Since its emergence in March 2023, the Proton ransomware family has shown a remarkable capacity for evolution, with the latest variant, Zola, highlighting significant advancements in its attack methodology. The Acronis Threat Research Unit recently analyzed Zola, revealing a myriad of new features including sophisticated privilege escalation measures, a unique disk overwriting capability, and a keyboard language-based kill switch.
Zola, discovered during an incident response in May, shares similarities with its predecessor Ripa, which surfaced just weeks earlier. Central to its operation is the effective use of widely recognized hacking tools, such as Mimikatz and ProcessHacker, to disable system defenses. Upon execution, Zola creates a mutex to prevent simultaneous infections, a tactic that persists across variants. A noteworthy addition in Zola is the kill switch that halts execution if a Persian keyboard layout is detected, potentially hinting at the origins of the Proton family.
If the kill switch does not activate, the ransomware proceeds with thorough checks for administrative privileges, repeatedly prompting the user to provide elevated permissions. Following the privilege checks, Zola sets the stage for encryption by generating unique identifiers for the victim, emptying the Recycle Bin, and deleting shadow copies to hinder recovery efforts. It utilizes the vssadmin command to eliminate these shadow copies and modifies boot configurations to bypass system recovery.
Zola marks a significant departure from earlier versions by employing ChaCha20 encryption instead of the original elliptic-curve and AES combinations. However, the ransom note remains largely unchanged, still falsely claiming the use of AES and ECC, which misleads victims. The ransomware seeks to disrupt operations aggressively, terminating 137 processes and 79 services that might impede file encryption. It deploys multiple encryption threads and targets network drives, meticulously dropping ransom notes in each affected folder while also altering the victim’s desktop wallpaper with instructions for contacting the attacker.
Another puzzling yet concerning feature of Zola is its ability to fill up disk space by continually writing uninitialized data, complicating potential data recovery and forensic analysis. This practice underscores a troubling trend in ransomware as threat actors become increasingly sophisticated.
Importantly, it is crucial to differentiate the Proton family from the similarly named PrOToN ransomware, which belongs to the Xorist family. The two families exhibit clear differences in file extensions, ransom note formats, and operational features, complicating the landscape further for victims and analysts alike.
As the threat posed by ransomware continues to evolve, the emergence of variants like Zola serves as a stark reminder of the necessity for organizations to maintain robust cybersecurity measures and remain vigilant against increasingly complex attacks. Unfortunately, as of now, there remains no known decryptor tool for the Proton family, leaving victims without recourse in reclaiming their data.