Zola is a rebrand of the Proton ransomware family, retaining core Proton features while adding techniques to hinder recovery and forensics, including mutex-based execution control, boot configuration changes, and ChaCha20 encryption. The analysis highlights the attackers’ use of common credential harvesting and privilege-escalation tools, plus recovery-impeding steps and notable protection by Acronis Active Protection. #Zola #Proton #Mimikatz #ProcessHacker
Keypoints
- Zola is a rebranded version of the Proton ransomware family.
- Attackers deploy familiar tools such as Mimikatz, ProcessHacker, Sysinternals Process Explorer, Advanced IP Scanner, EMCO Unlock IT, and Windows Defender bypass utilities.
- The ransomware creates a mutex to prevent concurrent execution (4B991369-7C7C-47AA-A81E-EF6ED1F5E24C).
- It checks for administrative rights and implements a kill switch based on Persian keyboard layout.
- Registry values are created to store victim information and modify system settings (e.g., HKCU\Software\Proton\public, HKCU\Software\Proton\full).
- Shadow copies are deleted and boot configuration is altered to hinder recovery (vssadmin, wmic, BCDEdit).
- ChaCha20 is used for encryption, with notes claiming AES; disk slack space is filled to impede forensic recovery.
MITRE Techniques
- [T1003] Credential Dumping – “Utilizes Mimikatz to extract credentials from memory.”
- [T1055] Process Injection – “Uses ProcessHacker and other tools to manipulate processes for privilege escalation.”
- [T1486] Data Encrypted for Impact – “Encrypts files on the victim’s system to demand ransom.”
- [T1124] System Time Discovery – “Modifies system settings and boot configurations to prevent recovery.”
- [T1222] File and Directory Permissions Modification – “Changes registry values and file permissions to control access.”
- [T1059] Command-Line Interface – “Executes commands via cmd to delete shadow copies and modify boot settings.”
Indicators of Compromise
- [Mutex] 4B991369-7C7C-47AA-A81E-EF6ED1F5E24C – used to prevent concurrent execution.
- [Registry] HKCU\Software\Proton\public, HKCU\Software\Proton\full – stored victim information and settings.
- [File] C:\<name elided>.tmp – temporary file created during preparation.
- [File] C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<name elided>.exe – startup copy of the malware.
- [File] C:\ProgramData\<name elided>.bmp – altered wallpaper file.
- [Email] amgdecode[@]proton[.]me, amgdecode[@]onionmail[.]com – ransom note contact addresses.
- [File] #Read-for-recovery.txt – ransom note filename.
- [Extension] .Zola – ransom note extension.
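As an added defender-side example (not code from the analysis above or from any vendor), the Python below turns the Keypoints and the Indicators of Compromise into a small detection routine run over constructed telemetry events. The mutex, registry keys, note filename and extension come from the page; the exact vssadmin/wmic/BCDEdit switches it matches are an assumption, since the analysis names the tools but not their arguments.

```python
import re
from collections import Counter

# Indicators taken from the analysis above; everything else in this block is constructed.
ZOLA_MUTEX = "4B991369-7C7C-47AA-A81E-EF6ED1F5E24C"
ZOLA_REGISTRY = {r"hkcu\software\proton\public", r"hkcu\software\proton\full"}
RANSOM_NOTE = "#read-for-recovery.txt"
ENCRYPTED_EXT = ".zola"

# Recovery-inhibiting command lines (vssadmin / wmic / BCDEdit). The switches matched
# here are an assumption based on common ransomware usage, not quoted from the analysis.
RECOVERY_PATTERNS = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("boot_config_tamper", re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled|bootstatuspolicy)\b", re.I)),
]

def classify_event(event):
    """Return the indicator names a single telemetry event matches (empty list if benign)."""
    kind, value = event["type"], event["value"]
    low = value.lower()
    hits = []
    if kind == "process":
        hits += [name for name, rx in RECOVERY_PATTERNS if rx.search(value)]
    elif kind == "registry" and low.rstrip("\\") in ZOLA_REGISTRY:
        hits.append("proton_registry_key")
    elif kind == "mutex" and value.upper() == ZOLA_MUTEX:
        hits.append("zola_mutex")
    elif kind == "file":
        if low.endswith(ENCRYPTED_EXT):
            hits.append("zola_extension")
        if low.endswith(RANSOM_NOTE):
            hits.append("ransom_note")
    return hits

def scan_events(events):
    """Aggregate indicator hits and decide whether the host looks like a Zola/Proton victim."""
    counts = Counter(hit for ev in events for hit in classify_event(ev))
    # The mutex and registry keys are specific to this family, so one hit is enough; other
    # indicators need two different families so a lone admin vssadmin call does not page anyone.
    strong = counts["zola_mutex"] + counts["proton_registry_key"] > 0
    verdict = "zola_proton_suspected" if strong or len(counts) >= 2 else "no_match"
    return {"verdict": verdict, "indicators": dict(counts)}

SAMPLE_EVENTS = [  # constructed telemetry, not taken from the report
    {"type": "process", "value": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "value": r"bcdedit /set {default} recoveryenabled No"},
    {"type": "registry", "value": r"HKCU\Software\Proton\full"},
    {"type": "mutex", "value": "4B991369-7C7C-47AA-A81E-EF6ED1F5E24C"},
    {"type": "file", "value": r"C:\Users\alice\Documents\report.docx.Zola"},
    {"type": "file", "value": r"C:\Users\alice\Desktop\#Read-for-recovery.txt"},
    {"type": "process", "value": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    print(scan_events(SAMPLE_EVENTS))
```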