The Proton ransomware family has undergone several iterations since it first emerged in March 2023, with the latest variant Zola including privilege escalation measures, a disk overwriting function and a keyboard language-based kill switch.
The Acronis Threat Research Unit recently encountered the new Zola variant during an incident response and performed an in-depth analysis published Monday. This latest version demonstrates the ransomware family’s pattern of constant code tweaks and rebranding.
“The appearance of new ransomware families every month has become an unfortunate norm in recent years. While some will appear as quickly as they fade out of existence, some establish an extended stay, and others simply change their virtual clothes,” the Acronis researchers wrote.
Zola kicks off attack with kill switch, admin privilege checks
The Zola variant of the Proton ransomware was first discovered by Acronis in May and bears similarities to another variant, called Ripa, that appeared on April 30.
The researchers noted that the Proton family uses commonplace hacking tools among ransomware actors, such as Mimikatz, ProcessHacker and various tools for disabling Windows Defender. The malware typically drops these tools in the Downloads, Music or 3D Objects directories on the target machine.
Another similarity between Zola and its predecessors is the creation of a mutex upon execution, which avoids concurrent executions; this hardcoded mutex remained unchanged between variants.
A unique feature of Zola and other recent variants is the presence of a kill switch that checks for a Persian keyboard layout and halts processes if this layout is identified.
“This kill switch might be indicative of the Proton family’s origins, but no further evidence was found to strengthen this assumption,” the researchers wrote.
If the kill switch is not triggered, the malware proceeds to check for admin privileges, and repeatedly prompts the user to run the executable as an administrator if the check fails.
This admin checking feature was also present in the original Proton sample, although a sub-family known as Shinra, observed in early April, lacks this functionality, suggesting that Zola represents a separate branch in Proton’s evolution.
Prior to encrypting files, Zola makes additional preparations, including generation of a unique victim ID and key information, emptying of the Recycle Bin, modification of boot configuration and deletion of shadow copies to prevent recovery.
Shadow copies are deleted using the vssadmin command via the ShellExecute API and the BCDEdit Windows tool was used to disable automatic repair force Windows to ignore all failures during the boot process.
Proton ransomware changes encryption scheme, lacks ransom note changes
The original Proton ransomware used elliptic-curve cryptography (ECC) and Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) to encrypt files, but an update in September 2023 switched to the ChaCha20 encryption scheme, which remains the case for the Zola variant.
However, the Zola ransom note remains largely unchanged from the original Proton ransom note, as seen on PCrisk’s removal guide, apart from a change in contact information. Notably, the ransom note still claims the use of AES and ECC, misleading the victim.
Prior to encryption, the malware attempts to kill 137 processes and 79 services listed in its binary, including various security software and other applications that may prevent encryption by locking multiple files.
Zola runs multiple encryption threads to encrypt files, including in network-attached drives with write access, and drops the ransom note under each encrypted folder. Meanwhile, the malware also changes the desktop wallpaper to a message instructing the victim to email the threat actor, along with victim’s unique ID.
Zola also retains a function that emerged among Proton variants in early April 2024, which spawns a temporary file under C:\ and fills up the disk by continuously writing uninitialized data in 500 KB chunks. This overwriting of slack space on the disk is suspected to serve as a way to make digital forensics and data recovery more difficult.
Not to be confused with PrOToN/Xorist ransomware
While the Proton ransomware family has spawned multiple variants and at least one subfamily, it is not to be confused with a similarly named ransomware known as PrOToN, which is part of the Xorist, or EnCiPhErEd, family.
PrOToN is described by PCrisk as a “ransomware-type program,” which first emerged around August 2023. Differences between the two “Proton” ransomware include differences in the encrypted file extension (.Proton or .kigatsu versus .PrOToN), ransom note format and threat actor contact information.
PrOToN also triggers an “Error” pop-up window displaying the ransom note text, which is a feature that is not present with Zola and other Proton variants.
A Xorist decryptor is available from Emsisoft, but this decryptor is not known to work against the PrOToN variant, according to PCrisk.
No known decryptor tool is available for the Proton family studied by Acronis.
