SecurityWeek

Malware & Threats

ZCryptor Ransomware Spreads via Removable Drives

A large number of ransomware families have emerged over the past several months, and a new one is now making the rounds, Microsoft researchers warn.

Dubbed Ransom:Win32/ZCryptor.A, the ransomware abuses infection vectors used by other malware, such as spam emails, macro malware, and fake installers. Unlike other ransomware families out there, however, this piece of malware also exhibits worm-like behavior, which allows it to self-propagate from a compromised machine.

For that, ZCryptor drops an autorun.inf file on removable drives, which allows it to infect the computers those drives are later plugged into. Microsoft researchers explain that the malware also leverages network drives to propagate, and that it drops copies of itself in different locations and changes the file attributes to hide them from the user in File Explorer.

While analyzing the threat, researchers with security firm Trend Micro observed that it was designed to target Windows XP 64-bit computers and that it can also run on more recent versions of Windows, such as Windows 7 and 8.

Once executed on the infected system, the malware ensures that it can run at startup by creating a registry key, then drops autorun.inf on removable drives, along with a zycrypt.lnk in the start-up folder. Next, the malware creates hidden copies of itself as {Drive}:\system.exe and %appdata%\zcrypt.exe.

The ransomware targets numerous file types, encrypts them and adds the .zcrypt extension to them, while also creating the zcrypt1.0 mutex on the infected machines, which is meant to denote that an instance of the malware is already running. The ransomware also connects to specific servers to exchange information with them, but researchers say that these servers were inactive during their analysis.
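As an added defender-side example (not code from the article, Microsoft or Trend Micro), the following Python triage helper checks a mounted drive or folder for the file-system indicators described above: an autorun.inf at the root that launches system.exe, the dropped system.exe / zcrypt.exe / zycrypt.lnk names, and files renamed with the .zcrypt extension. The sample drive layout is constructed for the demonstration, and the scoring weights are an assumption of mine, not from the article.

```python
"""Triage helper for the ZCryptor file-system indicators reported by Microsoft."""
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the article; paths are relative to the scanned root,
# which stands in for a drive root (or the %appdata% folder for zcrypt.exe).
ENCRYPTED_EXT = ".zcrypt"
DROPPED_NAMES = {"system.exe", "zcrypt.exe", "zycrypt.lnk", "autorun.inf"}


def parse_autorun(text):
    """Return the program an autorun.inf would launch (open= / shellexecute=), or None."""
    for line in text.splitlines():
        m = re.match(r"\s*(open|shellexecute)\s*=\s*(.+?)\s*$", line, re.IGNORECASE)
        if m:
            return m.group(2)
    return None


def scan_root(root):
    """Walk `root` and collect matching files; returns a dict of findings."""
    root = Path(root)
    findings = {"encrypted_files": [], "dropped_files": [], "autorun_target": None}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            if path.suffix.lower() == ENCRYPTED_EXT:
                findings["encrypted_files"].append(rel)
            if name.lower() in DROPPED_NAMES:
                findings["dropped_files"].append(rel)
            # Only an autorun.inf at the drive root is honoured by Windows AutoRun.
            if name.lower() == "autorun.inf" and path.parent == root:
                findings["autorun_target"] = parse_autorun(path.read_text(errors="replace"))
    return findings


def risk_score(findings):
    """Assumed weights: autorun launching system.exe at the root is the strongest signal."""
    target = (findings["autorun_target"] or "").lower()
    return ((3 if "system.exe" in target else 0)
            + min(len(findings["dropped_files"]), 3)
            + (2 if findings["encrypted_files"] else 0))


def build_sample_drive(infected=True):
    """Constructed sample: a temp folder laid out like a removable drive ZCryptor touched."""
    d = Path(tempfile.mkdtemp(prefix="zc_sample_"))
    (d / "docs").mkdir()
    if not infected:
        (d / "docs" / "report.docx").write_bytes(b"clean document")
        return d
    (d / "autorun.inf").write_text("[autorun]\nopen=system.exe\n")
    (d / "system.exe").write_bytes(b"placeholder bytes, not real malware")
    (d / "docs" / "report.docx.zcrypt").write_bytes(b"\x00")
    return d
```

Run `scan_root` against a mounted removable drive (or a user's %appdata% folder) rather than the constructed sample when triaging a real machine; the registry Run key and the zcrypt1.0 mutex are separate, Windows-only checks not covered here.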

The ZCryptor ransomware asks for an initial 1.2 Bitcoin ransom, but the payment demand increases to 5 Bitcoin after four days of non-payment. However, paying is not an option when ransomware hits, as Jack Danahy, co-founder and CTO of the endpoint security company Barkly, explains in a SecurityWeek column. Instead, he explains, keeping data backed up helps users diminish the impact of ransomware infections.

Ransomware has been around for a few years, but it has become one of the largest threats over the past several months, when numerous new variants have emerged. Ransomware targets all popular operating systems: Windows (families like Locky, Petya, or Samas), Mac OS X (KeRanger), Linux (Linux.Encoder), and Android (Lockdroid), as well as websites (KimcilWare).
