Infections now harder to control, contain, and mitigate

Zeoticus 2.0 ransomware raises stakes with C2-free execution, supercharged encryption to better lock files

The release of a more versatile and effective version of the Zeoticus ransomware has underlined the growing importance of attack prevention, a security researcher has concluded.

Unlike its predecessor, Zeoticus 2.0 can execute payloads without connectivity or remote commands, according to a malware analysis conducted by SentinelOne.

The ransomware strain, which first surfaced in early 2020, “will execute fully offline, with no dependence on a C2 (Command & Control)”, writes Jim Walter, senior threat researcher at the cybersecurity vendor, in a blog post.

Encryption express

Most Zeoticus 2.0 upgrades “are focused on speed and efficiency”, such as the employment of rapid encryption algorithms, which include the symmetric XChaCha20 algorithm and, on the asymmetric side, Poly1305, XSalsa20, and Curve25519.

The latest version can also discover and terminate encryption-disrupting processes, says Walter.

The pool of potential targets and the exploitable attack surface have broadened too, with the malware now able to discover and infect remote drives compatible with all Windows OS lines and possibly even able to “run on Windows XP and earlier”.

Issued since late 2020, malware platform updates have also recently included “updates on file extension-based identification and performance around the prioritization and encryption of extremely large files”, says the researcher.

RE: Ransom note

Encrypted files are modified with extensions comprising the attacker’s contact email address and the string ‘2020END’.

Zeoticus mounts a new volume containing a ransom note that instructs victims “to contact the attacker via email as opposed to using an onion-based payment portal or similar”.

A copy of the ransom note is also dropped into the system drive root (such as C:\WINDOWS\README.html).


By contrast, v1.0 altered the desktop wallpaper while presenting the ransom instructions instead of mounting a new volume.

The malware is designed not to function in Russia, Belarus, and Kyrgyzstan, says Walter, with its developers clearly mindful – like many of their CIS-based peers – of the potential “backlash from regional government and law enforcement agencies” in the region.

Execution, persistence

“Upon execution, pertinent files are identified based on extension”, while “the encryptable-extension list is fully customizable and in the control of the attacker”, notes the researcher.

After launching, the malware replicates itself with copies appearing in C:\Windows and %AppData%.

Zeoticus then terminates numerous running processes via taskkill.exe, and runs the ping command with its output redirected to >nul & del, which facilitates deletion of its own binaries.

A WMI query subsequently gathers additional information about the local environment.

All Zeoticus samples, both v1.0 and v2.0, create a registry run key to achieve persistence, with the registry entry “set to launch an instance of the Zeoticus payload from C:\Windows”.
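The behaviours reported above and in the ransom note section can be expressed as checks over host telemetry. This is an added example, not code from SentinelOne or the original article; the event field names (host, type, cmdline, key, value, path), the taskkill threshold and the sample events are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Patterns for the behaviours the article describes (field names are assumed).
SELF_DELETE = re.compile(r"\bping(\.exe)?\b.*>\s*nul\s*&\s*del\b", re.I)
TASKKILL = re.compile(r"\btaskkill(\.exe)?\b", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Executable directly in C:\Windows, not in a subdirectory such as System32.
WINDOWS_ROOT_EXE = re.compile(r'^"?C:\\Windows\\[^\\]+\.exe\b', re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")
TASKKILL_BURST = 5  # assumed threshold for "numerous"; tune per environment


def detect(events):
    """Return sorted (host, finding) pairs for a list of event dicts."""
    findings, kills = set(), Counter()
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process":
            if SELF_DELETE.search(ev["cmdline"]):
                findings.add((host, "self-delete"))
            if TASKKILL.search(ev["cmdline"]):
                kills[host] += 1
        elif kind == "registry":
            if RUN_KEY.search(ev["key"]) and WINDOWS_ROOT_EXE.match(ev["value"]):
                findings.add((host, "run-key-windows-root"))
        elif kind == "file":
            name = ev["path"].rsplit("\\", 1)[-1]
            if "2020END" in name and EMAIL.search(name):
                findings.add((host, "2020END-extension"))
    findings.update((h, "taskkill-burst") for h, n in kills.items() if n >= TASKKILL_BURST)
    return sorted(findings)


# Constructed sample events; hosts, paths and names are placeholders.
SAMPLE = [{"host": "ws01", "type": "process",
           "cmdline": f"taskkill.exe /F /IM proc{i}.exe"} for i in range(6)] + [
    {"host": "ws01", "type": "process",
     "cmdline": r"cmd.exe /c ping 127.0.0.1 >nul & del C:\Users\a\sample.exe"},
    {"host": "ws01", "type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\placeholder",
     "value": r"C:\Windows\placeholder.exe"},
    {"host": "ws01", "type": "file",
     "path": r"D:\docs\report.docx.user@example.com.2020END"},
    # Benign look-alikes that must not fire.
    {"host": "ws02", "type": "process", "cmdline": "ping 10.0.0.1"},
    {"host": "ws02", "type": "registry",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Windows\System32\updater.exe"},
]
```

Because the malware runs fully offline, these host-side signals matter more than network indicators; any single finding is weak on its own, and several on one host within a short window is the stronger signal.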

‘Visibility and education’

“Active ransomware infections are getting increasingly difficult to control, contain, and mitigate,” says Walter. This makes infection prevention “more important than ever given the difficulty of recovering from a catastrophic ransomware attack”.

“Visibility and education go a long way” in improving security posture, he adds.


“A thorough and accurate understanding of the environment is key in prioritizing controls and reducing risk.”

End users should also be educated on attackers’ methods and encouraged to report suspicious activity, continues the researcher.

“Finally, ensure that all technological controls are installed and implemented properly, and are up to date with the latest patches,” he concludes.

The Daily Swig has contacted SentinelOne for further comment. We will update the article if and when we receive a response.

