ZCryptor ransomware spreads via removable drives

The newly spotted ZCryptor ransomware has also the ability to spread like a worm, Microsoft warns.

Once it infects a system, it also copies itself on removable drives, in the hopes that the same drives will end up plugged into another system and spread the infection.

Other than that, ZCryptor does not differ much from other ransomware.

It encrypts all files that sport one of 88 extensions (Office and archive files, image, audio, movie files, log files, database files, APK files, Java source code files, etc.), changes their extensions to .zcrypt, and pops up the ransom note (a HTML file that’s opened in the default browser):

Microsoft says that the ransomware usually arrives via email: via downloaders posing as fake installers or via macro malware.

It assures its own persistence on the infected system by dropping copies of itself, and sets registry entries in order to execute at every system startup.

“Infected machines are noticed to have zcrypt1.0 mutex. The mutex denotes that an instance of this ransomware is already running in the infected machine,” the researchers noted.

The ransomware tries to contact a specific URL from which it receives information and likely the key to encrypt the files, but the website is currently down.

As always, users are advised to protect themselves against this and other ransomware by regularly backing up their important files and keeping the backups separate from their main system.

Needless to say, if you get hit with this ransomware, remember that any USB stick or other removable drive plugged into the system is also infected, and should also be cleaned before being used again.

Trend Micro has additional information about the malware.