Ransomware that Spreads like a Worm

It’s here. Nasty ransomware that spreads like a worm. The type of ransomware that can travel through your network and spread itself to nearby targets. We knew it was coming eventually, and now it has arrived. Keep reading for more information from our partners at KnowBe4 – and learn how you can help keep your network safe.


Microsoft released an alert about a new ransomware strain called ZCryptor, which works like a worm and spreads via removable and network drives.

The MalwareForMe blog reported this first on May 24. Three days later, Redmond’s security team decided to alert everyone about this threat.

“We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior,” Microsoft’s Malware Protection Center post stated. A subsequent analysis by Trend Micro confirmed Microsoft’s findings, categorizing the threat as a “worm,” with self-propagation features.

ZCryptor spreads via email with malicious macro attachments and a fake Adobe Flash Player installer.

Microsoft wrote that this strain use fake installers, usually for Adobe Flash, along with macro-based booby-trapped Office files to distribute the Zcryptor ransomware. Macro-based malware uses what could be argued as “user-consent prompt fatigue,” only Microsoft can come up with a term like that.

Once the user installs the fake Adobe Flash update or allows an attached Office file to run macros, the Zcryptor ransomware is installed on the user’s computer. The first thing the ransomware does is to gain PC restart persistence by adding a key to the computer’s registry. After this, it starts to encrypt files.

Based on samples it analyzed, Microsoft reported the ransomware was targeting 88 different file types. The security researcher MalwareHunterTeam told Softpedia that, in samples he analyzed, he saw the ransomware targeted 121 different file types, so it appears that ZCryptor’s criminal developers are still working and adding new code.

ZCryptor apparently is able to copy itself to removable and network drives.

The most worrying thing was Microsoft saying the ransomware has “worm-like behavior,” meaning it can spread by itself to nearby targets. This type of behavior was predicted, but now it’s here.

This is one of the first ransomware strains that features such a function. MalwareHunterTeam also said “that it [ZCryptor] has the codes to copy itself to removable devices.”

Once installed on disk and available files are encrypted, a ransom note appears demanding 1.2 bitcoins, around 500 dollars, for the decryption key. It gives the victim four days to comply and then boosts the payment to five Bitcoins.

Effective security awareness training can stop this ransomworm in its tracks. Users can easily be trained to not enable macros or install fake updates. KnowBe4 provides training for end-users to help them learn how to avoid dangerous downloads and suspicious links. BECA is a KnowBe4 partner and can help get your organization started with this great training program.

Don’t let your organization be at risk! Get the right training today!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s