
ZILLA (Dharma) Ransomware

In today's digital age, protecting devices and data from malware threats is more crucial than ever. Ransomware, a particularly threatening type of malware, can render critical files inaccessible and disrupt personal and professional activities. Users must be vigilant and proactive in safeguarding their systems against such threats to avoid potential data loss, financial damage, and operational downtime.

An Overview of the ZILLA Ransomware

The ZILLA Ransomware is a recently discovered variant belonging to the notorious Dharma family. Once it infiltrates a system, ZILLA encrypts files, renames them, and displays ransom notes both as pop-ups and text files named 'ZILLA-INFO.txt.' This malware is designed to coerce victims into paying a ransom for the decryption of their files, using fear and urgency to manipulate them into compliance.

File Encryption and Renaming

Upon infection, ZILLA encrypts files and changes their names to include the victim's ID, the email address filezilla@cock.li, and the '.ZILLA' extension. For instance, a file originally named '1.png' will be renamed to '1.png.id-9ECFA84E.[filezilla@cock.li].ZILLA'. This renaming pattern applies to all affected files, making it evident which files have been compromised.

Ransom Note Details

The ZILLA Ransomware presents its victims with a ransom note instructing them to contact the cybercriminals via email (filezilla@cock.li) and include their victim ID. If no response is received within 12 hours, victims are directed to reach out to an alternative email, filezilla@cyberfear.com. The note also offers a limited free decryption service for up to three files (less than 3MB each) to demonstrate the decryption capability, warning against renaming files or using third-party decryption tools due to the risk of permanent data loss.
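The renaming scheme and the 'ZILLA-INFO.txt' note described in the two sections above can be turned into a triage check over a file listing. This is an added example, not part of the original article; it assumes the victim ID is always eight hexadecimal digits, as in the article's sample name, and the file listing below is constructed.

```python
import re
from collections import Counter

# Naming scheme described above:
#   <original name>.id-<8 hex digits>.[<contact email>].ZILLA
ZILLA_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})\.\[(?P<email>[^\]]+)\]\.ZILLA$"
)
RANSOM_NOTE_NAME = "ZILLA-INFO.txt"

# Constructed directory listing (not from a real infection).
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/1.png.id-9ECFA84E.[filezilla@cock.li].ZILLA",
    "C:/Users/alice/Documents/report.docx.id-9ECFA84E.[filezilla@cock.li].ZILLA",
    "C:/Users/alice/Documents/archive.tar.gz.id-9ECFA84E.[filezilla@cock.li].ZILLA",
    "C:/Users/alice/Documents/ZILLA-INFO.txt",
    "C:/Users/alice/Documents/notes.txt",  # untouched file
]

def basename(path):
    """Last path component, accepting either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def parse_zilla_name(filename):
    """Return the fields encoded in an encrypted-file name, or None if the
    name does not follow the ZILLA scheme."""
    m = ZILLA_NAME_RE.match(filename)
    return m.groupdict() if m else None

def triage(paths):
    """Summarise a listing: how many files were renamed, which victim IDs and
    contact addresses appear, and whether the ransom note was dropped."""
    encrypted = [p for p in (parse_zilla_name(basename(x)) for x in paths) if p]
    return {
        "encrypted_count": len(encrypted),
        "victim_ids": sorted({e["victim_id"] for e in encrypted}),
        "emails": sorted({e["email"] for e in encrypted}),
        "note_present": any(basename(x) == RANSOM_NOTE_NAME for x in paths),
        # Original extensions tell you which data types were hit.
        "original_types": Counter(
            e["original"].rsplit(".", 1)[-1].lower() for e in encrypted
        ),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

The victim ID and contact address recovered here are what the note asks the victim to quote, so they are the first two values to record in an incident ticket.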

Characteristics of the Dharma Ransomware Family

ZILLA is a part of the Dharma family, a group of ransomware known for several distinctive features:

Extensive File Encryption

The Dharma Ransomware encrypts files stored both locally and on network-shared drives, significantly increasing the scope of its impact.

System Disabling Tactics

To prevent victims from mitigating the damage, Dharma ransomware disables the system firewall and deletes Shadow Volume Copies, which are typically used for restoring previous versions of files.

Persistence Mechanisms

Dharma variants, including ZILLA, ensure their persistence on infected systems by copying themselves to the '%LOCALAPPDATA%' directory and registering with specific Run keys in the Windows registry. This allows the ransomware to execute each time the system starts.
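One way to hunt for the persistence described above is to scan an exported Run key for values whose command lives under the user's local application-data directory. This is an added example, not code from the original article; the registry export below is constructed, and the per-user 'HKEY_CURRENT_USER\...\Run' key is assumed as the key to inspect, since the article does not name the specific Run keys ZILLA uses.

```python
import re

# Constructed "reg export" of the per-user Run key (not from a real infection).
# Two entries point into the local app-data directory; one is a benign vendor entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"svchost"="\"C:\\Users\\alice\\AppData\\Local\\svchost.exe\""
"Updater"="%LOCALAPPDATA%\\updater.exe"
'''

# Section headers for Run / RunOnce keys under any hive.
RUN_KEY_RE = re.compile(r"^\[(?P<key>.+\\CurrentVersion\\Run(Once)?)\]$")
# "name"="data" lines of a .reg file.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Either the unexpanded variable or the expanded path of %LOCALAPPDATA%.
LOCALAPPDATA_RE = re.compile(r"%LOCALAPPDATA%|\\AppData\\Local\\", re.IGNORECASE)

def unescape_reg(data):
    """Undo .reg string escaping: \\ -> \ and \" -> \"."""
    return re.sub(r'\\(["\\])', r"\1", data)

def find_localappdata_run_entries(reg_text):
    """Return (key, value name, command) for every Run-key value whose
    command resolves under the user's local app-data directory."""
    hits = []
    current_key = None
    for line in reg_text.splitlines():
        k = RUN_KEY_RE.match(line)
        if k:
            current_key = k.group("key")
            continue
        if line.startswith("["):
            current_key = None  # a key we are not interested in
            continue
        v = VALUE_RE.match(line)
        if current_key and v:
            cmd = unescape_reg(v.group("data"))
            if LOCALAPPDATA_RE.search(cmd):
                hits.append((current_key, v.group("name"), cmd))
    return hits

if __name__ == "__main__":
    for hit in find_localappdata_run_entries(SAMPLE_REG_EXPORT):
        print(hit)
```

A hit is a lead, not a verdict: confirm by hashing the referenced executable and checking its signature before treating it as a ransomware dropper.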

Data Gathering and Exclusions

These ransomware variants also collect location data and can exclude certain predetermined locations from encryption, potentially to avoid detection or interference with specific regions.

Security Measures to Protect against Ransomware

Given the damaging consequences of a ransomware attack, users should implement robust security measures to defend their devices and data:

  • Regular Data Backups: Maintain routine backups of essential files on remote servers or offline storage devices. This ensures data can be restored without paying the ransom.
  • Use of Anti-Malware Software: Employ reputable anti-malware software to detect and block ransomware before it can cause harm.
  • System and Software Updates: Regularly update operating systems and software to patch vulnerabilities that ransomware could exploit.
  • Email and Web Security: Be cautious with email attachments and links, as ransomware often spreads through phishing emails. Use email filtering tools and Web security solutions to minimize the risk of exposure.
  • Firewall and Intrusion Detection Systems: Configure firewalls and use intrusion detection systems to monitor and block suspicious network activity.
  • Disable Remote Desktop Protocol (RDP): Disable RDP if it is not needed, or at least secure it with strong passwords and multi-factor authentication to prevent unauthorized access.
  • User Training and Awareness: Educate users about the risks of ransomware and best practices for avoiding infection, such as recognizing phishing attempts and avoiding suspicious downloads.

Ransomware, particularly variants like ZILLA, significantly threatens data security. By understanding the mechanisms of ransomware and implementing comprehensive security measures, users can protect their systems and data from these harmful attacks. Regular backups, robust security software, and user vigilance are fundamental components of an effective defense strategy against ransomware.

The ransom note shown by the ZILLA Ransomware as a new window reads:

'ZILLA
Don't worry, you can return all your files!
If you want to restore them, write to the mail: filezilla@cock.li YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:filezilla@cyberfear.com
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 3Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins

Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

The text file created by ZILLA Ransomware contains the following message from the attackers:

all your data has been locked us

You want to return?

write email filezilla@cock.li or filezilla@cyberfear.com'
