A large number of ransomware families have emerged over the past several months, and a new one is now making the rounds, Microsoft researchers warn.
Dubbed Ransom:Win32/ZCryptor.A, the ransomware abuses infection vectors used by other malware, such as spam emails, macro malware, and fake installers. Unlike other ransomware families out there, however, this piece of malware also exhibits worm-like behavior, which allows it to self-propagate from a compromised machine.
To do so, ZCryptor drops an autorun.inf file on removable drives, so that it is launched on the computers those drives are later plugged into. Microsoft researchers explain that the malware also uses network drives to spread, dropping copies of itself in several locations and setting the hidden file attribute on them so they do not show up for the user in File Explorer.
While analyzing the threat, researchers with security firm TrendMicro observed that it was designed to target Windows XP 64-bit computers and that it can also run on more recent versions of Windows such as Windows 7 and 8.
Once executed on the infected system, the malware ensures that it can run at startup by creating a registry key, then drops autorun.inf on removable drives, along with a zycrypt.lnk in the Startup folder. Next, the malware creates hidden copies of itself as {Drive}:\system.exe and %appdata%\zcrypt.exe.
The ransomware targets numerous file types, encrypts them and appends the .zcrypt extension to their names. It also creates the zcrypt1.0 mutex on the infected machine, which signals that an instance of the malware is already running. The ransomware also connects to specific servers to exchange information with them, but researchers say that these servers were inactive during their analysis.
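A defender-side triage check for the on-disk artefacts described above, added here as an example (it is not code from Microsoft, Trend Micro or SecurityWeek): it parses an autorun.inf for the executable it would launch, then looks on a drive root for system.exe and for files renamed to .zcrypt. The sample drive tree is constructed in a temporary directory with empty placeholder files, and the hidden-attribute check only yields a result on Windows.

```python
import stat
import tempfile
from pathlib import Path, PureWindowsPath

def autorun_targets(inf_text: str) -> list[str]:
    """Return every executable an autorun.inf would launch: the values of
    open=, shellexecute= and shell\\<verb>\\command= under [autorun]."""
    targets, in_autorun = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):            # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):  # section header
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in ("open", "shellexecute") or key.lower().endswith("\\command"):
                targets.append(value)
    return targets

def scan_drive_root(root: Path) -> list[str]:
    """Report ZCryptor-style artefacts on one removable or network drive root."""
    findings = []
    inf = root / "autorun.inf"
    if inf.is_file():
        for target in autorun_targets(inf.read_text(errors="replace")):
            if PureWindowsPath(target).name.lower() == "system.exe":
                findings.append(f"autorun.inf launches {target}")
    dropper = root / "system.exe"
    if dropper.is_file():
        attrs = getattr(dropper.stat(), "st_file_attributes", 0)   # Windows only
        hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 2))
        findings.append("system.exe at drive root" + (" (hidden)" if hidden else ""))
    encrypted = sum(1 for _ in root.rglob("*.zcrypt"))
    if encrypted:
        findings.append(f"{encrypted} file(s) renamed to .zcrypt")
    return findings

def demo() -> list[str]:
    """Build a constructed sample drive (placeholder files, no malware) and scan it."""
    with tempfile.TemporaryDirectory() as d:
        drive = Path(d, "E")
        (drive / "docs").mkdir(parents=True)
        (drive / "autorun.inf").write_text("[autorun]\nopen=system.exe\nicon=drive.ico\n")
        (drive / "system.exe").write_bytes(b"")                  # empty stand-in
        (drive / "docs" / "report.docx.zcrypt").write_bytes(b"")
        return scan_drive_root(drive)
```

Point scan_drive_root at each mounted removable or network drive root to triage a real host; a hit on any of the three findings warrants isolating the machine and checking %APPDATA% and the Startup folder for the other artefacts named above.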
The ZCryptor ransomware asks for an initial 1.2 Bitcoin ransom, but the payment demand increases to 5 Bitcoin after four days of non-payment. However, paying is not an option when ransomware hits, as Jack Danahy, co-founder and CTO of the endpoint security company Barkly, explains in a SecurityWeek column. Instead, he explains, keeping data backed up helps users diminish the impact of ransomware infections.
Ransomware has been around for a few years, but it has become one of the largest threats over the past several months, when numerous new variants have emerged. Ransomware targets all popular operating systems: Windows (families like Locky, Petya, or Samas), Mac OS X (KeRanger), Linux (Linux.Encoder), and Android (Lockdroid), as well as websites (KimcilWare).