{"id":12268,"date":"2016-06-02T12:16:49","date_gmt":"2016-06-02T16:16:49","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=12268"},"modified":"2017-09-24T07:37:16","modified_gmt":"2017-09-24T11:37:16","slug":"zcryptor-ransomware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/zcryptor-ransomware\/12268\/","title":{"rendered":"ZCryptor: The conqueror worm"},"content":{"rendered":"<p>Analysts and researchers agree that 2016 is the year when ransomware went really big. Cybercrooks didn\u2019t need much time to see the potential value of cryptolockers, and they readily added ransomware to their arsenals. To give you an idea of the profitability, Cisco researchers <a href=\"http:\/\/blog.talosintel.com\/2015\/10\/threat-spotlight-cisco-talos-thwarts.html\" target=\"_blank\" rel=\"noopener nofollow\">reported in 2015<\/a> that a single Angler <a href=\"https:\/\/www.kaspersky.com\/blog\/exploits-problem-explanation\/\" target=\"_blank\" rel=\"noopener nofollow\">exploit kit<\/a> brings cybercriminals profits of up to $60 million annually, or on average $5 million every month!<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/06\/06022121\/zcryptor-FB.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-12270\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/06\/06022121\/zcryptor-FB.jpg\" alt=\"ZCryptor: Ransomware that spreads itself as a worm\" width=\"1280\" height=\"1280\"><\/a><\/p>\n<p>The usual suspects of the modern ransomware market \u2014 <a href=\"https:\/\/www.kaspersky.com\/blog\/petya-ransomware\/11715\/\" target=\"_blank\" rel=\"noopener nofollow\">Petya<\/a> and <a href=\"https:\/\/www.kaspersky.com\/blog\/mischa-ransomware\/\" target=\"_blank\" rel=\"noopener nofollow\">his friend Mischa<\/a>, as well as their distant relative, Locky \u2014 currently prey on users in more than 100 countries. Hackers recently started focusing more attention on enterprises and organizations in possession of valuable data: Lately, a number of US hospitals became victims of <a href=\"https:\/\/www.kaspersky.com\/blog\/locky-ransomware\/\" target=\"_blank\" rel=\"noopener nofollow\">ransomware attacks<\/a>.<\/p>\n<h3>The rise of cryptoworms<\/h3>\n<p>In their attempts to get as much money as possible, as soon as possible, cybercriminals seek ways to expand their attacks so they can further propagate their lockers. Malicious spam campaigns still work, but they are not as efficient as before; with cyberthreats getting coverage in the media, users are becoming more savvy and getting to know the most frequently used tricks.<\/p>\n<p>In another important development, Web browsers and antiviruses have learned to detect and block malicious URLs or malware-laced spam. In response, hackers have gradually phased out their usual \u201ccarpet bombing\u201d approach to malware distribution. Increasingly, they are turning to methods used long ago in the most widespread and efficient campaigns: good ol\u2019 <a href=\"https:\/\/www.kaspersky.com\/blog\/a-malware-classification\/3037\/\" target=\"_blank\" rel=\"noopener nofollow\">worms<\/a>.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Meet the <a href=\"https:\/\/twitter.com\/hashtag\/cryptoworm?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#cryptoworm<\/a>\u2026 the future of <a href=\"https:\/\/twitter.com\/hashtag\/ransomware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#ransomware<\/a> via <a href=\"https:\/\/twitter.com\/zpring?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@zpring<\/a> <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"https:\/\/t.co\/zndtXFulGB\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/zndtXFulGB<\/a> <a href=\"https:\/\/t.co\/BYRjQG8X7j\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/BYRjQG8X7j<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/719845187548246016?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">April 12, 2016<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Researchers predict that the next stage of ransomware development will bring <a href=\"https:\/\/www.grahamcluley.com\/2016\/04\/cryptoworms-future-ransomware\/\" target=\"_blank\" rel=\"noopener nofollow\">cryptoworms<\/a> \u2014 a poisonous hybrid of self-propagating malware and ransomware. This new type of malware takes the best of both worlds to form a new species of ransomware that can copy and distribute itself by means of infected computers, efficiently encrypting files and demanding ransom.<\/p>\n<p>The first such malware was <a href=\"https:\/\/threatpost.com\/meet-the-cryptoworm-the-future-of-ransomware\/\" target=\"_blank\" rel=\"noopener nofollow\">SamSam<\/a>, which sneaked onto a number of enterprise networks and infected computers on the networks as well as cloud storage containing backup copies.<\/p>\n<h3>ZCryptor<\/h3>\n<p>This week, Microsoft <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/05\/26\/link-lnk-to-ransom\/\" target=\"_blank\" rel=\"noopener nofollow\">detected<\/a> a new sample of a cryptoworm, dubbed ZCryptor. It\u2019s unique in that it both encrypts files and self-propagates to other computers and network devices without using malicious spam or an exploit kit. The malware copies itself onto connected computers and portable devices.