New Ransomware with Different Approach

Friday, June 3, 2016 @ 03:06 PM gHale


A new type of ransomware is hitting the market, researchers said.

Ransom:Win32/ZCryptor.A arrives through the same infection vectors used by other malware, such as spam emails, macro malware, and fake installers, said researchers at Microsoft. Unlike other ransomware families, this malware is able to self-propagate from a compromised machine.


To do so, ZCryptor drops an autorun.inf file on removable drives, which allows it to infect the computers those drives are later plugged into. The malware also leverages network drives to propagate, drops copies of itself in several locations, and changes the file attributes of those copies to hide them from the user in File Explorer, said Microsoft researchers in a blog post.

https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/

Once executed on the infected system, the malware ensures it runs at startup by creating a registry key, then drops autorun.inf on removable drives, along with a zycrypt.lnk in the start-up folder. Next, the malware creates hidden copies of itself as {Drive}:\system.exe and %appdata%\zcrypt.exe.

The ransomware targets numerous file types, encrypts them and adds the .zcrypt extension to them, while also creating the zcrypt1.0 mutex on the infected machine, which signals that an instance of the malware is already running. The ransomware also connects to specific servers to exchange information with them, but researchers said these servers were inactive during their analysis.
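The drop locations, the start-up shortcut, the .zcrypt extension and the mutex described above are the host artifacts a responder can sweep for. The script below is an added example, not code from Microsoft or from this site: it matches a file-path inventory against those indicators and assigns a rough severity. The matching rules, the severity scale, the `scan_paths`/`triage` function names and the sample listing are all this example's own assumptions; only the file names, paths and mutex name come from the article.

```python
"""Host-artifact checks for the ZCryptor behaviours quoted in the article.

Added example for illustration, not code from Microsoft or this site. It
matches file paths against the drop locations and the .zcrypt extension the
article names; the matching rules and the severity scale are this example's own.
"""
import ntpath
from typing import Dict, Iterable, List

MUTEX_NAME = "zcrypt1.0"  # mutex name quoted in the article


def _normalise(path: str) -> str:
    # Accept forward slashes from log exporters; Windows paths are case-insensitive.
    return path.replace("/", "\\").lower()


def _at_drive_root(path: str, filename: str) -> bool:
    # True for X:\<filename> and \\server\share\<filename>, covering both
    # removable drives and mapped network shares.
    drive, rest = ntpath.splitdrive(path)
    return bool(drive) and rest == "\\" + filename


# Each matcher takes a normalised (lower-case, backslash) path.
MATCHERS = {
    "zcrypt_extension": lambda p: p.endswith(".zcrypt"),
    "autorun_on_drive_root": lambda p: _at_drive_root(p, "autorun.inf"),
    "system_exe_on_drive_root": lambda p: _at_drive_root(p, "system.exe"),
    # %appdata% resolves to <profile>\AppData\Roaming by default.
    "zcrypt_exe_in_appdata": lambda p: p.endswith("\\appdata\\roaming\\zcrypt.exe"),
    "zycrypt_lnk_in_startup": lambda p: p.endswith("\\startup\\zycrypt.lnk"),
}


def scan_paths(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Return {indicator: [original paths that matched]} for indicators with hits."""
    hits: Dict[str, List[str]] = {}
    for original in paths:
        p = _normalise(original)
        for name, matcher in MATCHERS.items():
            if matcher(p):
                hits.setdefault(name, []).append(original)
    return hits


def triage(paths: Iterable[str], mutexes: Iterable[str] = ()) -> str:
    """Rough severity (this example's own scale): encrypted files or the mutex
    mean an active infection; several drop artefacts without them suggest a
    staged copy that has not yet run on this host."""
    hits = scan_paths(paths)
    if "zcrypt_extension" in hits or MUTEX_NAME in set(mutexes):
        return "critical"
    if len(hits) >= 2:
        return "high"
    if hits:
        return "medium"
    return "none"


# Constructed sample listing, as a file-system inventory tool might export it.
SAMPLE_PATHS = [
    "C:\\Users\\alice\\Documents\\budget.xlsx.zcrypt",
    "C:\\Users\\alice\\Documents\\notes.txt",
    "E:\\autorun.inf",
    "E:\\system.exe",
    "//fileserver/projects/autorun.inf",
    "C:\\Users\\alice\\AppData\\Roaming\\zcrypt.exe",
    "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\zycrypt.lnk",
    "C:\\Windows\\notepad.exe",
]

if __name__ == "__main__":
    for indicator, matched in scan_paths(SAMPLE_PATHS).items():
        print(f"{indicator}: {matched}")
    print("severity:", triage(SAMPLE_PATHS, mutexes={"zcrypt1.0"}))
```

Feed it the file listing from an endpoint inventory or a mounted forensic image and the set of mutex names seen by a process monitor; the UNC handling matters because the article notes the malware spreads through network drives, so the share roots deserve the same autorun.inf check as removable media.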

The ZCryptor ransomware asks for an initial 1.2 Bitcoin ransom, but the payment demand increases to 5 Bitcoin after four days of non-payment.