The ZoNiSoNaL Ransomware is a newly detected file-encrypting Trojan. Upon studying it, malware experts found that it belongs to the Xorist Ransomware family. Many authors of data-locking Trojans base their creations on existing ransomware threats, as this is far easier than building a threat of this type from scratch.

Propagation and Encryption

Authors of ransomware threats often use phishing emails to propagate their creations. Such an email typically carries a bogus message that tries to convince the target to launch a corrupted attachment or open a corrupted link. Other infection vectors include torrent trackers, fraudulent application downloads and updates, malvertising, fake copies of popular software tools, etc. Threats like the ZoNiSoNaL Ransomware are usually able to encrypt a large variety of file types in order to cause maximum damage on the infected host. This means that all the .mp3, .mp4, .mov, .jpeg, .jpg, .gif, .png, .doc, .docx, .pdf, .xls, .xlsx, .ppt, .pptx, .rar, .zip, etc. files will be affected. Once the ZoNiSoNaL Ransomware encrypts a file, it also changes its filename by adding a ‘.ZoNiSoNaL’ extension to the end. For example, a file you called ‘eco-flag.pdf’ will be renamed to ‘eco-flag.pdf.ZoNiSoNaL’ after the encryption process has been completed.

The Ransom Note

In the next phase of the attack, the ZoNiSoNaL Ransomware drops a ransom note to inform the victims of what has happened to their data. The file containing the attackers’ ransom note is named ‘HOW TO DECRYPT FILES.txt’. In the ransom message, the attackers demand 0.14 BTC ($1,350 at the time of writing this post) as a ransom fee. They offer instructions on how to obtain Bitcoin for users who do not know how. The attackers provide an email address where they can be contacted – ‘’ However, the authors of the ZoNiSoNaL Ransomware do not provide any proof that they can unlock the victim’s files.

The good news is that your data may be decryptable for free via the Xorist Decryptor. It is worth searching for it online, as it may go a long way in recovering your data. It is crucial to note that you should first remove the ZoNiSoNaL Ransomware from your computer with the help of a trustworthy anti-virus software suite to prevent it from encrypting your files again.
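Before attempting removal or decryption, it helps to know which files were hit. The following read-only triage script is an added example, not part of the original write-up or of any vendor tool: it inventories files carrying the ‘.ZoNiSoNaL’ extension and copies of ‘HOW TO DECRYPT FILES.txt’ described above. The case-insensitive matching and the use of the oldest modification time as a rough indicator of when encryption began are assumptions of this example.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".zonisonal"          # extension named in the article
NOTE_NAME = "how to decrypt files.txt"   # ransom note name from the article


def triage(root):
    """Walk root and summarise ZoNiSoNaL artefacts without modifying anything."""
    per_dir = defaultdict(list)  # directory -> original (pre-rename) file names
    notes = []                   # paths of dropped ransom notes
    earliest = None              # oldest mtime among renamed files
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()  # assumption: match regardless of case
            path = os.path.join(dirpath, name)
            if lower == NOTE_NAME:
                notes.append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                # Strip the appended extension to recover the original name.
                per_dir[dirpath].append(name[: -len(ENCRYPTED_SUFFIX)])
                try:
                    mtime = os.stat(path).st_mtime
                except OSError:
                    continue  # unreadable file: listed above, no timestamp
                earliest = mtime if earliest is None else min(earliest, mtime)
    first_seen = None if earliest is None else datetime.fromtimestamp(earliest, timezone.utc)
    return {
        "encrypted": {d: sorted(n) for d, n in per_dir.items()},
        "notes": sorted(notes),
        "first_seen": first_seen,  # assumes timestamps were not altered
    }


def demo():
    """Run the triage over a constructed sample tree (empty placeholder files)."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        for name in ("eco-flag.pdf.ZoNiSoNaL", "song.mp3.zonisonal",
                     "untouched.txt", "HOW TO DECRYPT FILES.txt"):
            open(os.path.join(docs, name), "w").close()
        report = triage(root)
        return report["encrypted"][docs], len(report["notes"]), report["first_seen"] is not None


if __name__ == "__main__":
    print(demo())
```

Point `triage()` at a mounted copy or backup of the affected volume rather than the live system where possible, and keep the resulting list to check which files a decryptor actually restores.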


