{
	"id": "d41b426f-848c-49c6-bc98-0b8a107130cb",
	"created_at": "2026-04-06T00:10:44.966026Z",
	"updated_at": "2026-04-10T13:11:44.294721Z",
	"deleted_at": null,
	"sha1_hash": "e93f21c778782e3d150eb88bee946e1e89e651dc",
	"title": "Zeoticus 2.0 | Ransomware With No C2 Required - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2170572,
	"plain_text": "Zeoticus 2.0 | Ransomware With No C2 Required - SentinelLabs\r\nBy Jim Walter\r\nPublished: 2021-02-03 · Archived: 2026-04-05 21:09:24 UTC\r\nOverview\r\nZeoticus ransomware first appeared for sale in various underground forums and markets in early 2020. Initially,\r\nthe ransomware was offered as a complete custom build for an undisclosed fee. The ransomware is currently\r\nWindows-specific and, according to the developers, functions on all “supported versions of Windows”.\r\nUnusually, there are no connectivity requirements for the payloads to execute. Zeoticus ransomware will execute\r\nfully offline, with no dependence on a C2 (Command \u0026 Control). It is also worth noting that the malware is\r\ndesigned not to function in some regions, specifically Russia, Belarus, and Kyrgyzstan. Like many other families,\r\nuse within the CIS is discouraged in order to avoid any backlash from regional government and law enforcement\r\nagencies.\r\nZeoticus Development\r\nSince late 2020 and moving into early 2021, the vendor has continued to maintain and offer updates on the\r\nZeoticus service.\r\nIn December 2020, samples of Zeoticus 2.0 were observed and reported in the wild. Multiple researchers and\r\nsecurity vendors began to take notice and analyze these updated samples ( e.g., tweet from @demonslay335)\r\nhttps://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/\r\nPage 1 of 9\n\nA recent public announcement includes updates on file extension-based identification and performance around the\r\nprioritization and encryption of extremely large files.\r\nMost of the updates in Zeoticus 2.0 are focused on speed and efficiency. Specific encryption algorithms (both\r\nsymmetric and asymmetric) have been employed based on their speed (e.g., Poly1305 is used for signing the\r\nprimary encryption key rather than something like SHA1).\r\nOther notable features include compatibility with “all lines of Windows OSs”, with some indications that the\r\nransomware will even run on Windows XP and earlier.\r\nThe ransomware also has the ability to discover and infect remote drives and to discover and terminate processes\r\nthat could interfere with the encryption process.\r\nhttps://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/\r\nPage 2 of 9\n\nExecution and Persistence\r\nUpon execution, pertinent files are identified based on extension. The encryptable-extension list is fully\r\ncustomizable and in the control of the attacker.\r\nWhen launched, the malware makes a few copies of itself in the following locations:\r\nC:Windows\r\n%AppData%\r\nFollowing this, Zeoticus proceeds to kill off a number of running processes (via taskkill.exe ) as follows:\r\nsqlagent.exe\r\nsqlbrowser.exe\r\nsqlservr.exe\r\nsqlwriter.exe\r\noracle.exe\r\nocssd.exe\r\ndbsnmp.exe\r\nsynctime.exe\r\nmydesktopqos.exe\r\nagntsvc.exe\r\nisqlplussvc.exe\r\nxfssvccon.exe\r\nmydesktopservice.exe\r\nocautoupds.exe\r\nagntsvc.exe\r\nagntsvc.exe\r\nagntsvc.exe\r\nencsvc.exe\r\nfirefoxconfig.exe\r\ntbirdconfig.exe\r\nocomm.exe\r\nmysqld.exe\r\nmysqld-nt.exe\r\nmysqld-opt.exe\r\ndbeng50.exe\r\nsqbcoreservice.exe\r\nexcel.exe\r\ninfopath.exe\r\nmsaccess.exe\r\nmspub.exe\r\nonenote.exe\r\noutlook.exe\r\npowerpnt.exe\r\nsqlservr.exe\r\nhttps://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/\r\nPage 3 of 9\n\nthebat64.exe\r\nthunderbird.exe\r\nwinword.exe\r\nWordpad.exe\r\nZeoticus utilizes the ping command to facilitate the deletion of its own binaries, redirecting the output of the\r\ncommand to \u003enul \u0026 del to achieve this.