Zenis Ransomware

[Orascu Vlad 1]

Hello

Can anyone tell me how is ESET treating the Zenis Ransomware threat?

Thank you

[Marcos 5,070]

If you are a registered user then yes, we will likely be able to decrypt files.

[Orascu Vlad 1]

Yes, I have a license for about 600 computers

[Marcos 5,070]

Please email samples[at]eset.com and provide:
- logs collected by ELC
- a handful of examples of encrypted documents

[Orascu Vlad 1]

Hello,

I do not have this problem yet, I was just trying to be proactive and see if I can do something to prevent it, such as maybe install an update to the product or something

Sorry if I did not explain myself clearly enaugh

[Marcos 5,070]

You can provide me with ELC logs for a review of your ESET configuration and I will tell you if there's anything you could do to improve protection. Also let me know if you use legitimate scripts (vbs, js, hta, ps) or if it's ok to block script execution with HIPS.

[itman 1,659]

Lock down RDP access.

Quote

As previously stated, we do not know how the Zenis Ransomware is currently being distributed. Based on the elusiveness of the ransomware samples and comments from infected people, it could be distributed via hacked Remote Desktop services.

https://www.bleepingcomputer.com/news/security/zenis-ransomware-encrypts-your-data-and-deletes-your-backups/

Also according to bleepingcomputer.com, decryption of files is not possible.

Edited March 26, 2018 by itman

[Marcos 5,070]

18 minutes ago, itman said:

Also according to bleepingcomputer.com, decryption of files is not possible.

We've already decrypted files for several users

[bbahes 29]

30 minutes ago, Marcos said:

We've already decrypted files for several users

decrypted as protected or decrypted per customer request ?

[itman 1,659]

37 minutes ago, Marcos said:

We've already decrypted files for several users

I stand corrected. Read the bleepingcomputer.com thread on the ransomware and someone did develop a decryptor. Perhaps Eset is "Demonslay335"?

[Marcos 5,070]

I've heard from others that Demonslay335 is an admin.

 

[Orascu Vlad 1]

15 hours ago, Marcos said:

You can provide me with ELC logs for a review of your ESET configuration and I will tell you if there's anything you could do to improve protection. Also let me know if you use legitimate scripts (vbs, js, hta, ps) or if it's ok to block script execution with HIPS.

Hello Marcos

Please see attached logs and let me know if I have collected them correctly. 

eea_logs.zip

[Marcos 5,070]

5 minutes ago, Orascu Vlad said:

Please see attached logs and let me know if I have collected them correctly.

ESET is basically configured with default settings, ie. for maxim protection. I'd suggest removing all exclusions since each creates a potential security hole when otherwise recognized malware can run undetected in excluded folders. Use exclusions only as a last resort if certain issues cannot be resolved even with the assistance of customer care.

If you don't plan to use scripts, you can create HIPS rules for cscript.exe, wscript.exe, mshta.exe, jave.exe and powershell.exe that will block execution or ask when a script attempts to be executed.

[Marios Kontos 0]

I have been affected with Zenis Ransomware. How can I proceed to decrypt my files?

[itman 1,659]

3 hours ago, Marios Kontos said:

I have been affected with Zenis Ransomware. How can I proceed to decrypt my files?

Are you a registered Eset user? If not, I suggest you post your current situation in this bleepingcomputer.com thread: https://www.bleepingcomputer.com/forums/t/673319/zenis-ransomware-help-support-topic-zenis-zenis-instructionshtml/page-2?hl=%2Bzenis#entry4471645

Edited March 27, 2018 by itman

[itman 1,659]

22 hours ago, Marcos said:

I've heard from others that Demonslay335 is an admin.

Appears to be Michael Gillespie.

[Marios Kontos 0]

What do you mean register user, I am endpoint corporate client

[itman 1,659]

34 minutes ago, Marios Kontos said:

What do you mean register user, I am endpoint corporate client

See prior above posting by @Marcos pertaining to sample submission, ECL logs, and encrypted documents.

[Marios Kontos 0]

Find attached infected files. What else do you need?

Marios.rar

[khairulaizat92 9]

6 hours ago, Marios Kontos said:

Find attached infected files. What else do you need?

Marios.rar

Hi im just assisting them,  please also provide ELC (Eset Log Collector), You can look how to use it at Marcos signature how to use Eset Log Collector.

and another thing is which country are you from? called me old timer, but i do think have Eset Rep (Distributor or Related to ESET) to visit the case site to also access the situation might be in someway fasten the process.