Zola Ransomware Detection: Proton Family Evolves with a New Ransomware Variant Featuring a Kill Switch

Following in-the-wild attacks exploiting CVE-2024-37085 by diverse ransomware gangs, defenders encounter a new variant of the nefarious Proton ransomware family dubbed Zola. Zola strain displays sophisticated capabilities as a result of the ransomware family’s multiple iterations and upgrades, incorporating privilege escalation, disk overwriting functionality, and a kill switch that terminates processes if a Persian keyboard layout is detected.

Detecting Zola Ransomware Attacks

According to a Statista report, there were 317.59 million ransomware attacks globally in 2023, highlighting a continuous escalation in both the scale and sophistication of these attacks. Ransomware gangs steadily evolve their malicious toolset, with new malicious strains emerging on the cyber arena daily. 

The latest menace for cyber defenders is a new variant of the Proton ransomware family, dubbed Zola. To detect Zola attacks in their earliest stages, security professionals can rely on the SOC Prime Platform for collective cyber defense, which aggregates relevant detection rules and offers advanced threat detection and hunting solutions to strengthen organizations’ security posture.

Press the Explore Detections button below to instantly access a comprehensive detection stack designed to address malicious activities associated with Zola ransomware attacks. All detection rules are compatible with over 30 SIEM, EDR, and Data Lake solutions and are mapped to the MITRE ATT&CK framework. Furthermore, the detection algorithms are enriched with extensive metadata, including CTI references, attack timelines, and triage recommendations, streamlining threat investigation.

Explore Detections

Security experts looking for additional detection content to tackle the latest ransomware attacks and investigate their evolution retrospectively can rely on SOC Prime’s Threat Detection Marketplace. By applying the “ransomware” tag, cyber defenders can find a comprehensive collection of relevant rules and queries.

Zola Ransomware Analysis

The emergence of novel ransomware strains has become commonplace for the last decade, with some of them increasing in sophistication and persistence, experimenting with new iterations, and evolving through rebranding, which encourages defenders to stay always on alert. Researchers at Acronis have recently uncovered Zola ransomware, a rebranded version of the Proton family, which popped up in early spring 2023.

Like its dozens of predecessors, Zola uses Mimikatz, diverse utilities for overcoming Windows Defender protections, and other offensive tools for the initial compromise. Zola also shares a similarity with the previous family strains in creating a mutex upon execution to prevent concurrent runs. However, the latest iteration stands out from its predecessors by featuring a kill switch that terminates processes upon detecting a Persian keyboard layout.

If the kill switch is not activated, Zola checks for admin rights and tricks the victim into running the executable with elevated privileges if verification is unsuccessful. Before encrypting files, Zola carries out several preparatory actions, including generating a unique victim ID and key data, emptying the Recycle Bin, modifying boot configuration, and deleting shadow copies to prevent recovery. It also targets diverse processes and services listed in its binary, including security software and other programs that might hinder encryption by locking files.

Once the preparatory actions are complete, Zola starts several threads to encrypt files and deposits a ransom note in each encrypted folder. Additionally, it changes the desktop wallpaper to display guidelines for the victim to email the adversaries with their unique ID.

Similarly to other Proton-based ransomware iterations, Zola retains a disk overwriting capability. Almost at the end of execution, it generates a temporary file under C:\, writing uninitialized data in 500 KB chunks until the disk is full, then deleting the file. This adversary method is intended to hinder antimalware analysis and data recovery by overwriting any remaining slack space on the disk.

The rise of new ransomware iterations, such as Zola, which maintains core features from earlier versions while introducing more advanced functions, demands more sophisticated ways to counter evolving threats. SOC Prime’s complete product suite for AI-powered detection engineering, automated threat hunting, and detection stack validation helps organizations evolve their defenses at scale, relying on the team and technology stack they already have.