Zimba Ransomware
The Zimba Ransomware is classified as belonging to the infamous Dharma Ransomware malware family. The threat itself shows little meaningful modification when compared to the rest of the Dharma Ransomware variants. The two aspects that distinguish it the most are the hackers' email addresses and the specific extension used for the encrypted files.
When the Zimba Ransomware manages to sneak itself onto the targeted computer, it engages its encryption process and proceeds to lock a wide range of file types. Users will find that they can no longer access their MS Office documents, pictures, videos, PDFs, databases, etc. If the compromised computer held work-related projects, the consequences of the Zimba Ransomware attack could get even more severe.
Every file affected by the threat will have its original file name modified significantly. The Zimba Ransomware appends a unique ID for the victim, followed by an email address belonging to the hackers, and finally '.zimba' as a new extension. The email address used in the file names is 'backup@zimbabwe.su.' As a typical Dharma Ransomware variant, Zimba also delivers its ransom note in two forms - as text files named 'FILES ENCRYPTED.txt' that are dropped in every folder containing encrypted data and in a pop-up window displayed to the user.
The text files contain little useful information, as they simply tell the victims of the threat to initiate contact by sending a message to the same email address - backup@zimbabwe.su. The pop-up window has a longer message, but it also lacks some key details, such as the exact amount demanded by the hackers or if the payment must be made using one of the popular cryptocurrencies. In addition, no backup email address has been provided.
The full text of the Zimba Ransomware's note is:
'YOUR FILES ARE ENCRYPTED
Don't worry,you can return all your files!
If you want to restore them, follow this link: email backup@zimbabwe.su YOUR ID -
If you have not been answered via the link within 12 hours, write to us by email:backup@zimbabwe.su
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The 'FILES ENCRYPTED.txt' files state:
all your data has been locked us
You want to return?
write email backup@zimbabwe.su'
The ransom note’s message is clear – data on the computer is locked, and victims must contact criminals to arrange to have it unlocked. The text in the pop-up message offers more information about the attack and the overall situation for victims. This message clarifies that the files are encrypted. Victims are told that if they don’t receive a response from the attackers within 12 hours, they should send another email. The message ends with some warnings. Victims are told that attempting to rename the encrypted files or decrypt them with third-party software tools as such actions could cause permanent data loss.
Ransomware creators are not lying when they say it is impossible to decrypt the ransomware without their help. There are times it is possible, such as when the program has flaws that security researchers can exploit. No matter what, however, experts recommend you do not contact the criminals or pay them money. Victims do not get the tools or keys they pay for from criminals. Not only is the data on your computer still encrypted, but now you have no money either. Even if the criminals do send a tool or key, it might not work. Even worse, it could install additional malware on your computer.
Rather than paying the ransom and hoping for the best, we recommend you remove the virus instead. Removing Zimba from your computer won’t undo the encryption, but it does prevent it from happening again. You can use data backups on external hard drives or cloud storage to restore any damaged or missing files.
Ransomware programs like this encrypt data and demand payment from you. While there are many similar ransomware, they all have two fundamental differences; the encryption algorithm and the ransom demand size. We recommend keeping a regular backup of your data to protect yourself against Zimba and its ilk.
Table of Contents
Zimba Ransomware Sends Mixed Signals
Zimba is a member of the Dharma ransomware family. Dharma is generally used as part of ransomware-as-a-service campaigns like this. Zimba Ransomware appears to have some mixed signals and doesn’t know if it’s coming or going. Experts have seen several problems with the ransomware, outside of it having something of a nationality crisis and appearing to come from different regions. The ransomware has a typical payload of data disruption tools like other members of the Dharma family. The threat infects any Windows user no matter where they live, so where the virus comes from isn’t much of an issue.
Many of the features found in Zimba are similar to those seen with other ransomware-as-a-service programs. As mentioned, the virus attacks computers and locks data behind file encryption using an RSA-secured AES algorithm. The changes to the file name make it easy for victims to spot sabotaged files.
Both the virus’ name and the attacker’s email address appear to be themed around the nation of Zimbabwe. With that said, nothing else in the payload or in the messaging of the virus suggests Zimbabwean origins or targeting Zimbabwean people and businesses in particular. To make things more confusing, the virus uses a Soviet Union domain. This domain marks the virus as potentially coming from Russia as these domains are still used sporadically by Russian users and hacking groups.
This isn’t definitive proof that the ransomware has Russian origins, however. Other non-Russian threat actors use the SU domain used by the virus because it offers them some advantages, such as the outdated Terms of Use policies. The group behind Zimba could live anywhere in the world, just like they can attack anywhere in the world.
Getting to the Heart of the Matter
Hackers use Zimba ransomware to attack corporate networks and home users. Every Windows computer is at risk of being affected by this virus – and many others. It is worth your time to create data backups in case of an emergency. The more devices you have backups on, the better. Avoid relying too much on basic and vulnerable options such as System Restore points. Ransomware has programs and features to remove those backups to further coerce people into paying the ransom.
Some executable files used to drop Zimba ransomware on computers have Russian-sounding names, but experts lack any definitive proof to tie the virus to one particular region. It would be best if Windows users acted like they were always at risk of encryption-based threats like this no matter where they live. Avoid doing things that put your computer at risks, such as downloading unofficial updates, enabling scripts, and clicking on suspicious email links and attachments. Don’t forget to use strong passwords to stay safe when using social media and the like.
As long as you take the proper precautions to protect your computer, it is unlikely that Zimba ransomware will gain enough of a foothold to affect your computer. Most antivirus programs can detect and remove Zimba before it becomes a problem.
How Does Ransomware Get On Computers?
To go into more detail about how ransomware affects computers, their primary infection methods are spam emails, illegal activation tools, malicious downloads, and fake updates. Trojan viruses are another common infection point. These are small viruses designed to slip past antivirus programs and cause chain infections by downloading and installing additional malware on a computer.
Spam email campaigns involve attackers sending thousands of phishing emails to potential victims. The messages contain infected file attachments and links. These malicious files could be archive files, executable files, PDF files, or Office documents. The infection begins when the files are opened. This is why you should never open files you get from unknown sources – at least not without having an antivirus product scan them first.
Software activation tools, better known as cracks, are another way to spread malware. As people turn to torrenting and file-sharing to access paid software for free, hackers upload malware disguised as popular programs. They also create cracking tools that install malware rather than activate the software.
The internet is also filled with many opportunities to download malware mistakenly. Malware might be added to installers from third-party hosting sites, or they could be uploaded to freeware websites designed as legitimate programs. Malvertising, or malicious adverts that infect your computer when clicked on, present another risk to everyday internet users.
Keep your computer safe by practicing good digital hygiene; don’t open spam emails, don’t download software illegally, and don’t click on suspicious advertisements.
