
Zemblax Ransomware

By GoldSparrow in Ransomware

The Zemblax Ransomware is a new data-locking threat that targets unsuspecting users online. Its authors appear to have built the Zemblax Ransomware on the Jigsaw Ransomware project. The positive side is that many Jigsaw Ransomware variants can be decrypted for free, which means that if you have fallen victim to the Zemblax Ransomware, you may be able to recover your data free of charge using a publicly available decryption tool.

Zemblax Uses Weaponized Spreadsheets

Unfortunately, we are unable to share an example of what the phishing email looks like at this time. There are no screenshots available. However, the attachment to the email resembles bank transfers, business inquiries, personal invoices, and other such official documents.

The campaign takes advantage of Excel spreadsheets in particular, with spreadsheets named things like Invoice for Payment, Swift, and Orders. The threat actors put together spreadsheets that look more legitimate than your average phishing scam, making it more difficult to tell you are being scammed.

Propagation and Encryption

The Zemblax Ransomware is distributed via fake emails, a commonly used infection vector favored by countless cyber crooks, including the authors of the Zemblax Ransomware. The creators of the Zemblax Ransomware appear to tailor the bogus emails to look legitimate: the emails often claim to contain important information such as job offers, invoices, bank transfer details, etc. The creators of the Zemblax Ransomware appear to rely mainly on Microsoft Excel files to propagate this file-locking Trojan. The corrupted files in question are macro-laced and will infiltrate the user’s computer as soon as they are opened.

The Zemblax Ransomware will likely encrypt all the files present on your computer. All the newly locked files are renamed because the Zemblax Ransomware appends a new extension to the filename – ‘.zemblax.’ For example, a file originally named ‘milk-chocolate.mov’ will be renamed to ‘milk-chocolate.mov.zemblax.’

Interestingly enough, the attackers are not only deploying the Zemblax Ransomware to the compromised machines but another threat as well – the LokiBot malware. Cybersecurity researchers theorize that the authors of the Zemblax Ransomware use the LokiBot malware to collect sensitive information from the targeted host.

The campaign was discovered by the security researcher James, who said that the attachments are weaponized with LCG kit to exploit the old CVE-2017-11882 vulnerability in Equation Editor. If the exploit works, then the infected computer downloads malware and executes it.

The malware has since been removed from the remote site, but James did confirm the file in question - cjjjjjjjjjjjjjjjjjjj.exe – is indeed LokiBot.

The LokiBot virus steals login credentials from browsers, mail apps, FTP, and terminal programs. The information is sent to the command and control server, where the attacker collects it.

The Ransom Note

The Zemblax Ransomware would drop a ransom note on the system of the targeted user. The note is in the shape of a new window, which provides users with some basic information:

  • The attackers can be contacted via email – ‘zemblax@protonmail.com.’
  • The ransom fee demanded is $50 in the shape of Bitcoin.
  • The attackers claim that the ransom fee would double after 24 hours.
  • Every hour the attackers would delete one file.

As if LokiBot wasn’t bad enough, the virus has also been configured to install the Jigsaw Ransomware. The variant used in the attack uses the iconic Salvador Dalí mask from the show Money Heist as part of its message, shown below:

All Your Files Has Been Locked!
your personal files are being deleted. your photos, videos, documents, etc...
But All of your files were protected by a strong encryption.
This means that we can decrypt all your files after paying the ransom.
Every hour I select some of them to delete permanently,
you Have Iday to Decide to Pay .
after 1 Day Decryption Price will Be Double.
During the first 24 hour you will only lose a few files,
the second day a

The Jigsaw Ransomware encrypts files on the computer and gives them the .zemblax file extension as a sign of infection.

The good news for victims is that the Jigsaw ransomware is easy to decrypt. Don’t worry too much if you get hit by Jigsaw; instead, look for a public decryption key or decryption software. The bad news is that Jigsaw does periodically delete files over time.

Make sure that you quickly end the drpbx.exe process through Task Manager to stop Jigsaw from deleting files while you get to work. Remove the virus from your computer as quickly as possible to prevent further encryption, and then restore any lost data from a backup.
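As an added illustration of the triage step described above (this is an example script written for this article, not code from the Zemblax or Jigsaw analysis), the following Python builds a small constructed directory tree containing a few locked files, inventories every file carrying the ‘.zemblax’ extension, and maps each one back to its original filename so the list can be handed to a decryption tool or checked against a backup. The sample directory layout and filenames are constructed for the demonstration.

```python
import os
import tempfile

# Extension appended by the Zemblax Ransomware, as described in the article.
LOCKED_EXT = ".zemblax"


def build_sample_tree(root: str) -> None:
    """Create a constructed sample tree: two locked files and one untouched file."""
    os.makedirs(os.path.join(root, "Videos"), exist_ok=True)
    os.makedirs(os.path.join(root, "Documents"), exist_ok=True)
    # Constructed sample data; the content is irrelevant to the inventory.
    samples = {
        os.path.join(root, "Videos", "milk-chocolate.mov" + LOCKED_EXT): b"locked",
        os.path.join(root, "Documents", "invoice.xlsx" + LOCKED_EXT): b"locked",
        os.path.join(root, "Documents", "notes.txt"): b"untouched",
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)


def original_name(locked_path: str) -> str:
    """Strip the appended extension: 'milk-chocolate.mov.zemblax' -> 'milk-chocolate.mov'."""
    name = os.path.basename(locked_path)
    if name.lower().endswith(LOCKED_EXT):
        return name[: -len(LOCKED_EXT)]
    return name


def find_encrypted_files(root: str) -> list[tuple[str, str]]:
    """Walk the tree and return (locked_path, original_name) for every .zemblax file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(LOCKED_EXT):
                full = os.path.join(dirpath, fname)
                found.append((full, original_name(full)))
    # Sort for a stable, reviewable inventory.
    return sorted(found)


def summarize(root: str) -> dict:
    """Return counts and original names; useful for a quick damage assessment."""
    hits = find_encrypted_files(root)
    return {
        "locked_count": len(hits),
        "originals": [orig for _path, orig in hits],
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for locked, orig in find_encrypted_files(tmp):
            print(f"{locked}  ->  {orig}")
        print(summarize(tmp))
```

Run the script against a real root such as a user profile once the drpbx.exe process has been stopped; it only reads directory listings and never modifies or deletes the locked files, so it is safe to run before decryption or restore.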

Given that the phishing campaign relies on weaponized spreadsheets exploiting an old, already patched Equation Editor vulnerability (CVE-2017-11882), you should be fine as long as you keep Office updated and have a robust security solution on your computer.

It is recommended to avoid paying cybercriminals. Make sure to remove the Zemblax Ransomware (and the LokiBot malware) from your machine with the help of a legitimate anti-malware solution. Next, you can try to recover your data using the Jigsaw Ransomware decryption tool, which is freely available online. Furthermore, do not forget to change your passwords, as the LokiBot threat may have collected your login credentials and allowed the attackers to hijack your online accounts.
