Internet Security

Get to Know More about ZCryptor: A ransomware that behaves like a worm

Ransomware takes its name from the fact that it holds your computer hostage: you cannot use it until you do what the attacker demands, which is usually to pay money or, in some variants, to complete a survey. Behavior varies, but ransomware typically locks you out of your computer or of a particular program on it, or encrypts your files so that you can no longer open them, and promises to restore access only once the ransom is paid. There is no guarantee that paying actually gets your access back. As you can probably guess, ransomware can easily go from being a pain in the neck to a full-blown catastrophe.

Ransomware is one of the most lucrative tools cybercriminals have today. Malicious e-mails used to do the job on their own, but they are less effective than they were: people are warier about clicking links from sources they do not trust, and browsers and mail filters now flag many malicious URLs and spam messages. The old ways no longer bring in the fat paychecks, so what is a wily and resourceful attacker to do? Find another way to distribute malware, of course. This is where cryptoworms come in: malicious code that spreads itself from one computer to the next, carrying ransomware to each unsuspecting user it reaches.

Over the past few months several ransomware families have appeared, and one of the latest is ZCryptor, which Microsoft detects as Ransom:Win32/ZCryptor.A.

Microsoft reports that this ransomware spreads via spam e-mails, macro malware and fake installers. Simply put, you get infected when you run a fake installer for a popular program (such as Adobe Flash Player) or enable a malicious macro in an Office document. Once it is on a machine, ZCryptor copies itself to flash drives, external drives and other removable media, and those infected drives can then carry it to other computers, where it encrypts files all over again.

ZCryptor was widely reported as the first ransomware that also behaves like a worm, propagating itself to infect further computers.

When you run ZCryptor, it adds itself to the programs that start with Windows. Microsoft's write-up places the entry under the current user's Run key, HKCU\Software\Microsoft\Windows\CurrentVersion\Run, as a value named zcrypt, so you should see this in your registry:

zcrypt = (path of the malware)

It also drops three files in your AppData folder: cid.ztxt, private.key and public.key. When it infects a removable drive, it writes an autorun.inf file next to a copy of itself, so that the copy is launched on any computer that still honours AutoRun for removable media. Windows 7 and later ignore autorun.inf on USB drives by default, so on those systems the dropped copy still needs a user to run it.

ZCryptor encrypts a wide range of files on your system. Microsoft reports that it targets more than 80 file types, including databases, photos and documents. It then changes each file's extension to .zcrypt, so that, for instance, vacation.jpg becomes vacation.zcrypt.

Once your files are encrypted, a ransom note is displayed on your computer. The note explains that your data and files have been encrypted and that a unique key was generated to decrypt them. It then demands payment in Bitcoin: specifically, 1.2 Bitcoin within four days. It warns that if you do not pay within four days the ransom rises to five Bitcoin, and that if you still have not paid after seven days your unique key will be destroyed, which means you will never be able to access your files again. The note further warns against removing the program yourself, claiming that doing so will destroy the decryption key.
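The indicators described above (the zcrypt Run-key value, the three dropped files in AppData, autorun.inf plus a copy of the malware on removable drives, and the .zcrypt extension) can be checked on a suspect host with a short triage script. The following is an added example written for this page, not Microsoft's or any vendor's code. The indicator names come from the article; the function name, the CIM-based drive enumeration, the autorun.inf parsing regex and the choice of the user profile as the scan root are this example's own assumptions. It needs PowerShell 3.0 or later, only reads from the system, and removes nothing.

```powershell
# Added example (not from Microsoft or the original article): read-only
# triage for the ZCryptor indicators listed in the text.

function Get-ZCryptorIndicators {
    [CmdletBinding()]
    param(
        # Root under which to look for encrypted files. The user profile is an
        # assumption for this example: ransomware goes for user documents first.
        [string]$ScanRoot = $env:USERPROFILE
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Persistence: a value named "zcrypt" under the current user's Run key.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['zcrypt']) {
        $findings.Add("Run key: zcrypt = $($run.zcrypt)")
    }

    # 2. Files the malware drops in %APPDATA%.
    foreach ($name in 'cid.ztxt', 'private.key', 'public.key') {
        $path = Join-Path $env:APPDATA $name
        if (Test-Path -LiteralPath $path) { $findings.Add("AppData artifact: $path") }
    }

    # 3. Removable drives (Win32_LogicalDisk DriveType 2) carrying an
    #    autorun.inf that points at an executable on the drive.
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue
    foreach ($drive in $removable) {
        $autorun = Join-Path $drive.DeviceID 'autorun.inf'
        if (-not (Test-Path -LiteralPath $autorun)) { continue }
        $findings.Add("autorun.inf present on $($drive.DeviceID)")
        foreach ($line in Get-Content -LiteralPath $autorun -ErrorAction SilentlyContinue) {
            # open=, shellexecute= and shell\<verb>\command= are the keys that
            # name something to launch.
            if ($line -match '^\s*(open|shellexecute|shell\\\w+\\command)\s*=\s*(.+?)\s*$') {
                $target = Join-Path $drive.DeviceID ($Matches[2].Trim('"'))
                $state = if (Test-Path -LiteralPath $target) { 'present' } else { 'missing' }
                $findings.Add("autorun.inf on $($drive.DeviceID) launches $target ($state)")
            }
        }
    }

    # 4. Encrypted files: ZCryptor renames its victims to *.zcrypt.
    $encrypted = @(Get-ChildItem -Path $ScanRoot -Filter '*.zcrypt' -Recurse -File -ErrorAction SilentlyContinue)
    if ($encrypted.Count -gt 0) {
        $findings.Add("$($encrypted.Count) .zcrypt file(s) under $ScanRoot, first: $($encrypted[0].FullName)")
    }

    [PSCustomObject]@{
        Host              = $env:COMPUTERNAME
        IndicatorsFound   = ($findings.Count -gt 0)
        Findings          = $findings
    }
}

Get-ZCryptorIndicators | Format-List
```

Run it in an elevated PowerShell on the machine you suspect. A result with IndicatorsFound set to true is a reason to isolate the host and every removable drive that has been plugged into it, then let an up-to-date scanner do the clean-up; the script is a quick check, not a replacement for one.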

Expect to see more of ZCryptor and other ransomware in the coming months. After all, cybercriminals have been known to make around $5 million from a single ransomware campaign, and Cisco reported that in 2015 the operators of the Angler Exploit Kit were targeting up to 90,000 victims a day and potentially earning $60 million a year.

Ransomware attacks are not uncommon either. In March, the Locky ransomware encrypted files at two US hospitals, and the attackers released them only after collecting $17,000 from their victims.

Keeping safe

ZCryptor has been seen running on Windows XP 64-bit, Windows 7 and Windows 8. It does not rely on an unpatched vulnerability; it runs wherever a user launches it, so any of these systems is exposed.

If you do not like the thought of losing all your files, or of giving in to extortion, you will want to avoid getting infected in the first place. Kaspersky has published several steps you can take to protect yourself from a ZCryptor attack, including:

  • Update Windows and your other software regularly so that known vulnerabilities are patched; this removes the exploits that malware relies on to spread across a network.
  • Avoid suspicious Web sites, which may have been compromised.
  • Do not open attachments from senders you do not know or trust.
  • Disable macros in Microsoft Office, particularly in Word, or allow only digitally signed ones.
  • Back up all your files to an external drive that is not permanently connected to your computer (remember that ZCryptor infects attached drives), and keep an additional copy in cloud storage. If you do get infected, you will not lose your files even though you do not pay the ransom.
  • Use up-to-date security software that detects ZCryptor.
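Two of the steps above, disabling Office macros and not honouring autorun.inf on removable media, can be enforced through the same registry policy values that Group Policy writes. The script below is an added example written for this page, not Microsoft's or Kaspersky's code. The function names, the list of Office versions and applications, and the choice of VBAWarnings level are this example's own assumptions; the registry paths and value names are the documented Office and Windows Explorer policy settings. Run it from an elevated PowerShell (3.0 or later), since the Explorer policy lives under HKLM.

```powershell
# Added example (not from the original article): apply and verify two of the
# listed mitigations through registry policy values.

function Set-OfficeMacroPolicy {
    [CmdletBinding()]
    param(
        # Office release numbers (assumed set): 14.0 = 2010, 15.0 = 2013, 16.0 = 2016 and later.
        [string[]]$Versions = @('14.0', '15.0', '16.0'),
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),
        # VBAWarnings: 4 = disable all macros without notification,
        #              3 = disable all macros except digitally signed ones.
        [ValidateSet(3, 4)][int]$VBAWarnings = 4
    )
    foreach ($v in $Versions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            New-Item -Path $key -Force | Out-Null
            New-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VBAWarnings -PropertyType DWord -Force | Out-Null
            # Office 2016 and later: block macros in files that carry the
            # Mark-of-the-Web (downloads and e-mail attachments) regardless of
            # VBAWarnings. Older versions simply ignore the value.
            New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Disable-AutoRun {
    # NoDriveTypeAutoRun = 0xFF switches AutoRun off for every drive type, so an
    # autorun.inf dropped on a USB stick is never acted on.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -PropertyType DWord -Force | Out-Null
}

function Test-RansomwareHardening {
    # Read the values back so the change can be audited (Word 2016 shown).
    $explorer = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    $word = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security' -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        AutoRunDisabled      = ($explorer.NoDriveTypeAutoRun -eq 0xFF)
        WordMacrosBlocked    = ($word.VBAWarnings -in @(3, 4))
        InternetMacrosBlocked = ($word.blockcontentexecutionfrominternet -eq 1)
    }
}

Set-OfficeMacroPolicy
Disable-AutoRun
Test-RansomwareHardening
```

The HKCU values apply only to the user running the script; for a fleet, push the same values through Group Policy (the Office administrative templates and the Explorer "Turn off Autoplay" policy) so users cannot undo them from the Trust Center.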

Microsoft also reports that Windows Defender detects and removes ZCryptor. Use Windows Defender on Windows 8.1 and 10; on Windows Vista or Windows 7, use Microsoft Security Essentials. You should also run a full scan with the Microsoft Safety Scanner.

Learn more about how you can protect your business from threats like ZCryptor. Four Cornerstone has IT experts who can train your employees on the finer points of security and help you build the IT infrastructure your enterprise needs to mitigate the risk from ransomware and other malware. Contact Four Cornerstone now!

Photo courtesy of Christiaan Colen.
