Microsoft warns of new, self-propagating ransomware in the wild

A new version of ransomware, dubbed Ransom:Win32/ZCryptor.A, that is able to move itself from computer to computer is hitting Microsoft Windows users.

Microsoft's Threat Research & Response blog issued an alert to its customers on 26 May warning them of the threat, which also goes by the name ZCryptor. The nastiest aspect of this piece of malware is its ability to reproduce and then spread to other systems through removable media devices, such as flash drives, as well as network drives. This capability is not often seen, noted Trend Micro researcher Michael Jay Villanueva.

“This ransomware is one of the few ransomware families that is capable of spreading on its own. It drops a copy of itself in removable drives, making use of USBs a risky practice,” he said in a research note on the ransomware.

Trend Micro gave ZCryptor an overall risk rating of critical with a high damage potential.

The ransomware can reach a computer in several ways. Microsoft noted it can be distributed via spam emails, macro malware or through fake Flash Player installers. When it tries to spread through removable storage devices, it “drops autorun.inf in removable drives, a zycrypt.lnk in the start-up folder: %User Startup%\zcrypt.lnk along with a copy of itself as {Drive}:\system.exe and %appdata%\zcrypt.exe, and changes the file attributes to hide itself from the user in file explorer,” the Microsoft report said.
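A defender-side check for the file artifacts named in the Microsoft report above, as an added example that is not part of the original article or any Microsoft tooling. It assumes the dropped autorun.inf uses the standard `[autorun]` `open=`/`shellexecute=` keys, that drive roots to inspect are passed on the command line, and that `%User Startup%` is the usual per-user Startup folder; all function names are this example's own.

```python
import configparser
import os
import stat
import sys
from pathlib import Path

# File names quoted on this page from the Microsoft report.
DROPPED_EXE = "system.exe"                      # {Drive}:\system.exe
PROFILE_NAMES = {"zcrypt.exe", "zcrypt.lnk", "zycrypt.lnk"}
STARTUP = "Microsoft/Windows/Start Menu/Programs/Startup"  # assumed location

def is_hidden(path):  # Windows hidden attribute; False where the OS has none
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def autorun_targets(inf):
    """Lower-cased program names launched by open=/shellexecute= in autorun.inf."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(inf.read_text(errors="replace"))
    except (configparser.Error, OSError):
        return set()                            # unreadable or malformed file
    values = [cp.get(s, k, fallback="") for s in cp.sections()
              if s.lower() == "autorun" for k in ("open", "shellexecute")]
    return {v.split()[0].strip('"').lstrip(".\\/").lower() for v in values if v.strip()}

def scan_drive_root(root):
    """Return (path, reason) pairs for the removable-drive artifacts."""
    files = {p.name.lower(): p for p in Path(root).iterdir() if p.is_file()}
    hits = []
    exe, inf = files.get(DROPPED_EXE), files.get("autorun.inf")
    if exe:
        hits.append((exe, ("hidden " if is_hidden(exe) else "") + f"{DROPPED_EXE} at drive root"))
    if inf and DROPPED_EXE in autorun_targets(inf):   # a benign autorun.inf is not flagged
        hits.append((inf, f"autorun.inf launches {DROPPED_EXE}"))
    return hits

def scan_profile(*dirs):
    """Return (path, reason) pairs for zcrypt files in %appdata% and Startup."""
    return [(p, "file name from the report") for d in dirs if Path(d).is_dir()
            for p in Path(d).iterdir() if p.name.lower() in PROFILE_NAMES]

if __name__ == "__main__":                      # usage: python check.py E:\ F:\
    appdata = os.environ.get("APPDATA")
    hits = scan_profile(appdata, Path(appdata, STARTUP)) if appdata else []
    for root in sys.argv[1:]:
        hits += scan_drive_root(root)
    print("\n".join(f"{p}: {why}" for p, why in hits) or "no artifacts found")
```

A match on file name alone is only an indicator; confirm any hit with an up-to-date antimalware scan before treating the drive as infected.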

Once the ransomware is embedded and the files are encrypted, a ransom note appears demanding 1.2 bitcoins, around $500 (£342), for the decryption key. It gives the victim four days to comply and then boosts the payment to five bitcoins.