Microsoft warns of new self-propagating ransomware – Ransom:Win32/ZCryptor.A

May 31st, 2016 by Stephen Jones

The new ransomware, which Microsoft has dubbed Ransom:Win32/ZCryptor.A, is distributed through spam emails. It can also infect a machine running Windows through a malware installer or fake installers like a Flash player setup file.
The ransomware would run at boot and drop:
• a file autorun.inf in removable drives,
• a zycrypt.lnk in the start-up folder,
• and a copy of itself as {Drive}:\system.exe and %APPDATA%\zcrypt.exe.
It will then change the file attributes to hide itself from the user in file explorer.
The Microsoft advisory said a file headlined “All your personal files are encrypted” would be displayed to the user and the ransomware would encrypt numerous files, changing their extensions to .zcrypt in the process. A total of 88 file types would be encrypted, and Microsoft said it was important to enable File History or System Protection so that personal files could be restored from a backup in some cases. However, it appears that Microsoft was also not fully aware of the actions of the ransomware, because it offered the following advice: “Some ransomware will also encrypt or delete the backup versions and will not allow you to do the actions described before. If this is the case, you need to rely on backups in external drives (not affected by the ransomware) or OneDrive.”
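
The dropped files and the .zcrypt extension described above can be checked on a host with a read-only sweep. The following is an added example, not code from Microsoft's advisory or from the original post; the function name `Get-ZCryptorArtifact` and its default search root are assumptions, and the file names are the ones given on this page.

```powershell
# Added example: read-only sweep for the ZCryptor.A artifacts listed on this page.
# Get-ZCryptorArtifact and its -SearchRoot default are assumptions, not Microsoft tooling.
function Get-ZCryptorArtifact {
    [CmdletBinding()]
    param(
        # Where to look for files renamed to .zcrypt (assumed default: the user profile).
        [string]$SearchRoot = $env:USERPROFILE
    )

    $candidates = @(
        # %APPDATA%\zcrypt.exe
        [pscustomobject]@{ Indicator = 'AppData copy'; Path = Join-Path $env:APPDATA 'zcrypt.exe' }

        # zycrypt.lnk (name as given on this page) in the per-user and all-users start-up folders
        foreach ($kind in 'Startup', 'CommonStartup') {
            $dir = [Environment]::GetFolderPath($kind)
            if ($dir) {
                [pscustomobject]@{ Indicator = 'Start-up shortcut'; Path = Join-Path $dir 'zycrypt.lnk' }
            }
        }

        # {Drive}:\system.exe on every drive; autorun.inf on removable drives (DriveType 2)
        foreach ($disk in Get-CimInstance -ClassName Win32_LogicalDisk) {
            [pscustomobject]@{ Indicator = 'Drive-root copy'; Path = "$($disk.DeviceID)\system.exe" }
            if ($disk.DriveType -eq 2) {
                [pscustomobject]@{ Indicator = 'Removable-drive autorun'; Path = "$($disk.DeviceID)\autorun.inf" }
            }
        }
    )

    # Emits one record per match; Hidden shows whether the Hidden attribute is set.
    function New-Hit($Indicator, $Item) {
        [pscustomobject]@{
            Indicator = $Indicator
            Path      = $Item.FullName
            Hidden    = [bool]($Item.Attributes -band [IO.FileAttributes]::Hidden)
            Modified  = $Item.LastWriteTime
        }
    }

    foreach ($c in $candidates) {
        # -Force is needed because the malware hides its files from Explorer.
        $item = Get-Item -LiteralPath $c.Path -Force -ErrorAction SilentlyContinue
        if ($item) { New-Hit $c.Indicator $item }
    }

    # Files whose extension was changed to .zcrypt by the encryption pass.
    Get-ChildItem -LiteralPath $SearchRoot -Filter '*.zcrypt' -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { New-Hit 'Encrypted file' $_ }
}

# A hit is a lead to investigate, not proof: autorun.inf also appears on legitimate media.
Get-ZCryptorArtifact | Format-Table -AutoSize
```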

Windows users take care.
