Meet Another Addition To the Dharma Family: Ztax Ransomware

Ransomware attacks have become one of the most disruptive forms of cybercrime, targeting individuals and organizations alike. Ztax Ransomware is part of the notorious Dharma ransomware family. While ransomware typically aims to extort victims by encrypting their data, Ztax presents its own unique traits that make it particularly concerning.

What is Ztax Ransomware?

Ztax Ransomware is a data-encrypting threat that locks victims out of their files and demands payment for their release. Like the other members of the Dharma family, it appends its own extension to every file it encrypts. Encrypted files are renamed with a unique victim ID, an attacker-controlled email address, and the ".Ztax" extension. For example, a file named "photo.jpg" would be renamed to "photo.jpg.id-12345.[taxz@cock.li].Ztax," making it unusable without decryption.

Once Ztax completes the encryption process, it drops ransom notes onto the victim's machine. These notes appear both in pop-up windows and in text files named "manual.txt," which are found on the desktop and within all encrypted folders. The ransom note is relatively brief, instructing victims to email the attacker for further steps to recover their data.
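The renaming scheme described above (original name, victim ID, contact email, ".Ztax") is regular enough to parse mechanically, which is useful during triage: it tells you which files were touched, which victim ID and contact address the note refers to, and what the original filename was when you go looking for it in backups. The following script is an added example written for this article, not a tool from the original post. It parses the general Dharma-style name pattern rather than only the ".Ztax" case, and the sample filenames (including the "manual.txt" ransom note name from the article) are constructed for illustration.

```python
import re
from collections import Counter

# Dharma-style encrypted name: <original>.id-<victim id>.[<email>].<extension>
# The victim ID is treated as any run of letters/digits; Dharma variants differ here.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Za-z]+)"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<extension>[A-Za-z0-9]+)$"
)

# Ransom note filename mentioned in the article (constructed sample list below).
RANSOM_NOTE_NAMES = {"manual.txt"}


def parse_encrypted_name(name):
    """Return the components of a Dharma-style encrypted filename, or None."""
    match = ENCRYPTED_NAME.match(name)
    if not match:
        return None
    return match.groupdict()


def scan_names(names, extension="Ztax"):
    """Summarise a list of filenames: which are encrypted with the given
    extension, which are ransom notes, and which appear untouched.

    The extension comparison is case-insensitive because Windows filenames are.
    """
    summary = {
        "encrypted": [],      # (encrypted name, original name)
        "ransom_notes": [],
        "untouched": [],
        "victim_ids": Counter(),
        "emails": Counter(),
    }
    for name in names:
        parsed = parse_encrypted_name(name)
        if parsed and parsed["extension"].lower() == extension.lower():
            summary["encrypted"].append((name, parsed["original"]))
            summary["victim_ids"][parsed["victim_id"]] += 1
            summary["emails"][parsed["email"]] += 1
        elif name.lower() in RANSOM_NOTE_NAMES:
            summary["ransom_notes"].append(name)
        else:
            summary["untouched"].append(name)
    return summary


# Constructed sample directory listing, not data from a real incident.
SAMPLE_NAMES = [
    "photo.jpg.id-12345.[taxz@cock.li].Ztax",
    "budget.xlsx.id-12345.[taxz@cock.li].Ztax",
    "archive.tar.gz.id-12345.[taxz@cock.li].Ztax",
    "manual.txt",
    "notes.txt",
    "desktop.ini",
]

if __name__ == "__main__":
    result = scan_names(SAMPLE_NAMES)
    print(f"{len(result['encrypted'])} encrypted, "
          f"{len(result['ransom_notes'])} ransom note(s), "
          f"{len(result['untouched'])} untouched")
    for encrypted, original in result["encrypted"]:
        print(f"  {encrypted}  ->  restore from backup as: {original}")
    print("victim IDs:", dict(result["victim_ids"]))
    print("contact addresses:", dict(result["emails"]))
```

Note that an original filename can itself contain dots ("archive.tar.gz"); the regex anchors on the ".id-" and "[email]" markers, so the whole original name is recovered rather than just the last component.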

Here's what the ransom note says:

All your files have been encrypted!

Don't worry, you can return all your files!
If you want to restore them, write to the mail: taxz@cock.li YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:taxz@cyberfear.com

Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

The Ransom Demands and Encryption Process

Like many others, Ztax Ransomware demands payment in Bitcoin for file decryption. Victims are told they can test the decryption process by sending up to three files to the attacker, offering some assurance that paying the ransom might work. However, the attackers provide a warning against using third-party tools or attempting to modify the encrypted files, threatening further damage to the data.

One notable characteristic of Ztax and other Dharma ransomware variants is that they do not encrypt critical system files, which means the device remains operational even after the attack. This sets it apart from some other ransomware types that can completely incapacitate a system. However, this doesn't diminish the impact of the attack since losing access to personal or business-related files can be devastating.

How Ztax Ransomware Spreads and Persists

Ztax Ransomware, like other Dharma variants, often spreads through exposed and poorly secured Remote Desktop Protocol (RDP) services. Attackers commonly brute-force weak RDP credentials to gain access. Once inside, they disable the firewall and launch the ransomware. Phishing and social engineering are also common infection vectors, with malicious attachments or links in emails being a primary delivery mechanism.

After infecting a device, Ztax ensures persistence by copying itself to specific locations on the system, such as the %LOCALAPPDATA% directory. It also adds entries under the Windows Registry Run keys so that it starts automatically after every reboot. This persistence means the ransomware continues to affect the system until it is removed.
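A practical check for the persistence described above is to review the Run key entries and flag any whose executable resolves to a user-writable profile directory such as %LOCALAPPDATA%. The script below is an added example for this article, not code from the original post. It works on a dictionary of Run key values and an environment mapping supplied by the caller (both constructed here so the example runs offline); on a live host you would populate them from the registry and the user's environment. The checked directories (LOCALAPPDATA, plus APPDATA and TEMP as an assumed extension of the article's point) are configurable.

```python
import ntpath
import re
import shlex

# Environment variables whose directories are user-writable and commonly
# abused for persistence. The article names %LOCALAPPDATA%; APPDATA and TEMP
# are included here as an assumption, not something the article states.
SUSPECT_ENV_VARS = ("LOCALAPPDATA", "APPDATA", "TEMP")

_VAR = re.compile(r"%([^%]+)%")


def expand_windows_vars(value, env):
    """Expand %VAR% references using the supplied mapping (case-insensitive),
    leaving unknown variables untouched."""
    lookup = {k.upper(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lookup.get(m.group(1).upper(), m.group(0)), value)


def executable_from_command(command):
    """Return the executable path from a Run key command line.

    Windows command lines keep backslashes and may quote the executable,
    so tokenise in non-POSIX mode and strip the surrounding quotes.
    """
    command = command.strip()
    if not command:
        return None
    tokens = shlex.split(command, posix=False)
    return tokens[0].strip('"') if tokens else None


def _normalise(path):
    return ntpath.normcase(ntpath.normpath(path))


def find_profile_autoruns(run_entries, env, suspect_vars=SUSPECT_ENV_VARS):
    """Return {entry name: resolved executable} for Run key entries whose
    executable lives under one of the suspect user-profile directories."""
    bases = [_normalise(env[v]) for v in suspect_vars if v in env]
    flagged = {}
    for name, command in run_entries.items():
        exe = executable_from_command(expand_windows_vars(command, env))
        if not exe:
            continue
        resolved = _normalise(exe)
        if any(resolved == b or resolved.startswith(b + "\\") for b in bases):
            flagged[name] = exe
    return flagged


# Constructed sample data: a plausible environment and Run key contents.
# "Updater" and "svc" are invented names used only to exercise the check.
SAMPLE_ENV = {
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "ProgramFiles": r"C:\Program Files",
}
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "Updater": r"%LOCALAPPDATA%\updater.exe",
    "svc": r'"C:\Users\alice\appdata\local\x\y.exe" -s',
    "SecurityHealth": r"%ProgramFiles%\Windows Defender\MSASCuiL.exe",
    "Empty": "",
}

if __name__ == "__main__":
    for name, exe in find_profile_autoruns(SAMPLE_RUN_ENTRIES, SAMPLE_ENV).items():
        print(f"REVIEW: Run entry '{name}' starts {exe} from a user-profile directory")
```

Entries under the profile are not automatically malicious (some legitimate installers use them), so the output is a review list rather than a verdict; the value of the check is that a ransomware copy dropped under %LOCALAPPDATA% cannot hide from it by using an innocuous entry name.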

What Ztax Ransomware Wants

Like all ransomware, Ztax ransomware's primary goal is financial gain. It demands payment in Bitcoin, a cryptocurrency favored by cybercriminals due to its relative anonymity. However, paying the ransom does not guarantee file recovery. In many cases, victims never receive the decryption keys or software, even after complying with the attackers' demands.

Ztax's ransom note emphasizes the risks of attempting to recover files using third-party tools or asking for help from external services. This is a scare tactic often used to coerce victims into paying, even though recovery is far from certain.

Prevention and Recovery from Ztax Ransomware

Once Ztax Ransomware has infected a system and encrypted files, removing it will not restore the compromised data. The only reliable way to recover files is from backups that were created before the infection and stored in a safe, disconnected location. Unfortunately, Ztax also deletes Volume Shadow Copies, the Windows feature that keeps point-in-time snapshots of files, eliminating this as a potential recovery method.

To prevent such attacks, users and organizations should maintain strong security practices. This includes keeping backups of important data in multiple secure locations, such as remote servers and external storage devices. Additionally, robust credential management and regularly updating security software can help mitigate the risk of falling victim to ransomware.

Lessons from the Ztax Ransomware Attack

Ztax Ransomware is another reminder of the importance of proactive cybersecurity measures. Its ability to encrypt files without rendering the system inoperable may make it seem less severe, but the damage it causes can be long-lasting and financially crippling. The Dharma family of ransomware continues to evolve, exploiting vulnerable systems and unsuspecting users.

For everyone, the key to protecting against ransomware like Ztax is vigilance. Avoiding suspicious downloads, implementing strong password policies, and securing RDP services can significantly reduce the risk of an attack. And most importantly, having up-to-date backups in place ensures that even if ransomware strikes, recovery is possible without paying into the hands of cybercriminals.

October 22, 2024