Self-propagating ransomware spreading in the wild

Be careful, Microsoft is alerting all Windows users of a new type of a Self-propagating ransomware that exhibits worm-like behavior to propagate itself.

Microsoft is alerting all Windows users of a new type of ransomware that exhibits worm-like behavior.

“We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransom leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as Ransom:Win32/ZCryptor.A.”  states Microsoft,

The Infection vector

Ransom:Win32/ZCryptor.A is spread through the spam email infection vector. It runs at start-up as soon as ZCryptor is executed.


zcrypt = {path of the executed malware}

In the start-up folder it drops zycrypt.lnk and autorun.inf in removable drives:

%User Startup%\zcrypt.lnk

It also changes the file attributes to be in Stealth mode from the user, also it makes a copy of itself as {Drive}:\system.exe and %APPDATA%\zcrypt.exe

For Example:  c:\users\administrator\appdata\roaming\zcrypt.exe

The Payload

It then displays the ransom note to users in an HTML file How to decrypt files.html

Later it encrypts files in your disk and then will change the file extension to .zcrypt (Eg. <originalfilename.zcrypt>)

Infected machines are observed to have zcrypt1.0 mutex which denotes that an instance of this ransomware is already running on the infected machine.

The connection has also been observed to the following URL. But the domain is already down while testing

http://<obfuscated>/rsa/rsa.php?computerid={Computer_ID} where the {Computer_ID} is entry found inside a dropped file %APPDATA%\cid.ztxt

For example, c:\users\administrator\appdata\roaming\cid.ztxt

The warning issued by Microsoft also include information about Detection, Prevention, and Recovery from such kind of self-propagating ransomware

Written by: Imdadullah Mohammed

Author Bio: Imdad is an Information Security Consultant, He is also a Moderator for Pune Chapter of Null – The open security community in India and Also member of Garage4hackers. A true open source and Information Security enthusiast. His core area of expertise includes Vulnerability Assessment and Penetration Testing of the Web application, Mobile application and Networks, as well as Server Hardening.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

Thank you


[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – self-propagating ransomware, malware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Threat actor attempts to sell 30 million customer records allegedly stolen from TEG

A threat actor is offering for sale customer data allegedly stolen from the Australia-based live…

3 hours ago

Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles…

16 hours ago

Threat actors are actively exploiting SolarWinds Serv-U bug CVE-2024-28995

Threat actors are actively exploiting a recently discovered vulnerability in SolarWinds Serv-U software using publicly…

17 hours ago

US government sanctions twelve Kaspersky Lab executives

The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned twelve Kaspersky Lab executives for their…

1 day ago

Experts found a bug in the Linux version of RansomHub ransomware

The RansomHub ransomware operators added a Linux encryptor to their arsenal, the version targets VMware…

2 days ago

UEFICANHAZBUFFEROVERFLOW flaw in Phoenix SecureCore UEFI firmware potentially impacts hundreds of PC and server models

A serious vulnerability (CVE-2024-0762) in the Phoenix SecureCore UEFI firmware potentially impacts hundreds of PC…

3 days ago

This website uses cookies.