# Zeoticus 2.0 | Ransomware With No C2 Required **[labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/](https://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/)** Jim Walter ## Overview Zeoticus ransomware first appeared for sale in various underground forums and markets in early 2020. Initially, the ransomware was offered as a complete custom build for an undisclosed fee. The ransomware is currently Windows-specific and, according to the developers, functions on all “supported versions of Windows”. Unusually, there are no connectivity requirements for the payloads to execute. Zeoticus ransomware will execute fully offline, with no dependence on a C2 (Command & Control). It is also worth noting that the malware is designed not to function in some regions, specifically [Russia, Belarus, and Kyrgyzstan. Like many other families, use within the CIS is discouraged](https://en.wikipedia.org/wiki/Commonwealth_of_Independent_States) in order to avoid any backlash from regional government and law enforcement agencies. ----- ## Zeoticus Development Since late 2020 and moving into early 2021, the vendor has continued to maintain and offer updates on the Zeoticus service. In December 2020, samples of Zeoticus 2.0 were observed and reported in the wild. Multiple researchers and security vendors began to take notice and analyze these updated samples ( e.g., tweet from @demonslay335) A recent public announcement includes updates on file extension-based identification and performance around the prioritization and encryption of extremely large files. ----- Most of the updates in Zeoticus 2.0 are focused on speed and efficiency. Specific encryption algorithms (both symmetric and asymmetric) have been employed based on their speed (e.g., [Poly1305 is used for signing the primary encryption key rather than something like](https://cr.yp.to/mac.html) SHA1). Other notable features include compatibility with “all lines of Windows OSs”, with some indications that the ransomware will even run on Windows XP and earlier. The ransomware also has the ability to discover and infect remote drives and to discover and terminate processes that could interfere with the encryption process. ## Execution and Persistence Upon execution, pertinent files are identified based on extension. The encryptable-extension list is fully customizable and in the control of the attacker. When launched, the malware makes a few copies of itself in the following locations: ``` C:Windows %AppData% ``` Following this, Zeoticus proceeds to kill off a number of running processes (via ``` taskkill.exe ) as follows: ``` ----- ``` sqlagent.exe sqlbrowser.exe sqlservr.exe sqlwriter.exe oracle.exe ocssd.exe dbsnmp.exe synctime.exe mydesktopqos.exe agntsvc.exe isqlplussvc.exe xfssvccon.exe mydesktopservice.exe ocautoupds.exe agntsvc.exe agntsvc.exe agntsvc.exe encsvc.exe firefoxconfig.exe tbirdconfig.exe ocomm.exe mysqld.exe mysqld-nt.exe mysqld-opt.exe dbeng50.exe sqbcoreservice.exe excel.exe infopath.exe msaccess.exe mspub.exe onenote.exe outlook.exe powerpnt.exe sqlservr.exe thebat64.exe thunderbird.exe winword.exe Wordpad.exe ``` Zeoticus utilizes the `ping command to facilitate the deletion of its own binaries, redirecting` the output of the command to `>nul & del to` [achieve this.](https://stackoverflow.com/questions/20329355/how-to-make-a-batch-file-delete-itself/20329529#20329529) ``` /c ping localhost -n 3 > nul & del %s ``` ----- The following WMI query is then issued to gather additional information about the local environment: ``` start iwbemservices::execquery - rootcimv2 : select __path, processid, csname, caption, sessionid, threadcount, workingsetsize, kernelmodetime, usermodetime, parentprocessid from win32_process where ( caption = "msftesql.exe" or caption = "sqlagent.exe" or caption = "sqlbrowser.exe" or caption = "sqlservr.exe" or caption = "sqlwriter.exe" or caption = "oracle.exe" or caption = "ocssd.exe" or caption = "dbsnmp.exe" or caption = "synctime.exe" or caption = "mydesktopqos.exe" or caption = "agntsvc.exe" or caption = "isqlplussvc.exe" or caption = "xfssvccon.exe" or