Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Self-propagating ransomware spreading in the wild

Be careful, Microsoft is alerting all Windows users of a new type of a Self-propagating ransomware that exhibits worm-like behavior to propagate itself. Microsoft is alerting all Windows users of a new type of ransomware that exhibits worm-like behavior. “We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This […]

Self-propagating ransomware spreading in the wild

Be careful, Microsoft is alerting all Windows users of a new type of a Self-propagating ransomware that exhibits worm-like behavior to propagate itself.

Microsoft is alerting all Windows users of a new type of ransomware that exhibits worm-like behavior.

“We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransom leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as Ransom:Win32/ZCryptor.A.”  states Microsoft,

The Infection vector

Ransom:Win32/ZCryptor.A is spread through the spam email infection vector. It runs at start-up as soon as ZCryptor is executed.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

zcrypt = {path of the executed malware}

In the start-up folder it drops zycrypt.lnk and autorun.inf in removable drives:

%User Startup%\zcrypt.lnk

It also changes the file attributes to be in Stealth mode from the user, also it makes a copy of itself as {Drive}:\system.exe and %APPDATA%\zcrypt.exe

For Example:  c:\users\administrator\appdata\roaming\zcrypt.exe

The Payload

It then displays the ransom note to users in an HTML file How to decrypt files.html

self-propagating ransomware

Later it encrypts files in your disk and then will change the file extension to .zcrypt (Eg. <originalfilename.zcrypt>)

Infected machines are observed to have zcrypt1.0 mutex which denotes that an instance of this ransomware is already running on the infected machine.

The connection has also been observed to the following URL. But the domain is already down while testing

http://<obfuscated>/rsa/rsa.php?computerid={Computer_ID} where the {Computer_ID} is entry found inside a dropped file %APPDATA%\cid.ztxt

For example, c:\users\administrator\appdata\roaming\cid.ztxt

The warning issued by Microsoft also include information about Detection, Prevention, and Recovery from such kind of self-propagating ransomware

Imdadullah MohammedWritten by: Imdadullah Mohammed

Author Bio: Imdad is an Information Security Consultant, He is also a Moderator for Pune Chapter of Null – The open security community in India and Also member of Garage4hackers. A true open source and Information Security enthusiast. His core area of expertise includes Vulnerability Assessment and Penetration Testing of the Web application, Mobile application and Networks, as well as Server Hardening.

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – self-propagating ransomware, malware)