A new ransomware variant exhibits worm-like behavior, proving itself to be capable of copying itself to removable drives.
On May 26, Microsoft issued an alert warning users to be on the lookout for “ZCryptor.”
First detected by a security researcher named Jack on May 24, the ransomware infects users computers via malicious spam, malicious macros in Microsoft Office documents, and fake software installers.
Upon successful installation, the ransomware proceeds to encrypt the unsuspecting user’s files.
Additionally, as Jack explains in a blog post, the ransomware attempts to distract the user from what is happening:
“When executed, the malware creates a pop-up that appears to be benign – likely to confuse a user while the malware talks to the command and control server and begins the encryption routine. The pop-up will continue to appear while the malware is running.”
Microsoft notes in its alert that the ransomware currently targets 88 different file types for encryption. However, since the Redmond-based company issued its post, security researcher MalwareHunterTeam told Softpedia that he has seen some samples of ZCryptor targeting as many as 121 different file extensions, which suggests the malware may be being actively updated.
Once the encryption process is complete, ZCryptor reveals its ransom message in which it asks for US $500.
At this time, there is no known way for users affected by ZCryptor to recover their encrypted files for free, unless they have a secure backup of their data to hand.
Instead victims must pay the ransom fee, remove the malware and its files from their computers, and then scan their machines for additional malicious code, as outlined in an article by Trend Micro.
Only then will the users be safe from ZCryptor… right?
Wrong!
This ransomware has a secret. Before it even begins the encryption process, the crypto-malware drops “autorun.inf” on all attached removable drives, effectively creating a copy of itself on all USBs connected to the computer at the time of infection.
This propagation technique sets ZCryptor apart from other ransomware variants like Alpha, which is capable of encrypting files on shared folders only.
This newest ransomware may even invoke the notion of a “cryptoworm“, first articulated by Cisco security researcher William Largent back in April.
ZCryptor might be a harbinger of threats to come.
Fortunately, we can largely defend against it as we would other ransomware variants, such as by avoiding clicking on suspicious links and email attachments, disabling macros by default, downloading software from trusted sources only, maintaining secure backups, and running an up-to-date anti-virus product capable of scanning removable drives on our computers.
autorun.inf ? Would it help to make our own autorun.inf to put on all removable drives and make it hidden, system, and read only? At least that should protect our removable drives from being part of the infection vector.