Get to Know More about ZCryptor: A ransomware that behaves like a worm

Share in:
Share in:

Microsoft also reports that Windows Defender is able to detect and get rid of ZCryptor.

Ransomware takes its name from the fact that it holds your computer hostage and you would not be able to use it until you do what it asks you to do. Usually, ransomware bars you from using your computer until you pay money or complete a survey. Ransomware behavior varies, but usually it prevents you from accessing your computer or a certain software program on it. It can also encrypt your files so that you would not be able to access them. It is only until you pay the ransom that you will be able to access your computer and your files again. There is, however, no guarantee that you will get access back if you pay the ransom. As you can probably guess, ransomware can easily go from just being a pain in the neck to a full-blown cancer.

Ransomware is one of the most lucrative exploits by cybercriminals these days. It used to be malicious e-mails, but they are no longer as effective today because people are now getting wary about clicking links on e-mails that come from sources they do not trust. Moreover, Web browsers can now detect malicious URLs and spam. So, naturally, hackers are no longer getting fat paychecks from their old ways. And what’s a wily and resourceful hacker to do? Find another way to distribute malware, of course. And this is where ransomware and cryptoworms come in. Cryptoworms are malicious pieces of code that can distribute itself, infecting computers of unsuspecting users and spreading ransomware.

Over the past few months, several ransomware have appeared and one of the latest is ZCryptor ransomware, or Ransom:Win32/ZCyptor.A.

Microsoft reported that this ransomware is spread via spam e-mails, macro malware and fake installers. Simply put, it infects you when you run a fake installer of a popular program (such as Adobe Flash), or by using a macro in an Office document. Once contracted, ZCryptor would then infect your flash drives, external drives and other removable media. The infected removable drives can in turn infect other computers where the ransomware can also encrypt files.

This is the first reported case of a ransomware that also exhibits the behavior of a worm that can propagate itself and infect more computers.

When you run ZCryptor, it will add itself to your start up processes and you should see this in your registry:


zcrypt = (path of the malware)

It will also add three files in your appdata folder: cid.ztxt, private.key and public.key. When it infects removable drives, it will also create an autorun.inf file as well as a copy of the ransomware.

ZCryptor will encrypt several files on your system. Microsoft reports that it could affect more than 80 file types, including databases, photos, and documents. It will then change the file extension to .zcrypt, so that for instance, vacation.jpg will now be vacation.zcrypt.

Once your files are encrypted, you will see the ransom note displayed on your computer. The ransom note will explain that your data and files have been encrypted and that there is a unique key generated to decrypt these files. It will then ask you to pay in Bitcoin, or more specifically, you must pay 1.2 Bitcoin within four days. The ransom note will also warn you that if you do not pay in four days, the ransom will increase to five Bitcoins and if you are still not able to pay within seven days, your unique key will be destroyed. And that means you will never be able to access your files again. The note further warns you against removing the program by yourself as this will mean that the decryption key will be destroyed.

Expect to see more of ZCryptor and other ransomware coming out in the next few months. After all, cybercriminals have been known to earn around $5 million just by sending out one ransomware. Cisco reported that in 2015, cybercriminals using the Angler Exploit Kit were able to target 90,000 victims daily and potentially earned $60 million in a year.

Ransomware attacks are not that uncommon, too. In March, Tricky Locky encrypted the files in two US hospitals and only unlocked it after the creators got $17,000 from their victims.

Keeping safe

If you are using Windows XP 64-bit computers, as well as Windows 7 and 8, then you are vulnerable to this threat.

If you do not like the thought of losing all your files, or giving into extortion, then you might want to keep yourself safe from getting infected. Kaspersky has come up with several steps that you can take to protect yourself from a ZCryptor attack, including:

  • Updating your Windows and other software regularly, so that exploits and vulnerabilities are plugged. This will ensure that ZCryptor will not be able to spread around the network.
  • Avoid suspicious Web sites that may have been compromised.
  • Do not open attachments if you do not know or trust the source.
  • Disable macros in Microsoft Office, particularly in MS Word.
  • Backup all your files and store these backups in an external drive that is not always connected to your computer. Additionally, you can use cloud storage to have a copy of your files. In case you do get infected with ZCryptor, you will not run the risk of losing your files even if you do not pay the ransom.
  • Use the latest protection software that can detect ZCryptor.

Microsoft also reports that Windows Defender is able to detect and get rid of ZCryptor. Use Windows Defender for Window 8.1 and 10. If you are using Windows Vista or Windows 7, you can use Microsoft Security Essentials. You should also run a full Microsoft Safety Scanner scan.

Learn more about how you could protect your business from vulnerabilities like ZCryptor.   Four Cornerstone has IT experts that can help train your employees on the finer aspects of security, as well as help you have the IT infrastructure that can assist your enterprise mitigate risks from ransomware and other malware. Contact Four Cornerstone now!

Photo courtesy of Christiaan Colen.

Scroll to Top