Skip to content
Ransomware group

Zeon

Zeon is an in-house ransomware encryptor/name associated with the post-Conti ecosystem and early activity that later evolved into Royal ransomware.

Profile source: Mallory opens in a new tab

Zeon

Family profile

Zeon is an in-house ransomware encryptor/name associated with the post-Conti ecosystem and early activity that later evolved into Royal ransomware. Reporting cited in the content states Royal’s first known in-house encryptor was named Zeon, that Zeon-generated ransom notes were very similar to Conti’s, and that FBI/CISA assess Royal evolved from earlier iterations that used Zeon as a loader. Activity associated with Zeon was observed around September 2022, with some reporting noting possible related infrastructure activity as early as late January 2022. The malware is linked to actors from the Conti syndicate; multiple sources in the content describe Conti members fragmenting into successor groups including Zeon, and one report says the Russian-language collective rebranded under subgroups including Zeon, Black Basta, and Quantum. High-confidence behavioral detail in the provided content is limited specifically for Zeon itself, but in context it is tied to enterprise-targeting ransomware operations and the Royal/Conti lineage. No Zeon-specific indicators of compromise beyond the name and its association with Conti-like ransom notes are directly provided in the content.

Ransomware.live

Operational record

View group record ↗

Reporting

Research mentioning Zeon

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.