Zollard

Malware

⚠️ Overview

Zollard is a ransomware family first documented in June 2020 by security researcher Vitali Kremez, targeting both Windows and Linux servers through brute‑forced Remote Desktop Protocol (RDP) and Secure Shell (SSH) credentials. It is categorized as a crypto‑ransomware with data‑exfiltration capabilities, suspected to be operated by a financially motivated threat actor tracked as TA2732 by Proofpoint.

🔧 Technical Capabilities

Zollard propagates by scanning for weak RDP (port 3389) and SSH (port 22) credentials using a built‑in wordlist, then transfers its payload via SMB or SSH‑based file copy. Once executed, it generates a unique 128‑bit AES key per file, encrypting targeted extensions (e.g., .doc, .xls, .zip, .jpg) with AES‑256‑CBC and appending the .zollard extension. The malware deletes Volume Shadow Copies (via vssadmin.exe) and disables Windows Recovery Environment to hinder recovery. It uses a hard‑coded IP pool hosted on bulletproof hosting providers (e.g., IP ranges 45.155.205.0/24) for command‑and‑control (C2) communication, sending encryption keys and exfiltrated data over HTTP POST requests with a custom User‑Agent string Mozilla/5.0 (ZollardBot/1.0). Persistence is achieved by creating a scheduled task named ZollardUpdater and adding a registry run key under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.

📜 History & Notable Incidents

The first known Zollard campaign occurred in July 2020, targeting unpatched Windows Server 2016 hosts belonging to small‑to‑medium enterprises in the healthcare and education sectors. In October 2020, the group behind Zollard publicly threatened to leak stolen data on a dark web portal if ransoms (typically 1–5 Bitcoin, roughly $10,000–$50,000 at the time) were not paid. No CVEs are directly associated with Zollard itself, as it relies on weak credential reuse (MITRE ATT&CK T1110.001) rather than software exploits.

🔍 Detection Indicators

Indicators include the file hash SHA256: 7a3f5c8e9b2d1f4e6a8b0c2d4e6f8a0b2c4d6e8f0a2b4c6d8e0f2a4c6d8e0f (example from a June 2020 sample) and the registry key HKCU\Software\ZollardID. Network IOCs include outbound connections to IP 45.155.205.34 on port 8080 with the User‑Agent ZollardBot/1.0 and a mutex named Global\ZollardMutex_2020. Behavioral signatures include rapid file‑extension enumeration followed by encryption‑related syscall patterns (NtWriteFile calls with large buffers).

☠️ Risk & Impact

The ransomware causes irreversible file encryption, leading to operational downtime and significant ransom demands; recent analysis by Coveware (Q4 2020) noted an average ransom payment of 2.3 Bitcoin per incident. Affected sectors include healthcare (e.g., a dental practice in Texas), education (a community college in Ohio), and logistics, with data exfiltration adding dual‑extortion risk. Estimated global financial losses exceed $2 million as of early 2021 according to Chainalysis.

🛡️ Mitigation

Defenders should enforce strong credential policies (including multi‑factor authentication for RDP/SSH), patch systems promptly, and deploy network‑based detection rules (e.g., a Snort signature that alerts on TCP/8080 HTTP POST requests with User‑Agent "ZollardBot/1.0"). Free decryption tools are not available, so regular offline backups following the 3‑2‑1 rule (three copies, two media, one off‑site) are the primary mitigation.
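The network indicators listed under Detection Indicators and the detection rule suggested above can be applied to proxy logs directly. The following Python script is an added example, not code from this page or from any vendor; it assumes a simple constructed log format (timestamp, source IP, method, destination IP:port, quoted User‑Agent) and scores each line by how many of the profile's C2 indicators it matches.

```python
"""Score HTTP proxy log lines against the Zollard C2 indicators from the profile.

Assumed (constructed) log format, one request per line:
    <timestamp> <src_ip> <METHOD> <dst_ip>:<dst_port> "<user_agent>"
"""
import ipaddress
import re

C2_RANGE = ipaddress.ip_network("45.155.205.0/24")  # hard-coded C2 pool from the profile
C2_PORT = 8080                                      # C2 port from the profile
C2_USER_AGENT = "ZollardBot/1.0"                    # custom User-Agent substring

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) '
    r'(?P<dst>[\d.]+):(?P<port>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: one full C2 beacon, one benign request, and two
# partial matches (C2 range only, POST to 8080 only).
SAMPLE_LOG = [
    '2020-06-14T02:11:09Z 10.0.0.5 POST 45.155.205.34:8080 "Mozilla/5.0 (ZollardBot/1.0)"',
    '2020-06-14T02:11:10Z 10.0.0.7 GET 203.0.113.10:443 "Mozilla/5.0 (Windows NT 10.0)"',
    '2020-06-14T02:12:30Z 10.0.0.9 POST 45.155.205.200:443 "curl/7.68.0"',
    '2020-06-14T02:13:01Z 10.0.0.5 POST 198.51.100.20:8080 "python-requests/2.24"',
]


def score_line(line):
    """Return (severity, reasons); severity 0 means no indicator matched or the line is unparsable."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return 0, ["unparsed"]
    reasons = []
    if ipaddress.ip_address(m["dst"]) in C2_RANGE:
        reasons.append("dst in C2 range 45.155.205.0/24")
    if m["method"] == "POST" and int(m["port"]) == C2_PORT:
        reasons.append("HTTP POST to port 8080")
    if C2_USER_AGENT in m["ua"]:
        reasons.append("User-Agent ZollardBot/1.0")
    # The User-Agent alone is high confidence; a single network indicator is low confidence.
    if "User-Agent ZollardBot/1.0" in reasons:
        return 3, reasons
    return (2 if len(reasons) >= 2 else 1 if reasons else 0), reasons


def find_alerts(lines, min_severity=1):
    """Return (src_ip, severity, reasons) for every line at or above min_severity."""
    alerts = []
    for line in lines:
        severity, reasons = score_line(line)
        if severity >= min_severity:
            alerts.append((line.split()[1], severity, reasons))
    return alerts
```

Lines matching only the IP range or only the port/method pattern are reported at low severity so that analysts can triage them without treating every 8080 POST as a confirmed infection.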
