Ransomware infections are on the rise as cybercriminals pen more sophisticated phishing emails and stuff Word macros with malicious code. According to a recent Microsoft security warning, however, there’s a new player in town: ZCryptor.

While most of this ransomware's behavior isn't anything special, the strain has a dirty secret: It functions like a worm, with the ability to self-replicate across physical and network drives. Can victims wriggle free of this ransomworm?

Common Vector

As noted by Softpedia, the new malware strain isn’t doing anything revolutionary on the infection front. Attackers are using fake Adobe Flash installers and booby-trapped Office macros to lure in unsuspecting users and infect their PCs. Like most ransomware, it’s possible to avoid the issue by steering clear of strange-looking email attachments, disabling macros and only downloading software from trusted sites.

Once onboard, the malware drops a key in the PC registry so it can’t be easily removed and then begins encrypting files. According to the MalwareForMe blog — which first discovered ZCryptor on May 24 — the strain creates a “no disk in drive” pop-up to distract users while it communicates with C&C servers and searches for any one of 121 file types it can encrypt.

In the next stage, a splash screen says the PC is infected and demands 1.2 bitcoins (around $500) for decryption. After four days the ransom bumps up to 5 bitcoins, and attackers claim they will destroy the unique key needed to save any files in a week’s time.

ZCryptor Gets Creepy Crawly

What really sets ZCryptor apart, however, is the ability to self-replicate across removable and network drives. While other variants like Alpha ransomware are able to encrypt data in shared folders, this is the first reported case of ransomware actually copying itself to any attached drives.

If an infected drive is connected to a new computer, the ransomware automatically loads, infects it and begins the process again. Analysis by Trend Micro confirmed Microsoft's classification of the new strain as a worm, making it the world's first recognized case of a ransomworm infection.
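The two behaviors described above, the registry persistence entry and the copy that auto-loads from an attached drive, are the sort of thing a defender can check for on a host. The following is an added example, not code from the article or from any vendor analysis; the sample registry export, drive listing and file names are constructed, and the use of autorun.inf as the auto-load mechanism is an assumption the article does not state.

```python
# Added example (not from the article): defender-side checks for (1) a Run-key
# persistence entry pointing at an unknown executable in a user-writable folder and
# (2) an executable at the root of a removable drive that autorun.inf would launch.
# All inputs are constructed; autorun.inf as the load mechanism is an assumption.
import re
from pathlib import PureWindowsPath

# Constructed sample: text export of HKCU\...\Run values in "name = value" form.
RUN_KEY_EXPORT = """
OneDrive = "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
zcrypt = C:\\Users\\alice\\AppData\\Roaming\\zcrypt.exe
"""

# Constructed sample: names at the root of a removable drive plus its autorun.inf.
DRIVE_ROOT_FILES = ["autorun.inf", "system.exe", "holiday.jpg", "report.docx"]
AUTORUN_INF = "[autorun]\nopen=system.exe\nicon=system.exe\n"

# User-writable locations where a dropped payload typically lands. Legitimate apps
# live under AppData too, so a hit is a review signal, not a verdict.
USER_WRITABLE = ("appdata", "temp", "downloads", "public")
KNOWN_GOOD = {"onedrive.exe"}  # constructed allow-list for the sample


def suspicious_run_entries(export: str) -> list[str]:
    """Return Run-key names whose target is an unknown .exe in a user-writable dir."""
    hits = []
    for line in export.strip().splitlines():
        name, _, value = line.partition("=")
        m = re.search(r'([A-Za-z]:\\[^"]+?\.exe)', value)
        if not m:
            continue
        path = PureWindowsPath(m.group(1))
        in_user_dir = any(p.lower() in USER_WRITABLE for p in path.parts)
        if in_user_dir and path.name.lower() not in KNOWN_GOOD:
            hits.append(name.strip())
    return hits


def autorun_targets(files: list[str], autorun_inf: str) -> list[str]:
    """Return root-level executables that autorun.inf would launch on attach."""
    present = {f.lower() for f in files}
    if "autorun.inf" not in present:
        return []
    targets = re.findall(r"^(?:open|shellexecute)\s*=\s*(\S+)", autorun_inf, re.I | re.M)
    return sorted({t for t in targets if t.lower() in present and t.lower().endswith(".exe")})
```

On a real host the export would come from `reg query` or the Windows registry API and the listing from the drive root; the logic is unchanged.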

The problem? Worms are great at copying their code to new devices; consider, for example, a self-replicating variant that takes control of Ubiquiti routers and other firmware. When it comes to more complex operations such as file encryption and ransoms, however, worms don’t make a great choice — malware-makers prefer lighter and more agile deployments.

Now the creators of ZCryptor have managed to combine the breadth of worm infections with the sheer striking power of targeted malware. In other words? It’s a great day for attackers, but not so hot for victims and defenders.

There is a silver lining: As noted above, this strain isn’t hard to avoid, and the right antivirus solution should catch it at first burrow. But it’s a wake-up call for white hats. With a better attack vector, this code has the cybercriminal trifecta: It’s hard to see coming, quick to act and easy to replicate.

Bottom line? In the near future, ensuring clean PCs may demand regular de-worming.
