ZCryptor Ransomware or Worm?


A huge number of ransomware families have emerged over the past several months, and a new one is now causing havoc. Microsoft warns about ZCryptor, which it describes as the first ransomware it has detected with self-propagation features, i.e. it can spread to other machines on its own and so exhibits worm-like behaviour. It does this by automatically copying itself to shared network drives and portable storage drives. It is also distributed through macro-enabled Office documents. It joins a recent wave of ransomware that includes a family reported to launch DDoS attacks from infected machines while locking the user's computer.

It encrypts files of many types, for example Office documents and archives, image, audio and video files, log files, database files, APK files and Java source files, changes their extension to .zcrypt, and pops up the ransom note (an HTML file that is opened in the default browser). Infected machines carry a mutex named zcrypt1.0; the mutex signals that an instance of the ransomware is already running on the machine, so a second copy will not start.

ZCryptor drops an autorun.inf file on removable and other attached drives, which lets it infect further computers when such a drive is plugged into them (modern Windows versions no longer honour autorun.inf on USB drives by default, so this vector mainly works on older or misconfigured systems). To propagate it drops copies of itself in several locations and sets the hidden file attribute on them so that they go unnoticed by the user.

Researchers explain that this ransomware appears to have been written with 64-bit Windows XP computers in mind, but it also runs and causes damage on more recent versions of Windows such as Windows 7 and 8. It drops autorun.inf on removable drives, along with a zycrypt.lnk in the Startup folder. Next, the malware creates hidden copies of itself as:

{Drive}:\system.exe and %appdata%\zcrypt.exe

ZCryptor asks for an initial ransom of 1.2 Bitcoin, and the demand rises to 5 Bitcoin after four days of non-payment. Paying, however, is not a real option when ransomware hits: it funds the operation and gives no guarantee that files come back. Keeping offline backups of data lets a user minimise the impact of an infection. Also, any portable drive that has been plugged into an infected machine must be cleaned (the hidden system.exe and the autorun.inf that launches it removed) before it is used on another machine.
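The indicators listed above (the .zcrypt extension, the dropped copies, the autorun.inf launcher and the zcrypt1.0 mutex) are enough to write a small host and removable-drive check. The script below is an added example, not code from the original write-up or from Microsoft; it walks a drive root or profile directory and reports those artifacts, and, on Windows only, tries to open the mutex. The exact contents of ZCryptor's autorun.inf are not given above, so the autorun check is an assumption: it flags any autorun.inf whose `open=` or `shellexecute=` entry names a file that really exists beside it. The sample tree it builds for a demo run is constructed here and contains no real malware.

```python
"""Hunt for the ZCryptor artifacts named in the article (added example)."""
import os
import stat
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

ENCRYPTED_EXT = ".zcrypt"                                   # from the article
DROPPED_NAMES = {"system.exe", "zcrypt.exe", "zycrypt.lnk"}  # from the article
MUTEX_NAME = "zcrypt1.0"                                     # from the article


def _is_hidden(path: Path) -> bool:
    """True if the file carries the Windows hidden attribute; always False elsewhere."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def _autorun_launches_sibling(autorun: Path) -> bool:
    """Assumption: flag an autorun.inf whose open=/shellexecute= entry points at a
    file that exists next to it, the generic pattern a self-copying worm needs."""
    try:
        text = autorun.read_text(errors="ignore")
    except OSError:
        return False
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip().lower() in ("open", "shellexecute") and value.strip():
            if (autorun.parent / value.strip().split()[0]).is_file():
                return True
    return False


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk `root` (a drive root or a user profile) and return the indicators
    found, as sorted paths relative to `root`."""
    base = Path(root)
    findings: Dict[str, List[str]] = {"encrypted": [], "dropped": [], "hidden_dropped": [], "autorun": []}
    for dirpath, _dirs, filenames in os.walk(base):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(base).as_posix()
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(rel)
            if lower in DROPPED_NAMES:
                findings["dropped"].append(rel)
                if _is_hidden(p):  # the article says the copies are made hidden
                    findings["hidden_dropped"].append(rel)
            if lower == "autorun.inf" and _autorun_launches_sibling(p):
                findings["autorun"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}


def mutex_present(name: str = MUTEX_NAME) -> Optional[bool]:
    """Windows only: True if the named mutex can be opened (a running instance
    created it), False if not; None on other platforms."""
    if sys.platform != "win32":
        return None
    import ctypes
    SYNCHRONIZE = 0x00100000
    k32 = ctypes.windll.kernel32
    k32.OpenMutexW.restype = ctypes.c_void_p
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        k32.CloseHandle(ctypes.c_void_p(handle))
        return True
    return False


def looks_infected(findings: Dict[str, List[str]], mutex: Optional[bool] = None) -> bool:
    """A live mutex, a dropped copy, an autorun launcher or a .zcrypt file is enough to act on."""
    return bool(mutex) or any(findings[k] for k in ("encrypted", "dropped", "autorun"))


def build_sample_tree(base: Optional[str] = None) -> str:
    """Constructed layout imitating an infected drive root; the files are dummies."""
    root = Path(base or tempfile.mkdtemp(prefix="zcryptor-demo-"))
    files = {
        "system.exe": b"MZ-not-really",
        "autorun.inf": "[autorun]\nopen=system.exe\n",
        "AppData/Roaming/zcrypt.exe": b"MZ-not-really",
        "Startup/zycrypt.lnk": b"L\x00\x00\x00",
        "Documents/report.docx.zcrypt": b"\x00" * 16,
        "Documents/notes.txt": "benign\n",
        "Documents/autorun.inf": "[autorun]\nicon=missing.ico\n",  # harmless, must not fire
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content) if isinstance(content, bytes) else p.write_text(content)
    return str(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    result = scan_tree(target)
    for kind, paths in result.items():
        for path in paths:
            print(f"{kind:15s} {path}")
    live = mutex_present()
    print("mutex:", live, "verdict:", "INFECTED" if looks_infected(result, live) else "clean")
```

Run it as `python zcryptor_hunt.py E:\` against a suspect USB drive before that drive goes into another machine, or with no argument to see it fire on the constructed sample. Off Windows the hidden-attribute and mutex checks degrade gracefully (never hidden, mutex `None`), so the file-based indicators alone decide the verdict there.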