We have already covered the world of ransomware extensively: a nasty class of malware that takes a user's computer hostage by encrypting its files. To regain access, the victim is ordered by the malware's creators to pay a ransom, usually around one bitcoin, though the amount varies.
Victims usually fall for ransomware through spam emails carrying an innocent-looking attachment which, in reality, delivers the malware. However, there now seems to be a new way of getting infected. Microsoft, through its Malware Protection Center, is warning users about a new type of ransomware that can replicate itself and move from one computer to another via flash drives and network drives.
Dubbed "Ransom:Win32/ZCryptor.A," or simply "ZCryptor," the malware is distributed through the usual spam email infection vector. Once executed, it makes sure it runs again whenever the system boots. To reproduce itself, it drops an autorun.inf on removable drives and a "zycrypt.lnk" shortcut in the Startup folder, along with copies of itself as {Drive}:\system.exe and %APPDATA%\zcrypt.exe. Lastly, it changes the attributes of these files so they are hidden from the user in File Explorer. Worth noting: supported versions of Windows no longer honor autorun.inf on removable drives by default, so the copy on a flash drive still depends on someone launching it by hand.
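The drop locations above double as indicators of compromise. The following script is an added example, not Microsoft's code or anything from the write-up: it checks drive roots, the Startup folder and %APPDATA% for the named files, reads any autorun.inf it finds to see whether it launches system.exe, and notes whether the drive-root copy carries the hidden attribute. The `open=system.exe` line in the constructed sample autorun.inf is an assumption (the write-up does not show the file's contents), the per-user Startup path used in the live run is the standard Windows one, and the sample tree is built from harmless placeholder text files so the code runs offline on any OS.

```python
"""Hunt for the ZCryptor drop artifacts listed in the write-up above.

Added example, not Microsoft's code. Roots are passed in so the same logic
runs against a constructed directory tree on any OS.
"""
import os
import stat
import string
import tempfile
from dataclasses import dataclass

# Artifact names taken from the write-up above.
AUTORUN = "autorun.inf"
DRIVE_COPY = "system.exe"
STARTUP_LINK = "zycrypt.lnk"
APPDATA_COPY = "zcrypt.exe"


@dataclass
class Finding:
    path: str
    reason: str


def autorun_targets(autorun_path):
    """Return the executables an autorun.inf would launch.

    autorun.inf is INI-style; open= and shellexecute= in the [autorun] section
    name what Windows runs. Parsed by hand because malware-written files are
    often not well-formed enough for configparser.
    """
    targets = []
    in_autorun = False
    try:
        with open(autorun_path, "r", errors="replace") as fh:
            for raw in fh:
                line = raw.strip()
                if line.startswith("[") and line.endswith("]"):
                    in_autorun = line[1:-1].strip().lower() == "autorun"
                    continue
                if not in_autorun or "=" not in line:
                    continue
                key, _, value = line.partition("=")
                if key.strip().lower() in ("open", "shellexecute"):
                    targets.append(value.strip().strip('"'))
    except OSError:
        pass
    return targets


def is_hidden(path):
    """Windows hidden attribute where available; dot-prefix elsewhere."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    attrs = getattr(st, "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return os.path.basename(path).startswith(".")


def scan(drive_roots, startup_dir, appdata_dir):
    """Check each location the write-up names and return a list of Findings."""
    findings = []
    for root in drive_roots:
        autorun = os.path.join(root, AUTORUN)
        if os.path.isfile(autorun):
            # Normalise backslashes so basename() works on Windows paths under POSIX too.
            launched = [os.path.basename(t.replace("\\", "/")).lower()
                        for t in autorun_targets(autorun)]
            if DRIVE_COPY in launched:
                findings.append(Finding(autorun, "autorun.inf launches " + DRIVE_COPY))
        copy = os.path.join(root, DRIVE_COPY)
        if os.path.isfile(copy):
            suffix = " (hidden)" if is_hidden(copy) else ""
            findings.append(Finding(copy, "drive-root copy" + suffix))
    link = os.path.join(startup_dir, STARTUP_LINK)
    if os.path.exists(link):
        findings.append(Finding(link, "startup-folder shortcut"))
    exe = os.path.join(appdata_dir, APPDATA_COPY)
    if os.path.isfile(exe):
        findings.append(Finding(exe, "APPDATA copy"))
    return findings


def build_sample_tree(base):
    """Write a CONSTRUCTED artifact set (placeholder text, not executables)
    mirroring the layout in the write-up. Returns (drive, startup, appdata)."""
    drive, startup, appdata = (os.path.join(base, d) for d in ("E", "Startup", "AppData"))
    for d in (drive, startup, appdata):
        os.makedirs(d, exist_ok=True)
    with open(os.path.join(drive, AUTORUN), "w") as fh:
        fh.write("[autorun]\nopen=system.exe\naction=Open folder\n")  # assumed contents
    for p in (os.path.join(drive, DRIVE_COPY), os.path.join(startup, STARTUP_LINK),
              os.path.join(appdata, APPDATA_COPY)):
        with open(p, "w") as fh:
            fh.write("placeholder, not an executable\n")
    return drive, startup, appdata


def demo():
    """Scan the constructed tree and return just the reasons, in scan order."""
    with tempfile.TemporaryDirectory() as base:
        drive, startup, appdata = build_sample_tree(base)
        return [f.reason for f in scan([drive], startup, appdata)]


if __name__ == "__main__":
    print("constructed sample:", demo())
    # Live run (Windows): every mounted drive letter, the standard per-user
    # Startup folder and %APPDATA%; yields nothing on other platforms.
    appdata = os.environ.get("APPDATA", "")
    startup = os.path.join(appdata, "Microsoft", "Windows", "Start Menu", "Programs", "Startup")
    drives = [d + ":\\" for d in string.ascii_uppercase if os.path.isdir(d + ":\\")]
    for f in scan(drives, startup, appdata):
        print(f.path, "-", f.reason)
```

File names alone are a weak signal (system.exe is a plausible name for benign software), so the autorun.inf cross-check and the hidden attribute are there to raise confidence before anyone starts pulling drives.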
It then encrypts files with extensions such as .jpeg, .mp4, .docx, .xlsx, .pptx, .txt, .wmv, and .zip, among many others.
Once encryption is done, an HTML file stating "All your personal files are encrypted" is displayed. It demands 1.2 bitcoins, equal to around $500 at the time of writing, and gives the victim four days to comply. If payment is not made by then, the demand rises to five bitcoins.
For infected users, Microsoft advises restoring from a backup, if one is available. However, the company itself seems doubtful about this, as it took the time to explain that some ransomware deletes backups, taking away the possibility of recovering files. Since ZCryptor copies itself to removable and network drives, a backup drive that stays connected to the infected machine is within its reach; a backup kept offline is not.
It is not yet known if there is a way to decrypt the files without paying any ransom.
Source and Image via Microsoft Threat Research & Response Blog