ZeroRansom is a ransomware trojan that was released in July 2017. It appears to have been developed by the same people who created other ransomware variants released around the same time, such as the Lalabitch ransomware and J-Ransom, both of which appeared in the final week of June and the first week of July 2017.

Payload

Transmission

Like various other ransomware trojans released in the same timeframe, ZeroRansom may be delivered using corrupted spam email attachments.

Infection

Once ZeroRansom is installed, it scans the victim's computer for certain file types. It encrypts the matching files on all local drives and on all storage reachable from the infected computer, including removable devices connected to the victim's PC and directories shared over the network. ZeroRansom uses a strong encryption algorithm to encrypt these files, making them unrecoverable. The version observed by PC security researchers was capable of encrypting the following file types:

.7z, .bat, .c, .cpp, .cs, .db, .dll, .doc, .docx, .gif, .jar, .java, .jpg, .mp3, .mp4, .pdf, .peg, .png, .ppt, .pptx, .rar, .sln, .txt, .xls, .xlsx, .zip.

ZeroRansom marks the files affected by the attack by adding the file extension '.z3r0' to each affected file's name. After encrypting the victim's data, ZeroRansom displays a ransom note on the infected computer. This ransom note, a text file named 'EncryptNote_README.txt', alerts the victim to the attack but gives no contact information or payment instructions, which the victim would need in order to pay a ransom and recover from the attack (the whole point of ransomware attacks like ZeroRansom). The following is the notification displayed in a ZeroRansom attack:

All your important files have been encrypted by ZeroRansom. Please follow instruction below to keep your file
1. Don't try to do anything stupid like delete the encryptor or terminate its process.
2. Turn off your anti-virus program and make sure it hasn't deleted any file of the encryptor
3. Follow these rule strictly, or your files will be deleted FOREVER
4. Thanks for reading this. Have a good day, sir. :)

ZeroRansom has been linked to two Gmail accounts: 'zerounix48@gmail.com' and 'zerounix32@gmail.com'. Con artists responsible for these attacks rarely use public email accounts like these, because they can be blocked or intercepted easily. This may mean that the people responsible for ZeroRansom's attacks are not very sophisticated.
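The two file-system indicators this section names (the '.z3r0' extension appended to encrypted files and the dropped 'EncryptNote_README.txt' note) are enough to triage a drive or a network share after an incident. The script below is an added example written for this page, not code from the original article or from any security vendor: it walks a directory tree, collects both indicators, recovers each encrypted file's original extension from its name, and flags originals outside the extension list the article gives. The targeted-extension list is the article's; the function names and the constructed sample tree are this example's own assumptions.

```python
"""Triage helper for the ZeroRansom indicators described on this page.

Added example, not code from the page or from any vendor. It reports files renamed
with the '.z3r0' extension and copies of the dropped ransom note, and tallies the
original extensions so an analyst can see what was hit. The extension list is the
one the article gives; everything else here is constructed for illustration.
"""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_SUFFIX = ".z3r0"              # appended to every encrypted file (from the article)
RANSOM_NOTE_NAME = "EncryptNote_README.txt"  # note dropped after encryption (from the article)
TARGETED_EXTENSIONS = {                  # file types the observed sample encrypted (from the article)
    ".7z", ".bat", ".c", ".cpp", ".cs", ".db", ".dll", ".doc", ".docx", ".gif",
    ".jar", ".java", ".jpg", ".mp3", ".mp4", ".pdf", ".peg", ".png", ".ppt",
    ".pptx", ".rar", ".sln", ".txt", ".xls", ".xlsx", ".zip",
}


@dataclass
class TriageReport:
    encrypted_files: list = field(default_factory=list)      # paths ending in .z3r0
    ransom_notes: list = field(default_factory=list)         # paths of dropped notes
    original_extensions: Counter = field(default_factory=Counter)  # ".docx" -> count
    unlisted_originals: Counter = field(default_factory=Counter)   # hits outside the article's list

    @property
    def infected(self) -> bool:
        return bool(self.encrypted_files or self.ransom_notes)


def original_extension(encrypted_name: str) -> str:
    """Extension the file had before '.z3r0' was appended: 'report.docx.z3r0' -> '.docx'."""
    stem = encrypted_name[: -len(ENCRYPTED_SUFFIX)]
    return Path(stem).suffix.lower()


def triage_tree(root) -> TriageReport:
    """Walk `root` and collect both indicators. Read-only: nothing is modified or deleted."""
    report = TriageReport()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE_NAME:
                report.ransom_notes.append(full)
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                report.encrypted_files.append(full)
                ext = original_extension(name)
                report.original_extensions[ext] += 1
                if ext not in TARGETED_EXTENSIONS:
                    # Worth a second look: either a variant with a wider list or a
                    # file the article's sample would not have touched.
                    report.unlisted_originals[ext] += 1
    return report


def build_sample_tree(root) -> None:
    """Constructed sample tree (not real artefacts): renamed files, one note, and
    untouched files that must not be flagged."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "share").mkdir(exist_ok=True)
    for rel in ("docs/report.docx.z3r0", "docs/budget.xlsx.z3r0",
                "share/photo.jpg.z3r0", "share/archive.zip.z3r0",
                "share/video.avi.z3r0"):          # .avi is not in the article's list
        (root / rel).write_bytes(b"\x00" * 16)
    (root / "docs" / RANSOM_NOTE_NAME).write_text(
        "All your important files have been encrypted by ZeroRansom.")
    (root / "share" / "notes.txt").write_text("untouched")
    (root / "docs" / "readme.md").write_text("untouched")


def run_demo() -> TriageReport:
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_tree(tmp)


if __name__ == "__main__":
    r = run_demo()
    print(f"infected={r.infected} encrypted={len(r.encrypted_files)} notes={len(r.ransom_notes)}")
    for ext, n in r.original_extensions.most_common():
        print(f"  {ext or '(no extension)'}: {n}")
    if r.unlisted_originals:
        print("originals outside the article's list:", dict(r.unlisted_originals))
```

Point `triage_tree()` at a mounted share or a forensic image's mount point to get a count of affected files and the extensions they had before encryption; the script never writes to or deletes anything, which matters when the evidence may still be needed.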
