Microsoft is alerting all Windows users of a new type of ransomware that exhibits worm-like behavior.
“We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransom leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as Ransom:Win32/ZCryptor.A.” states Microsoft,
The Infection vector
Ransom:Win32/ZCryptor.A is spread through the spam email infection vector. It runs at start-up as soon as ZCryptor is executed.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
zcrypt = {path of the executed malware}
In the start-up folder it drops zycrypt.lnk and autorun.inf in removable drives:
%User Startup%\zcrypt.lnk
It also changes the file attributes to be in Stealth mode from the user, also it makes a copy of itself as {Drive}:\system.exe and %APPDATA%\zcrypt.exe
For Example: c:\users\administrator\appdata\roaming\zcrypt.exe
The Payload
It then displays the ransom note to users in an HTML file How to decrypt files.html
Later it encrypts files in your disk and then will change the file extension to .zcrypt (Eg. <originalfilename.zcrypt>)
Infected machines are observed to have zcrypt1.0 mutex which denotes that an instance of this ransomware is already running on the infected machine.
The connection has also been observed to the following URL. But the domain is already down while testing
http://<obfuscated>/rsa/rsa.php?computerid={Computer_ID} where the {Computer_ID} is entry found inside a dropped file %APPDATA%\cid.ztxt
For example, c:\users\administrator\appdata\roaming\cid.ztxt
The warning issued by Microsoft also include information about Detection, Prevention, and Recovery from such kind of self-propagating ransomware
Author Bio: Imdad is an Information Security Consultant, He is also a Moderator for Pune Chapter of Null – The open security community in India and Also member of Garage4hackers. A true open source and Information Security enthusiast. His core area of expertise includes Vulnerability Assessment and Penetration Testing of the Web application, Mobile application and Networks, as well as Server Hardening.
https://www.surveymonkey.com/r/secbloggerwards2016
Thank you
Pierluigi
[adrotate banner=”9″]
(Security Affairs – self-propagating ransomware, malware)
Google addressed a Chrome's Password Manager bug that caused user credentials to disappear temporarily for…
The Internet Systems Consortium (ISC) released BIND security updates that fixed several remotely exploitable DoS…
Terrorist groups are increasingly using cyberspace and digital communication channels to plan and execute attacks.…
Progress Software addressed a critical remote code execution vulnerability, tracked as CVE-2024-6327, in the Telerik Report…
A critical flaw in some versions of Docker Engine can be exploited to bypass authorization…
The CVE-2024-21412 flaw in the Microsoft Defender SmartScreen has been exploited to deliver information stealers…
This website uses cookies.