\r\n/c ping localhost -n 3 \u003e nul \u0026 del %s\r\nThe following WMI query is then issued to gather additional information about the local environment:\r\nstart iwbemservices::execquery - rootcimv2 : select __path, processid, csname, caption, sessionid, th\r\nAll samples analyzed across Zeoticus 1.0 and 2.0 create the Registry Run key to achieve persistence:\r\nhttps://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/\r\nPage 4 of 9\n\nREGISTRYUSER----SoftwareMicrosoftWindowsCurrentVersionRun\r\nThe registry entry (Run) is set to launch an instance of the Zeoticus payload from C:Windows :\r\nEncryption and Ransom Note\r\nThe ransomware uses a combination of asymmetric and symmetric encryption. XChaCha20 is utilized on the\r\nsymmetric side, while the combination of Poly1305, XSalsa20 and Curve25519 is used for the asymmetric side.\r\nEncrypted files are modified with extensions that include the contact email address of the attacker(s) along with\r\nthe string “2020END”, which is no doubt a reference to the new year.\r\nIn parallel with the encryption of the host’s data, Zeoticus mounts a new volume which contains the ransom note.\r\nVictims are instructed to contact the attacker via email as opposed to using an onion-based payment portal or\r\nsimilar. Additionally, the ransomware will drop a copy of the ransom note to the root of the system drive ( e.g.,\r\nC:WINDOWSREADME.html ).\r\nhttps://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/\r\nPage 5 of 9\n\nhttps://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/\r\nPage 6 of 9\n\nThis is one of the more noticeable differences between Zeoticus 2.0 and 1.0.  That is, in v1.0, the desktop\r\nwallpaper was actually altered with the victim instructions as opposed to mounting the new volume.\r\nhttps://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/\r\nPage 7 of 9\n\nConclusion\r\nAttackers are continuing to improve upon their techniques and tactics. Active ransomware infections are getting\r\nincreasingly difficult to control, contain, and mitigate. Prevention of these attacks is more important than ever\r\ngiven the difficulty of recovering from a catastrophic ransomware attack. We encourage all to review their security\r\nposture and take any necessary steps to improve their protections and reduce their overall exposure. Visibility and\r\neducation go a long way here. A thorough and accurate understanding of the environment is key in prioritizing\r\ncontrols and reducing risk. It is also important to educate end users on the methods used by these attackers, and\r\nencourage them to report any suspicious activity they observe. Finally, ensure that all technological controls are\r\ninstalled and implemented properly, and are up to date with the latest patches.\r\nIOCs\r\nSHA256\r\n33703e94572bca90070f00105c7008ed85d26610a7083de8f5760525bdc110a6\r\n279d73e673463e42a1f37199a30b3deff6b201b8a7edf94f9d6fb5ce2f9f7f34\r\nSHA1\r\n25082dee3a4bc00caf29e806d55ded5e080c05fa\r\nd3449118b7ca870e6b9706f7e2e4e3b2d2764f7b\r\nMITRE ATT\u0026CK\r\nData from Local System – T1005\r\nCredentials from Password Stores – T1555\r\nModify Registry – T1112\r\nQuery Registry – T1012\r\nhttps://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/\r\nPage 8 of 9\n\nRemote System Discovery – T1018\r\nSystem Information Discovery – T1082\r\nPeripheral Device Discovery – T1120\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder – T1547.001\r\nData Encrypted for Impact – T1486\r\nSource: https://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/\r\nhttps://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/"
	],
	"report_names": [
		"zeoticus-2-0-ransomware-with-no-c2-required"
	],
	"threat_actors": [],
	"ts_created_at": 1775434244,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e93f21c778782e3d150eb88bee946e1e89e651dc.pdf",
		"text": "https://archive.orkl.eu/e93f21c778782e3d150eb88bee946e1e89e651dc.txt",
		"img": "https://archive.orkl.eu/e93f21c778782e3d150eb88bee946e1e89e651dc.jpg"
	}
}