Researchers have discovered a new trojan-ransomware with improved attack capabilities. ZCryptor displays what has been described as “worm-like” behaviour: it spreads not only to network drives but also to any removable drives.
The ransomware was first identified on 24th May by a researcher called Jack (who runs the blog MalwareForMe). Microsoft also noted the new infection, saying today, “We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior…(it) leverages removable and network drives to propagate itself and affect more users.”
So far, ZCryptor has been observed being distributed via Office files carrying malicious macros, and via the popular method of presenting the victim with a fake Flash update. If either is opened, the ransomware installs itself, first gaining startup persistence by creating a registry key, and then begins encrypting files. The first sample targeted 88 different extensions; in a more recent sample analysed, ZCryptor searched for and encrypted 121 different file types, suggesting that the author is updating it on the go. On encryption, it appends the extension .zcrypt (hence the name).
ZCryptor caught the attention of both Microsoft and Trend Micro specifically because of its “worm-like behavior”. Many ransomware variants spread to network shares, which are increasingly used when targeting businesses. Despite that similarity, according to Trend Micro researchers this variant actually self-replicates onto drives, including removable devices. This new way of working could be intended to speed up infection, and it shows that malware authors keep working on their products too.
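The two indicators the article gives a responder to work with are the appended `.zcrypt` extension and the spread across network and removable drives. The following Python script is an added triage example, not code from the original article or from Microsoft or Trend Micro: pointed at a mounted share or removable drive, it lists the encrypted files, recovers the original extensions they carried before `.zcrypt` was appended (useful for comparing against the 88 or 121 targeted types the report mentions), and estimates from modification times how quickly the encryption ran. The sample directory tree is constructed inline so the script runs offline; the file names in it are assumptions, not indicators from the report.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Extension ZCryptor appends to every file it encrypts (from the report).
ZCRYPT_EXT = ".zcrypt"


def scan_for_zcrypt(root):
    """Walk `root` recursively and return the encrypted files found, plus a
    count of the original extensions they carried before `.zcrypt` was appended."""
    hits = [
        path
        for path in Path(root).rglob("*")
        if path.is_file() and path.name.lower().endswith(ZCRYPT_EXT)
    ]
    # Strip the ransomware's suffix to see what the file used to be, e.g.
    # "report.docx.zcrypt" -> ".docx". Files that had no extension count as "(none)".
    original_ext = Counter(
        Path(p.name[: -len(ZCRYPT_EXT)]).suffix.lower() or "(none)" for p in hits
    )
    return hits, original_ext


def triage(root):
    """Summarise an infected volume: how many files were hit, which original
    types, and the time window over which the encryption happened."""
    hits, original_ext = scan_for_zcrypt(root)
    if not hits:
        return {"infected": False, "count": 0, "window_seconds": 0.0, "extensions": {}}
    mtimes = [p.stat().st_mtime for p in hits]
    return {
        "infected": True,
        "count": len(hits),
        # Span between the first and last encrypted file: a rough speed estimate.
        "window_seconds": max(mtimes) - min(mtimes),
        "extensions": dict(original_ext),
    }


def build_sample_tree():
    """Constructed sample: a temp directory imitating a share after an infection.
    The names are invented for the demo and are not indicators from the report."""
    root = tempfile.mkdtemp(prefix="zcrypt_demo_")
    sample_files = [
        "docs/report.docx.zcrypt",   # encrypted Office document
        "docs/budget.xlsx.zcrypt",   # encrypted spreadsheet
        "photos/a.jpg.zcrypt",       # encrypted image
        "photos/b.jpg.zcrypt",       # encrypted image
        "readme.txt",                # untouched file
        "bin/tool.exe",              # untouched executable
    ]
    for rel in sample_files:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    # Run against the constructed tree; replace build_sample_tree() with the
    # mount point of a suspect share or removable drive in real use.
    result = triage(build_sample_tree())
    print(result)
```

On a clean volume `triage` reports `infected: False`; on the constructed tree it reports four encrypted files across `.docx`, `.xlsx` and `.jpg`. Because the script only reads metadata, it is safe to run on a drive that has been write-protected for evidence preservation.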
After encryption, a ransom demand of 1.2 Bitcoin (BTC), about $500 US, is made, payable to an address found in a generated file containing full instructions for purchasing decryption. If the ransom is unpaid after four days, it increases to 5.0 BTC. After a week the author threatens to destroy the key, and the user loses the files.
On investigating the details provided to the victim, researchers found that the payment site is currently down. They also checked the Bitcoin address, and so far the ransomware has not generated any money from victims.
It may be that this malware is on a trial run (something seen before) and that ZCryptor is a work in progress. The researchers' advice is to be aware of how ransomware like ZCryptor spreads, to keep systems and browsers current and patched, and to make regular backups to mitigate a ransomware attack.