SecurityWeek

Malware & Threats

ZCryptor Ransomware Spreads via Removable Drives

A large number of ransomware families have emerged over the past several months, and a new one is now making the rounds, Microsoft researchers warn.

Dubbed Ransom:Win32/ZCryptor.A, the ransomware abuses infection vectors used by other malware, such as spam emails, macro malware, and fake installers. Unlike other ransomware families out there, however, this piece of malware also exhibits worm-like behavior, which allows it to self-propagate from a compromised machine.

To spread, ZCryptor drops an autorun.inf file on removable drives, so that it infects the computers these drives are plugged into. Microsoft researchers explain that the malware also leverages network drives to propagate itself, and that it drops copies of itself in different locations and changes the file attributes to hide itself from the user in File Explorer.

While analyzing the threat, researchers with security firm Trend Micro observed that it was designed to target Windows XP 64-bit computers and that it can also run on more recent versions of Windows such as Windows 7 and 8.

Once executed on the infected system, the malware ensures that it can run at startup by creating a registry key, then drops autorun.inf on removable drives, along with a zycrypt.lnk in the Startup folder. Next, the malware creates hidden copies of itself as {Drive}:\system.exe and %appdata%\zcrypt.exe.

The ransomware targets numerous file types, encrypts them and appends the .zcrypt extension to them, while also creating the zcrypt1.0 mutex on the infected machines, which is meant to denote that an instance of the malware is already running. The ransomware also connects to specific servers to exchange information with them, but researchers say that these servers were inactive during their analysis.
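The file-system artifacts described above (autorun.inf and a hidden system.exe at a drive root, zcrypt.exe under %appdata%, zycrypt.lnk in the Startup folder, and the .zcrypt extension on encrypted files) are the kind of indicators an incident responder would sweep a drive or user profile for. The script below is an added example written for this article, not code from Microsoft, Trend Micro or SecurityWeek; it checks a drive root, a profile directory and a data tree for those names, reports whether each drop carries the Windows hidden attribute, and parses any autorun.inf to show which file it would launch. The directory layout it scans and the placeholder files it creates are constructed for the demo, and the exact paths on a real host are an assumption (point the functions at the real drive letter and profile folders).

```python
"""Added example: sweep a drive root, a user profile and a data tree for the
ZCryptor file-system indicators named in the article (defender-side check)."""
import configparser
import os
import stat
import tempfile
from dataclasses import dataclass

# Indicators taken from the article; matched case-insensitively like Windows does.
ROOT_DROP_NAMES = ("autorun.inf", "system.exe")  # dropped at {Drive}:\
APPDATA_DROP_NAME = "zcrypt.exe"                  # dropped at %appdata%\
STARTUP_LNK_NAME = "zycrypt.lnk"                  # dropped in the Startup folder
ENCRYPTED_EXT = ".zcrypt"                         # appended to encrypted files
FILE_ATTRIBUTE_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


@dataclass(frozen=True)
class Finding:
    kind: str             # which indicator matched
    path: str             # where it was found (or the autorun launch target)
    hidden: bool = False  # Windows hidden attribute set, as the article describes


def is_hidden(path: str) -> bool:
    """True if the hidden attribute is set; always False on non-Windows hosts."""
    try:
        attrs = getattr(os.stat(path), "st_file_attributes", 0)
    except OSError:
        return False
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def find_named(directory: str, wanted) -> dict:
    """Case-insensitive lookup of specific file names inside one directory."""
    wanted_lc = {w.lower() for w in wanted}
    try:
        entries = os.listdir(directory)
    except OSError:
        return {}
    return {e.lower(): os.path.join(directory, e) for e in entries
            if e.lower() in wanted_lc and os.path.isfile(os.path.join(directory, e))}


def autorun_launch_target(autorun_path: str):
    """Return the file an autorun.inf would launch (open= / shellexecute=), else None."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        with open(autorun_path, encoding="utf-8", errors="ignore") as fh:
            cfg.read_string(fh.read())
    except (OSError, configparser.Error):
        return None
    for section in cfg.sections():
        if section.lower() != "autorun":
            continue
        for key in ("open", "shellexecute"):
            if cfg.has_option(section, key):
                return cfg.get(section, key).strip()
    return None


def scan_drive_root(drive_root: str) -> list:
    """Propagation artifacts dropped at the root of a (removable) drive."""
    found = find_named(drive_root, ROOT_DROP_NAMES)
    findings = [Finding("drop:" + n, p, is_hidden(p)) for n, p in sorted(found.items())]
    if "autorun.inf" in found:
        target = autorun_launch_target(found["autorun.inf"])
        if target:
            findings.append(Finding("autorun-target", target))
    return findings


def scan_persistence(appdata_dir: str, startup_dir: str) -> list:
    """The per-user copy and the Startup-folder shortcut."""
    findings = [Finding("persistence:appdata-exe", p, is_hidden(p))
                for p in find_named(appdata_dir, (APPDATA_DROP_NAME,)).values()]
    findings += [Finding("persistence:startup-lnk", p, is_hidden(p))
                 for p in find_named(startup_dir, (STARTUP_LNK_NAME,)).values()]
    return findings


def scan_encrypted_files(root: str, limit: int = 100) -> list:
    """Walk a tree and report files carrying the .zcrypt extension (capped at limit)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                findings.append(Finding("encrypted-file", os.path.join(dirpath, name)))
                if len(findings) >= limit:
                    return findings
    return findings


def build_demo_tree(base: str) -> dict:
    """Constructed sample layout mimicking an infected host; inert placeholder files only."""
    layout = {"drive": ["autorun.inf", "system.exe"], "appdata": ["zcrypt.exe"],
              "startup": ["zycrypt.lnk"], "docs": ["report.docx.zcrypt", "notes.txt"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(base, sub), exist_ok=True)
        for n in names:
            with open(os.path.join(base, sub, n), "w") as fh:
                fh.write("[autorun]\nopen=system.exe\n" if n == "autorun.inf" else "placeholder")
    return {sub: os.path.join(base, sub) for sub in layout}


def demo() -> list:
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        d = build_demo_tree(tmp)
        return (scan_drive_root(d["drive"]) + scan_persistence(d["appdata"], d["startup"])
                + scan_encrypted_files(d["docs"]))


if __name__ == "__main__":
    for f in demo():
        print(f"{f.kind:26s} hidden={f.hidden!s:5s} {f.path}")
```

On a real Windows host, `scan_drive_root` would be pointed at each removable drive letter, `scan_persistence` at `%appdata%` and the user's Startup folder, and `scan_encrypted_files` at the user's document folders; the `hidden` flag only carries information there, since the attribute does not exist on other file systems. Reporting the autorun launch target rather than opening it keeps the sweep read-only.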

The ZCryptor ransomware asks for an initial 1.2 Bitcoin ransom, but the payment demand increases to 5 Bitcoin after four days of non-payment. However, paying is not an option when ransomware hits, as Jack Danahy, co-founder and CTO of the endpoint security company Barkly, explains in a SecurityWeek column. Instead, he explains, keeping data backed up helps users diminish the impact of ransomware infections.

Ransomware has been around for a few years, but it has become one of the largest threats over the past several months, when numerous new variants have emerged. Ransomware targets all popular operating systems: Windows (families like Locky, Petya, or Samas), Mac OS X (KeRanger), Linux (Linux.Encoder), and Android (Lockdroid), as well as websites (KimcilWare).