Microsoft has recently given Windows users a new incentive to upgrade to Windows 10: A ransomware worm called ZCryptor. The new ransomware variant exhibits worm-like capabilities and is able to self-replicate and infecting multiple devices. The malicious file-encrypting software infection will not be prevented by upgrading to the latest version of Windows, although additional protections are included in the Windows 10 release to make infection more difficult.
The new ransomware variant, called ZCryptor.A, is primarily distributed via spam email messages containing malicious macros, although the Microsoft security advisory indicates the ransomware worm is also installed via fake installers such as those claiming to update Adobe Flash to the latest version.
If ZCryptor is installed, the ransomware searches for removable drives and installs an autorun.inf file on the device. When the drive is disconnected and connected to another computer, the ransomware is able to spread, infecting a new machine.
The ZCryptor ransomware worm is capable of encrypting 88 different file types according to the Microsoft advisory, although some samples have been detected that are capable of infecting as many as 121 different files types.
Once installed, the ransomware generates a fake Windows alert indicating a removable drive cannot be detected. The pop-up will continue to be displayed while the ransomware is running and is communicating with its command and control server. The purpose of the pop-up is unclear, although presumably this is generated to prompt the user to disconnect the drive. This could be a ploy to get the victim to connect the removable drive to a different computer thus spreading the infection.
The ransomware worm displays an HTML window explaining that all personal files on the computer have been encrypted. A ransom demand of 1.2 Bitcoin is demanded ($500) for the decryption key to unlock the infection. Victims are given 4 days to pay the ransom or the ransom demand increases to 5 Bitcoin. The attackers claim that after 7 days the unique decryption key will be permanently destroyed, and all encrypted files will remain permanently locked.
While anti-virus software developers have been able to find vulnerabilities in a number of other ransomware variants and develop fixes, no known fix currently exists for a ZCryptor infection. Victims will either have to restore all of their files from a backup or will have to pay the ransom. Of course, there is no guarantee that the attackers will make good on their promise and will supply a valid decryption key.
Ransomware Worm Represents Next Stage of Malware Development
Many organizations now employ web filtering solutions such as WebTitan to block malicious URLs containing exploit kits. By blocking these attack vectors, it is becoming harder for cybercriminals to infect computers.
Spam filters have similarly been developed to be much more efficient and effective at blocking malicious spam email. SpamTitan now blocks 99.97% of spam, making it much harder for malicious attachments and links to reach end users.
Due to the improved cybersecurity protections in place in many organizations, ransomware developers have had to develop new methods to spread infections. The development of ransomware that exhibits worm-like behavior does not come as a surprise. Security researchers believe that these ransomware worms are likely to become much more common and that self-propagating ransomware and malware will soon become the norm.