Security Experts:

ZCryptor Ransomware Spreads via Removable Drives

A large number of ransomware families have emerged over the past several months, and a new one is now making the rounds, Microsoft researchers warn.

Dubbed Ransom:Win32/ZCryptor.A, the ransomware abuses infection vectors used by other malware, such as spam emails, macro malware, and fake installers. Unlike other ransomware families out there, however, this piece of malware also exhibits worm-like behavior, which allows it to self-propagate from a compromised machine.

For that, ZCryptor drops an autorun.inf file on removable drives, which allows it to infect the computers these drives are plugged into. Microsoft researchers explain that the malware also leverages network drives to propagate itself, and that it drops copies of itself in different locations and changes the file attributes to hide itself from the user in file explorer.

While analyzing the threat, researchers with security firm TrendMicro observed that it was designed to target Windows XP 64-bit computers and that it can also run on more recent versions of Windows such as Windows 7 and 8.

Once executed on the infected system, the malware ensures that it could run at startup by creating a registry key, then drops autorun.inf on removable drives, along with a zycrypt.lnk in the start-up folder. Next, the malware creates hidden copies of itself as {Drive}:\system.exe and %appdata%\zcrypt.exe.

The ransomware targets numerous file types, encrypts them and adds the .zcrypt extension to them, while also creating the zcrypt1.0 mutex on the infected machines, which is meant to denote that an instance of the malware is already running. The ransomware also connects to specific servers to exchange information with them, but researchers say that these servers were inactive during their analysis.

The ZCryptor ransomware asks for an initial 1.2 Bitcoin ransom, but the payment demand increases to 5 Bitcoin after four days of non-payment. However, paying is not an option when ransomware hits, as Jack Danahy, co-founder and CTO of the endpoint security company Barkly, explains in a SecurityWeek column. Instead, he explains, keeping data backed up helps users diminish the impact of ransomware infections.

Ransomware has been around for a few years, but it has become one of the largest threats over the past several months, when numerous new variants have emerged. Ransomware targets all popular operating systems: Windows (families like Locky, Petya, or Samas), Mac OS X (KeRanger), Linux (Linux.Encoder), and Android (Lockdroid), as well as websites (KimcilWare).

view counter