Zeon
Zeon is an in-house ransomware encryptor/name associated with the post-Conti ecosystem and early activity that later evolved into Royal ransomware.
Profile source: Mallory opens in a new tabZeon
Family profile
Zeon is an in-house ransomware encryptor/name associated with the post-Conti ecosystem and early activity that later evolved into Royal ransomware. Reporting cited in the content states Royal’s first known in-house encryptor was named Zeon, that Zeon-generated ransom notes were very similar to Conti’s, and that FBI/CISA assess Royal evolved from earlier iterations that used Zeon as a loader. Activity associated with Zeon was observed around September 2022, with some reporting noting possible related infrastructure activity as early as late January 2022. The malware is linked to actors from the Conti syndicate; multiple sources in the content describe Conti members fragmenting into successor groups including Zeon, and one report says the Russian-language collective rebranded under subgroups including Zeon, Black Basta, and Quantum. High-confidence behavioral detail in the provided content is limited specifically for Zeon itself, but in context it is tied to enterprise-targeting ransomware operations and the Royal/Conti lineage. No Zeon-specific indicators of compromise beyond the name and its association with Conti-like ransom notes are directly provided in the content.
Ransomware.live
Operational record
Reporting
Research mentioning Zeon
Ukrainian extradited from Ireland on Conti ransomware charges
...infiltrated or taken over other ransomware or cybercrime operations, including BlackCat, Black Basta, ZEON, Hello Kitty, Hive, AvosLocker, Quantum, BlackByte, Karakurt...
Details emerge on BlackSuit ransomware takedown
"Members of the Russian-language ransomware collective rebranded under three subgroups: Zeon, Black Basta and Quantum"
Germany doxxes Conti ransomware and TrickBot ring leader
The leaks ultimately expedited Conti's shutdown, with the cybercrime members moving to other operations or starting new gangs, including Royal, Black Basta, BlackCat, AvosLocker, Karakurt, LockBit, Silent Ransom, DagonLocker, and ZEON.
Researchers link 3AM ransomware to Conti, Royal cybercrime gangs
This timeline of activity is in line with the one known for Zeon ransomware, which was observed in September 2022...
New Royal Ransomware emerges in multi-million dollar attacks
...the first being Zeon... which generated ransom notes very similar to Conti's.