Zoneware Ransomware

The Zoneware Ransomware is an encryption Trojan that encrypts the victim's files to demand a ransom payment. When the Zoneware Ransomware finishes encrypting the files, they will be easy to recognize because the Zoneware Ransomware will add the file extension '.ZW' to each encrypted file. The Zoneware Ransomware delivers a ransom note after encrypting the victim's files, thus making them inaccessible. This ransom note may appear as a text file named 'Ransom Note.txt.' The Zoneware Ransomware, in its ransom note, demands a payment of 100 USD approximately through BitCoins so that the decryption key needed to recover the affected files can be provided. The Zoneware Ransomware claims that it will delete one random file on the victim's computer every hour until the ransom is paid. The most common way computer users can become infected with the Zoneware Ransomware is through spam email attachments that may take the form of Microsoft Office files with corrupted macro scripts that download and install the Zoneware Ransomware onto the victim's computer.

How the Zoneware Ransomware Attack Works

While spam email attachments are the most common way of spreading the Zoneware Ransomware, these attachments can take various forms. These forms include archives, links to online cloud services hosting the corrupted file, the Microsoft Office files mentioned above, bad Javascript files, different types of Windows script file and executable files. The key to these attacks is that social engineering tactics may be used to convince the victim that the attached file contains legitimate content, such as an invoice from a shipping company or a photo from a social media website. Once the Zoneware Ransomware has infected a computer, the Zoneware Ransomware will connect to its Command and Control server to share information about the infected computer and receive configuration data. The Zoneware Ransomware will install its harmful content in various directories on the infected computer, which may include the following:

• %AppData%
• %Local%
• %LocalLow%
• %Temp%
• %Windows%

The Zoneware Ransomware delivers a ransom note, which alerts the victim of the attack and demands the payment of a ransom fee after encrypting the victim's files. The ransom note associated with the Zoneware Ransomware reads:

'ZONEWARE
All your important files have been encrypted using military grade encryption algorithm. To decrypt them you need to obtain the private key from us. We are the only who can provide you the key, so don't try to recover the files by yourself, it will only make the situation worse for you. To get this key you have to send the exact amount 0.25376 BTC to the address that you can see on the left or it will not work.

The text note dropped by the Zoneware Ransomware delivers the following text:

'All of your files have been encrypted by The Zone ! If you dont see a gui your anti virus has most likely blocked it, so you just need to pay 80 usd worth of bitcoins to this bitcoin address: 34pSt66TD3AHkubVSQGzRXzdE5oYTFdRm1'

The Zoneware Ransomware will target the user-generated files in its attack. Some of the file types that will be encrypted in a Zoneware Ransomware attack include:

'PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG.'