The Zeal0t's cryptoware has a particular network signature that can be used as an "Indicator of Compromise" (IOC). This indicator is unique to the cryptoware, so it can be used to indicate that a system has been infected by the cryptoware, or the cryptoware attempted to infect it.
Enter the IOC as the flag: Example
We performed dynamic analysis and observed the binary making a request to
http://insidious.deadface[.]io/zealotcrypt-aes-key.txt with a very descriptive User-Agent:
GET /zealotcrypt-aes-key.txt HTTP/1.1 Host: insidious.deadface.io User-Agent: DEADFACE_LLABS_CRYPTOWARE/6.69 Accept-Encoding: gzip
The accepted flag was,