Zoh Ransomware

The popularity of file-encryption Trojans has skyrocketed the past couple of years, and now they are one of the most popular hacking tools that cybercriminals use to extort their victims for money. One of the very popular file-locker families is the Dharma Ransomware – it has been used to craft hundreds of file-locker variants that share a lot of similarities. One of the latest members of the Dharma family is the Zoh Ransomware, and it is able to encrypt many of the files it finds on its victim’s hard drive swiftly.

The file types that the Zoh Ransomware targets are not unusual – Microsoft Office files, videos, images, archives, Adobe projects, databases, etc. Whenever the Zoh Ransomware takes a file hostage, it will add a new extension to the filename – ‘.id-.[restdoc@protonmail.com].zoh.’ Of course, the authors want to receive a hefty payment in exchange for the decryptor – their demands are found in the ransom note ‘FILES ENCRYPTED.txt’ that the ransomware delivers during the final stage of the attack.

It is not a surprise that the attackers want to use Bitcoin for the payment since this can ensure their anonymity and prevent the victim from reversing the payment order. However, this should be seen as a red flag since it means that there is nothing stopping the attackers from taking your money without offering anything in return. The suggestion is never to trust ransomware operators – remember that co-operating with them is an easy way to lose more than just your files.

The advice to users affected by the Zoh Ransomware’s attack is to remove the file-locker files by using a reputable anti-malware scanner. However, this is not enough for a full recovery, and the victims will still need to look for alternative file recovery options.