The ZOZL Ransomware is a threat that, according to analysis performed by cybersecurity researchers, belongs to the Phobos Ransomware family. Typically, variants belonging to the same family are almost completely identical, with the biggest difference being the file extension each specific variant uses to mark the files it encrypts.
ZOZL is no exception. It utilizes a strong encryption process to lock the data of its victims. As part of the process, each affected file will have '.ZOZL' appended to its original name as a new extension. Upon encrypting all targeted file types, the ZOZL Ransomware will deliver two ransom notes to the breached device. The main message will be displayed in a pop-up window created via an 'info.hta' file, while the second note will be placed inside an 'info.txt' file.
The shorter of the two notes contains mainly contact information that victims are expected to use to reach the attackers. The message states that users should first try the email@example.com address. If they do not receive a response within 24 hours, users should try messaging the reserve email at 'firstname.lastname@example.org'.
The instructions found in the pop-up window provide more details. They make clear that the cybercriminals expect to be paid a ransom in Bitcoin, arguably the most widely known cryptocurrency. The hackers also state that they are willing to unlock up to 5 files for free. The only requirements are that the total size of the chosen files be less than 4MB and that the individual files not contain any valuable information.
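As an added defender-side example (not part of the original write-up), the following Python script inventories the indicators described above on a file tree: files carrying the '.ZOZL' extension and the 'info.hta' / 'info.txt' notes. The directory layout it builds for demonstration is constructed, not taken from a real infection.

```python
import tempfile
from pathlib import Path

# Indicators taken from the write-up above: the extension appended to
# encrypted files and the two ransom-note file names the sample drops.
ZOZL_EXTENSION = ".ZOZL"
RANSOM_NOTE_NAMES = {"info.hta", "info.txt"}


def triage_directory(root):
    """Inventory ZOZL indicators under `root` without touching any file.

    Returns sorted lists: encrypted paths, their pre-encryption names
    (suffix stripped, for backup lookups only), ransom-note paths, and
    the directories that hold at least one note.
    """
    root = Path(root)
    result = {"encrypted": [], "original_names": [],
              "ransom_notes": [], "note_directories": set()}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in RANSOM_NOTE_NAMES:
            result["ransom_notes"].append(rel)
            result["note_directories"].add(
                path.parent.relative_to(root).as_posix())
        elif path.name.endswith(ZOZL_EXTENSION):
            result["encrypted"].append(rel)
            # Recover the original name only for reporting; the encrypted
            # file itself is left exactly as found (renaming it helps nobody).
            result["original_names"].append(rel[:-len(ZOZL_EXTENSION)])
    for key in ("encrypted", "original_names", "ransom_notes"):
        result[key].sort()
    result["note_directories"] = sorted(result["note_directories"])
    return result


def build_sample_tree():
    """Create a constructed (not real) post-infection layout in a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="zozl_triage_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.ZOZL").write_bytes(b"\x00" * 16)
    (root / "docs" / "budget.xlsx.ZOZL").write_bytes(b"\x00" * 16)
    (root / "docs" / "info.txt").write_text("constructed note placeholder")
    (root / "info.hta").write_text("constructed note placeholder")
    (root / "readme.md").write_text("untouched file")
    return root
```

Calling `triage_directory(build_sample_tree())` exercises it on the constructed tree; pointing it at a real share or user profile produces the same inventory for an actual incident.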
The 'info.txt' note is:
'!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: email@example.com.
If we don't answer in 24h., send e-mail to this address: firstname.lastname@example.org'
The instructions in the pop-up window are:
'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail email@example.com
Write this ID in the title of your message -
In case of no answer in 24 hours write us to this e-mail:firstname.lastname@example.org
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'