caption = "mydesktopservice.exe" or caption = "ocautoupds.exe" or caption = "agntsvc.exe" or caption = "agntsvc.exe" or caption = "agntsvc.exe" or caption = "encsvc.exe" or caption = "firefoxconfig.exe" or caption = "tbirdconfig.exe" or caption = "ocomm.exe" or caption = "mysqld.exe" or caption = "mysqld-nt.exe" or caption = "mysqld-opt.exe" or caption = "dbeng50.exe" or caption = "sqbcoreservice.exe" or caption = "excel.exe" or caption = "infopath.exe" or caption = "msaccess.exe" or caption = "mspub.exe" or caption = "onenote.exe" or caption = "outlook.exe" or caption = "powerpnt.exe" or caption = "sqlservr.exe" or caption = "thebat64.exe" or caption = "thunderbird.exe" or caption = "winword.exe" or caption = "wordpad.exe") ``` ----- All samples analyzed across Zeoticus 1.0 and 2.0 create the Registry Run key to achieve persistence: ``` REGISTRYUSER----SoftwareMicrosoftWindowsCurrentVersionRun ``` The registry entry (Run) is set to launch an instance of the Zeoticus payload from ``` C:Windows : ## Encryption and Ransom Note ``` [The ransomware uses a combination of asymmetric and symmetric encryption. XChaCha20](https://libsodium.gitbook.io/doc/advanced/stream_ciphers/xchacha20) [is utilized on the symmetric side, while the combination of Poly1305,](https://cr.yp.to/mac.html) [XSalsa20 and](https://libsodium.gitbook.io/doc/advanced/stream_ciphers/xsalsa20) [Curve25519 is used for the asymmetric side.](https://cr.yp.to/ecdh.html) Encrypted files are modified with extensions that include the contact email address of the attacker(s) along with the string “2020END”, which is no doubt a reference to the new year. In parallel with the encryption of the host’s data, Zeoticus mounts a new volume which contains the ransom note. Victims are instructed to contact the attacker via email as opposed to using an onion-based payment portal or similar. Additionally, the ransomware will drop a copy of the ransom note to the root of the system drive ( e.g., `C:WINDOWSREADME.html ).` ----- ----- This is one of the more noticeable differences between Zeoticus 2.0 and 1.0. That is, in v1.0, the desktop wallpaper was actually altered with the victim instructions as opposed to mounting the new volume. ----- ## Conclusion Attackers are continuing to improve upon their techniques and tactics. Active ransomware infections are getting increasingly difficult to control, contain, and mitigate. Prevention of these attacks is more important than ever given the difficulty of recovering from a catastrophic ransomware attack. We encourage all to review their security posture and take any necessary steps to improve their protections and reduce their overall exposure. Visibility and education go a long way here. A thorough and accurate understanding of the environment is key in prioritizing controls and reducing risk. It is also important to educate end users on the methods used by these attackers, and encourage them to report any suspicious activity they observe. Finally, ensure that all technological controls are installed and implemented properly, and are up to date with the latest patches. ## IOCs **SHA256** 33703e94572bca90070f00105c7008ed85d26610a7083de8f5760525bdc110a6 279d73e673463e42a1f37199a30b3deff6b201b8a7edf94f9d6fb5ce2f9f7f34 **SHA1** 25082dee3a4bc00caf29e806d55ded5e080c05fa d3449118b7ca870e6b9706f7e2e4e3b2d2764f7b ----- **MITRE ATT&CK** [Data from Local System – T1005](https://attack.mitre.org/techniques/T1005/) [Credentials from Password Stores – T1555](https://attack.mitre.org/techniques/T1555/) Modify Registry – [T1112](https://attack.mitre.org/techniques/T1112/) [Query Registry – T1012](https://attack.mitre.org/techniques/T1012/) [Remote System Discovery – T1018](https://attack.mitre.org/techniques/T1018/) [System Information Discovery – T1082](https://attack.mitre.org/techniques/T1082/) [Peripheral Device Discovery – T1120](https://attack.mitre.org/techniques/T1120/) [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – T1547.001](https://attack.mitre.org/techniques/T1547/001/) Data Encrypted for Impact – [T1486](https://attack.mitre.org/techniques/T1486/) -----