Zoh Ransomware

By GoldSparrow in Ransomware

Cybersecurity experts have recently uncovered a new file-locking Trojan called the Zoh Ransomware. Analysis of the Zoh Ransomware showed that it belongs to the Dharma (also known as Crysis) Ransomware family. Cybercriminals often use this ransomware family as a base for their own data-encrypting Trojans because doing so takes much less effort than building one from scratch.

It is not known with full certainty which propagation methods are used to spread this threat, but spam email campaigns, fake software updates and pirated content are speculated to be involved. Once the Zoh Ransomware gets onto a host, it begins scanning it immediately. The goal of the scan is to find all the files that the Zoh Ransomware was programmed to lock. Once located, the files undergo the Zoh Ransomware's encryption process. When a file is encrypted, its name is changed. The Zoh Ransomware follows the same pattern as nearly all other file-locking Trojans that are variants of the Dharma Ransomware, meaning that '.id-.[restdoc@protonmail.com].zoh' is added at the end of the file name. The ransom note that the Zoh Ransomware drops on the victim's computer is likely named 'FILES ENCRYPTED.txt', as this is another pattern that variants of the Dharma Ransomware tend to follow. The attackers do not mention the ransom fee they demand; instead, they urge the user to contact them at their email address, 'restdoc@protonmail.com'.
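The naming pattern described above can be turned into a triage check over a file listing, to see which files were renamed, what they were originally called, and which folders were hit. This is an added example, not code from the original article; the function name `triage`, the sample paths and the treatment of the text between `id-` and `.[` (empty on the page, assumed here to be a variable identifier) are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Suffix quoted in the article: '.id-.[restdoc@protonmail.com].zoh'. The text between
# 'id-' and '.[' is empty on the page; allowing any characters there is an assumption.
ZOH_SUFFIX = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[^.\[\]]*)"
    r"\.\[restdoc@protonmail\.com\]\.zoh$", re.IGNORECASE)
RANSOM_NOTE = "files encrypted.txt"  # note name the article says is likely


def triage(paths):
    """Split paths into renamed (locked) files and ransom notes, with per-folder counts."""
    locked, notes, per_dir = [], [], Counter()
    for raw in paths:
        p = PureWindowsPath(raw)
        m = ZOH_SUFFIX.match(p.name)
        if m:
            locked.append({"path": raw,
                           "original_name": m["original"],
                           "victim_id": m["victim_id"]})
            per_dir[str(p.parent)] += 1
        elif p.name.lower() == RANSOM_NOTE:
            notes.append(raw)
    return {"locked": locked, "notes": notes, "per_dir": dict(per_dir)}


# Constructed sample listing (not from a real incident); 'XXXXXXXX' is a placeholder ID.
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.id-XXXXXXXX.[restdoc@protonmail.com].zoh",
    r"C:\Users\alice\Documents\report.docx.id-.[restdoc@protonmail.com].zoh",
    r"C:\Users\alice\Desktop\FILES ENCRYPTED.txt",
    r"C:\Users\alice\Pictures\photo.jpg",
    r"C:\Users\alice\Pictures\notes.zoh",  # bare .zoh extension alone is not a match
]

if __name__ == "__main__":
    report = triage(SAMPLE)
    for entry in report["locked"]:
        print(f"locked: {entry['path']} (was {entry['original_name']})")
    for note in report["notes"]:
        print(f"ransom note: {note}")
    for folder, count in report["per_dir"].items():
        print(f"{count} locked file(s) in {folder}")
```

Matching the full suffix, including the contact address, rather than the `.zoh` extension alone keeps unrelated files that happen to use that extension out of the results.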

If you have fallen into the trap of the Zoh Ransomware, we recommend that you stay away from the perpetrators and do not get in touch with them, as they may trick you into paying the ransom fee and then not send the decryption key that they promise. What you can do instead is download and install an authentic anti-malware application and use it to wipe the Zoh Ransomware off your system once and for all.
