Ransomware or ransomworm? Beware of ZCryptor!

Ransomware displays worm-like behavior

David bisson
David Bisson

Ransomware or ransomworm? Beware of ZCryptor!

A new ransomware variant exhibits worm-like behavior, proving itself to be capable of copying itself to removable drives.

On May 26, Microsoft issued an alert warning users to be on the lookout for “ZCryptor.”

First detected by a security researcher named Jack on May 24, the ransomware infects users computers via malicious spam, malicious macros in Microsoft Office documents, and fake software installers.

Sign up to our free newsletter.
Security news, advice, and tips.

Upon successful installation, the ransomware proceeds to encrypt the unsuspecting user’s files.

Additionally, as Jack explains in a blog post, the ransomware attempts to distract the user from what is happening:

“When executed, the malware creates a pop-up that appears to be benign – likely to confuse a user while the malware talks to the command and control server and begins the encryption routine. The pop-up will continue to appear while the malware is running.”

Zcrypt popup

Microsoft notes in its alert that the ransomware currently targets 88 different file types for encryption. However, since the Redmond-based company issued its post, security researcher MalwareHunterTeam told Softpedia that he has seen some samples of ZCryptor targeting as many as 121 different file extensions, which suggests the malware may be being actively updated.

Once the encryption process is complete, ZCryptor reveals its ransom message in which it asks for US $500.

Zcrypt note

At this time, there is no known way for users affected by ZCryptor to recover their encrypted files for free, unless they have a secure backup of their data to hand.

Instead victims must pay the ransom fee, remove the malware and its files from their computers, and then scan their machines for additional malicious code, as outlined in an article by Trend Micro.

Only then will the users be safe from ZCryptor… right?


This ransomware has a secret. Before it even begins the encryption process, the crypto-malware drops “autorun.inf” on all attached removable drives, effectively creating a copy of itself on all USBs connected to the computer at the time of infection.

Ransom zcrpyt a bd

This propagation technique sets ZCryptor apart from other ransomware variants like Alpha, which is capable of encrypting files on shared folders only.

This newest ransomware may even invoke the notion of a “cryptoworm“, first articulated by Cisco security researcher William Largent back in April.

ZCryptor might be a harbinger of threats to come.

Fortunately, we can largely defend against it as we would other ransomware variants, such as by avoiding clicking on suspicious links and email attachments, disabling macros by default, downloading software from trusted sources only, maintaining secure backups, and running an up-to-date anti-virus product capable of scanning removable drives on our computers.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Ransomware or ransomworm? Beware of ZCryptor!”

  1. Joe P

    autorun.inf ? Would it help to make our own autorun.inf to put on all removable drives and make it hidden, system, and read only? At least that should protect our removable drives from being part of the infection vector.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.