<\/p>\n<p>To infect the first victim, ZCryptor uses common techniques, masquerading as an installer of a popular program (e.g., Adobe Flash) or infiltrating the system through malicious macros in a Microsoft Office file.<\/p>\n<p>https:\/\/twitter.com\/campuscodi\/status\/736148705120751616<\/p>\n<p>Once inside the system, the cryptoworm infects external drives and flash drives so it can be distributed to other computers, and then starts to encrypt files. ZCryptor can encrypt more than 80 file formats (some sources say 120 formats) by adding a .zcrypt extension to the name of the file.<\/p>\n<p>After that, the story revolves around a well-known scenario: Users see an HTML page informing them that their files are encrypted and available for a ransom \u2014 in this case, 1.2 bitcoins (about $650). If the users don\u2019t pay that sum in four days, the ransom increases to 5 bitcoins (more than $2,500).<\/p>\n<p>Unfortunately, experts have not been able to find way to decrypt the files and let the affected users bypass the ransom option. That means the only reasonable option for now is to be extra cautious and avoid infection.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">10 tips to protect your files from ransomware <a href=\"https:\/\/t.co\/o0IpUU9CHb\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/o0IpUU9CHb<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/iteducation?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#iteducation<\/a> <a href=\"https:\/\/t.co\/I47sPIiWFF\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/I47sPIiWFF<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/671348678607642624?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 30, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<h3>Means of protection<\/h3>\n<p>If you want to be spared a ZCryptor attack, use these simple tips:<\/p>\n<ul>\n<li>Update your operating system and software regularly, closing exploitable vulnerabilities and thus preventing the cryptoworm from travelling around your network.<\/li>\n<li>Always be on alert and avoid suspicious websites; don\u2019t open attachments coming from a murky source. In general, respect the basic rules of digital hygiene.<\/li>\n<li>Disable macros in Microsoft Word \u2014 they are regaining popularity among cybercrooks as a means of dropping malware.<\/li>\n<li>Regularly back up your files and store one copy on an external drive that you then disconnect from your PC. Although backed-up files do not prevent ransomware from infecting your system they are solid protection: If you have your valuable data at hand, there\u2019s no reason to pay ransom.<\/li>\n<li>Of course, use reliable protection software. <a href=\"https:\/\/store.kaspersky.com\/store\/kaspersk\/en_IE\/buy\/productID.320853100\/quantity.1\/Currency.USD?cid=gl_socmed_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___&amp;affiliate=gl_socmed_pro_ona_smm__onl_b2c_kasperskydaily_lnk____kismd___&amp;_ga=1.128539086.399724093.1464883668\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Internet Security<\/a> detects ZCryptor as Trojan-Ransom.MSIL.Geograph and protects users from this threat.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Zcryptor is a hybrid, part ransomware and part worm. It encrypts files and copies itself onto external media.<\/p>\n","protected":false},"author":40,"featured_media":12271,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2683,9],"tags":[1680,36,420,1651,723,1650,1649],"class_list":{"0":"post-12268","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"category-tips","10":"tag-cryptors","11":"tag-malware-2","12":"tag-ransomware","13":"tag-self-propagating","14":"tag-trojans","15":"tag-worm","16":"tag-zcryptor"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/zcryptor-ransomware\/12268\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/zcryptor-ransomware\/7240\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/zcryptor-ransomware\/7202\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/zcryptor-ransomware\/8425\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/zcryptor-ransomware\/8308\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/zcryptor-ransomware\/12114\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/zcryptor-ransomware\/5723\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/zcryptor-ransomware\/6329\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/zcryptor-ransomware\/7889\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/zcryptor-ransomware\/11646\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/zcryptor-ransomware\/12114\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/zcryptor-ransomware\/12268\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/zcryptor-ransomware\/12268\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cryptors\/","name":"cryptors"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12268","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=12268"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12268\/revisions"}],"predecessor-version":[{"id":18816,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/12268\/revisions\/18816"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/12271"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=12268"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=12268"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=12268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}