Ransomware infections are on the rise as cybercriminals pen more sophisticated phishing emails and stuff Word macros with malicious code. According to a recent Microsoft security warning, however, there’s a new player in town: ZCryptor.

While most of the ransomware isn’t anything special, this strain has a dirty secret: It functions like a worm, with the ability to self-replicate across physical and network drives. Can victims wriggle free of this ransomworm?

Common Vector

As noted by Softpedia, the new malware strain isn’t doing anything revolutionary on the infection front. Attackers are using fake Adobe Flash installers and booby-trapped Office macros to lure in unsuspecting users and infect their PCs. Like most ransomware, it’s possible to avoid the issue by steering clear of strange-looking email attachments, disabling macros and only downloading software from trusted sites.

Once onboard, the malware drops a key in the PC registry so it can’t be easily removed and then begins encrypting files. According to the MalwareForMe blog — which first discovered ZCryptor on May 24 — the strain creates a “no disk in drive” pop-up to distract users while it communicates with C&C servers and searches for any one of 121 file types it can encrypt.

In the next stage, a splash screen says the PC is infected and demands 1.2 bitcoins (around $500) for decryption. After four days the ransom bumps up to 5 bitcoins, and attackers claim they will destroy the unique key needed to save any files in a week’s time.

ZCryptor Gets Creepy Crawly

What really sets ZCryptor apart, however, is the ability to self-replicate across removable and network drives. While other variants like Alpha ransomware are able to encrypt data in shared folders, this is the first reported case of ransomware actually copying itself to any attached drives.

If an infected drive is connected to a new computer, the ransomware automatically loads, infects and begins the process again. Analysis by Trend Micro confirmed Microsoft’s definition of the new strain as a worm, making it the world’s first recognized case of a ransomworm infection.

The problem? Worms are great at copying their code to new devices; consider, for example, a self-replicating variant that takes control of Ubiquiti routers and other firmware. When it comes to more complex operations such as file encryption and ransoms, however, worms don’t make a great choice — malware-makers prefer lighter and more agile deployments.

Now the creators of ZCryptor have managed to combine the breadth of worm infections with the sheer striking power of targeted malware. In other words? It’s a great day for attackers, but not so hot for victims and defenders.

There is a silver lining: As noted above, this strain isn’t hard to avoid, and the right antivirus solution should catch it at first burrow. But it’s a wake-up call for white hats. With a better attack vector, this code has the cybercriminal trifecta: It’s hard to see coming, quick to act and easy to replicate.

Bottom line? In the near future, ensuring clean PCs may demand regular de-worming.

More from

Vulnerability resolution enhanced by integrations

2 min read - Why speed is of the essence in today's cybersecurity landscape? How are you quickly achieving vulnerability resolution?Identifying vulnerabilities should be part of the daily process within an organization. It's an important piece of maintaining an organization’s security posture. However, the complicated nature of modern technologies — and the pace of change — often make vulnerability management a challenging task.In the past, many organizations had to support manual integration work to get different security systems to ‘talk’ to each other. As…

How I got started: SIEM engineer

2 min read - As careers in cybersecurity become increasingly more specialized, Security Information and Event Management (SIEM) engineers are playing a more prominent role. These professionals are like forensic specialists but are also on the front lines protecting sensitive information from the relentless onslaught of cyber threats. SIEM engineers meticulously monitor, analyze and manage security events and incidents within an organization. They leverage SIEM tools to aggregate and correlate data, enabling them to detect anomalies, identify potential threats and respond swiftly to security…

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America.IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that X-Force…

Cost of a data breach 2023: Geographical breakdowns

4 min read - Data breaches can occur anywhere in the world, but they are historically more common in specific countries. Typically, countries with high internet usage and digital services are more prone to data breaches. To that end, IBM’s Cost of a Data Breach Report 2023 looked at 553 organizations of various sizes across 16 countries and geographic regions, and 17 industries. In the report, the top five costs of a data breach by country or region (measured in USD millions) for 2023…