Attacks using the Zola ransomware, the latest iteration of the Proton ransomware that first appeared more than a year ago, have been under way since May, SC Media reports.
Like its Proton predecessors, Zola relies on Mimikatz and other hacking tools for initial compromise and creates a mutex after execution, but it has been updated with a kill switch that terminates execution when a Persian keyboard layout is detected, according to an Acronis analysis.
On systems without that keyboard layout, Zola goes on to check for admin privileges, a step present in the original Proton payload but absent from the Shinra sub-family discovered in April. Zola also adopts the ChaCha20 encryption scheme first introduced in Proton variants last September, as well as the disk-overwriting functionality integrated into Proton in April. These findings follow the emergence of the unrelated PrOToN/Xorist ransomware, which uses different ransom notes, encrypted file extensions, and contact details.