Ransomware infections are on the rise as cybercriminals pen more sophisticated phishing emails and stuff Word macros with malicious code. According to a recent Microsoft security warning, however, there’s a new player in town: ZCryptor.

While most of the ransomware isn’t anything special, this strain has a dirty secret: It functions like a worm, with the ability to self-replicate across physical and network drives. Can victims wriggle free of this ransomworm?

Common Vector

As noted by Softpedia, the new malware strain isn’t doing anything revolutionary on the infection front. Attackers are using fake Adobe Flash installers and booby-trapped Office macros to lure in unsuspecting users and infect their PCs. Like most ransomware, it’s possible to avoid the issue by steering clear of strange-looking email attachments, disabling macros and only downloading software from trusted sites.

Once onboard, the malware drops a key in the PC registry so it can’t be easily removed and then begins encrypting files. According to the MalwareForMe blog — which first discovered ZCryptor on May 24 — the strain creates a “no disk in drive” pop-up to distract users while it communicates with C&C servers and searches for any one of 121 file types it can encrypt.

In the next stage, a splash screen says the PC is infected and demands 1.2 bitcoins (around $500) for decryption. After four days the ransom bumps up to 5 bitcoins, and attackers claim they will destroy the unique key needed to save any files in a week’s time.

ZCryptor Gets Creepy Crawly

What really sets ZCryptor apart, however, is the ability to self-replicate across removable and network drives. While other variants like Alpha ransomware are able to encrypt data in shared folders, this is the first reported case of ransomware actually copying itself to any attached drives.

If an infected drive is connected to a new computer, the ransomware automatically loads, infects and begins the process again. Analysis by Trend Micro confirmed Microsoft’s definition of the new strain as a worm, making it the world’s first recognized case of a ransomworm infection.

The problem? Worms are great at copying their code to new devices; consider, for example, a self-replicating variant that takes control of Ubiquiti routers and other firmware. When it comes to more complex operations such as file encryption and ransoms, however, worms don’t make a great choice — malware-makers prefer lighter and more agile deployments.

Now the creators of ZCryptor have managed to combine the breadth of worm infections with the sheer striking power of targeted malware. In other words? It’s a great day for attackers, but not so hot for victims and defenders.

There is a silver lining: As noted above, this strain isn’t hard to avoid, and the right antivirus solution should catch it at first burrow. But it’s a wake-up call for white hats. With a better attack vector, this code has the cybercriminal trifecta: It’s hard to see coming, quick to act and easy to replicate.

Bottom line? In the near future, ensuring clean PCs may demand regular de-worming.

More from

Detecting Insider Threats: Leverage User Behavior Analytics

3 min read - Employees often play an unwitting role in many security incidents, from accidental data breaches to intentional malicious attacks. Unfortunately, most organizations don’t have the right protocols and processes to identify potential risks posed by their workforce. Based on a survey conducted by SANS Institute, 35% of respondents said they lack visibility into insider threats, while 30% said the inability to audit user access is a security blind spot in their organizations. In addition, the 2023 X-Force Threat Intelligence Index reported that…

3 min read

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Increasingly Sophisticated Cyberattacks Target Healthcare

4 min read - It’s rare to see 100% agreement on a survey. But Porter Research found consensus from business leaders across the provider, payer and pharmaceutical/life sciences industries. Every single person agreed that “growing hacker sophistication” is the primary driver behind the increase in ransomware attacks. In response to the findings, the American Hospital Association told Porter Research, “Not only are cyber criminals more organized than they were in the past, but they are often more skilled and sophisticated.” Although not unanimous, the…

4 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read