June 1, 2016 By Douglas Bonderud 2 min read

Ransomware infections are on the rise as cybercriminals pen more sophisticated phishing emails and stuff Word macros with malicious code. According to a recent Microsoft security warning, however, there’s a new player in town: ZCryptor.

While most of the ransomware isn’t anything special, this strain has a dirty secret: It functions like a worm, with the ability to self-replicate across physical and network drives. Can victims wriggle free of this ransomworm?

Common Vector

As noted by Softpedia, the new malware strain isn’t doing anything revolutionary on the infection front. Attackers are using fake Adobe Flash installers and booby-trapped Office macros to lure in unsuspecting users and infect their PCs. Like most ransomware, it’s possible to avoid the issue by steering clear of strange-looking email attachments, disabling macros and only downloading software from trusted sites.

Once onboard, the malware drops a key in the PC registry so it can’t be easily removed and then begins encrypting files. According to the MalwareForMe blog — which first discovered ZCryptor on May 24 — the strain creates a “no disk in drive” pop-up to distract users while it communicates with C&C servers and searches for any one of 121 file types it can encrypt.

In the next stage, a splash screen says the PC is infected and demands 1.2 bitcoins (around $500) for decryption. After four days the ransom bumps up to 5 bitcoins, and attackers claim they will destroy the unique key needed to save any files in a week’s time.

ZCryptor Gets Creepy Crawly

What really sets ZCryptor apart, however, is the ability to self-replicate across removable and network drives. While other variants like Alpha ransomware are able to encrypt data in shared folders, this is the first reported case of ransomware actually copying itself to any attached drives.

If an infected drive is connected to a new computer, the ransomware automatically loads, infects and begins the process again. Analysis by Trend Micro confirmed Microsoft’s definition of the new strain as a worm, making it the world’s first recognized case of a ransomworm infection.

The problem? Worms are great at copying their code to new devices; consider, for example, a self-replicating variant that takes control of Ubiquiti routers and other firmware. When it comes to more complex operations such as file encryption and ransoms, however, worms don’t make a great choice — malware-makers prefer lighter and more agile deployments.

Now the creators of ZCryptor have managed to combine the breadth of worm infections with the sheer striking power of targeted malware. In other words? It’s a great day for attackers, but not so hot for victims and defenders.

There is a silver lining: As noted above, this strain isn’t hard to avoid, and the right antivirus solution should catch it at first burrow. But it’s a wake-up call for white hats. With a better attack vector, this code has the cybercriminal trifecta: It’s hard to see coming, quick to act and easy to replicate.

Bottom line? In the near future, ensuring clean PCs may demand regular de-worming.

More from

Crisis communication: What NOT to do

4 min read - Read the 1st blog in this series, Cybersecurity crisis communication: What to doWhen an organization experiences a cyberattack, tensions are high, customers are concerned and the business is typically not operating at full capacity. Every move you make at this point makes a difference to your company’s future, and even a seemingly small mistake can cause permanent reputational damage.Because of the stress and many moving parts that are involved, businesses often fall short when it comes to communication in a crisis.…

The future of cybersecurity: What to expect at Black Hat 2024

3 min read - The cybersecurity landscape continues to evolve at a breakneck pace. New threats emerge daily, and the stakes have never been higher, especially as artificial intelligence (AI) is infused into every aspect of business. As security and business leaders, it's crucial to stay ahead of the curve and ensure your organization is equipped to handle the ever-changing threat landscape. For over two decades, Black Hat has been the premier gathering of cybersecurity professionals, providing a platform for experts to share knowledge,…

Recent CrowdStrike outage: What you should know

3 min read - On Friday, July 19, 2024, nearly 8.5 million Microsoft devices were affected by a faulty system update, causing a major outage of businesses and services worldwide. This equates to nearly 1% of all Microsoft systems globally and has led to significant disruptions to airlines, police departments, banks, hospitals, emergency call centers and hundreds of thousands of other private and public businesses. What caused this outage in Microsoft systems? The global outage of specific Microsoft-enabled systems and servers was isolated to…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today