Zeoticus 2.0: Nasty Ransomware Strain Receives Major Upgrade

Starting from December 2020, a new version of Zeoticus ransomware has been actively targeting users in the wild. Zeoticus 2.0 comes with better performance and enhanced offline capabilities, posing a bigger threat to businesses worldwide. 

What is Zeoticus Ransomware?

Zeoticus is a relatively new malware sample that appeared in the cyber threat arena in December 2019. Similar to multiple other malicious siblings, Zeoticus is promoted under the ransomware-as-a-service (RaaS) model on various dark web forums and markets. The malware is currently Windows-specific, being able to target all existing versions of Windows OS, including Windows XP and earlier.

Zeoticus has two main distribution methods. The first one is malware-laced spam emails. And the second one is third-party software integrations pushed by websites rendering free hosting services and pirated peer-to-peer (P2P) downloads. Notably, the ransomware can perform geo-checks to avoid targeting users from Russia, Belarus, and Kyrgyzstan. Such selectivity gives grounds to believe Zeoticus operators might be of Russian origin.

Zeoticus 2.0 Enhanced Functions

The new Zeoticus 2.0 version, released in September 2020, significantly exceeds its predecessors in speed and efficiency due to enhanced encryption algorithms. Also, the malware got a noticeable upgrade of its offline capabilities, now being able to execute its payloads without relying on a command-and-control (C&C) server.

The report from Cyber Security Associates details that Zeoticus 2.0 applies a combination of asymmetric and symmetric encryption to improve its performance. The symmetric side relies on XChaCha20, while the asymmetric side uses the mix of Poly1305, XSalsa20, and Curve25519. Such an approach serves well for locking the majority of valuable files on the victim’s device, including archives, audio files, databases, documents, images, presentations, spreadsheets, and videos. The latest ransomware version also received the ability to lock remote drives and kill system processes able to prevent encryption routine, research from SentinelOne says.

During the encryption process, Zeoticus compiles a new volume with a ransom note inside on the fly. The note instructs victims to contact the attacker via email, unlike other ransomware gangs that typically prefer an onion-based payment portal or similar. Also, a copy of the ransom note is left at the root of the system drive.

Zeoticus 2.0 Detection

Enhance your proactive defense from Zeoticus 2.0 ransomware with a fresh Sigma rule released by our prolific Threat Bounty developer Osman Demir:

https://tdm.socprime.com/tdm/info/8DlhPQ0Osvzi/7j4JpncBTwmKwLA9R-kf/

The rule has translations to the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, LogPoint, Humio, RSA NetWitness, FireEye Helix

MITRE ATT&CK:

Tactics: Impact

Techniques: Data Encrypted for Impact (T1486)

Throughout 2020, ransomware confidently took the leading positions among the threats challenging businesses of all sizes. Therefore, timely detection of malicious activity becomes a priority task. Check dedicated detection rules from SOC Prime on Threat Detection Marketplace to protect against major ransomware families of 2020.

Subscribe to Threat Detection Marketplace to super-charge your cyber defense capabilities with an industry-first content-as-a-service (CaaS) platform. Our library aggregates 95,000+ Detection and Response rules, parsers, search queries, and other content mapped to CVE and MITRE ATT&CK® frameworks. Interested in creating your own detection content? Join our Threat Bounty Program and contribute to the community efforts in combating constantly emerging cyber threats.