Bitdefender Stops ZCrypt Worm-Like Ransomware

Bitdefender detects and blocks a new type of ransomware that replicates itself on removable and network drives. The sample analyzed by our researchers has worm-like capabilities – it can spread via autorun.inf files on USB drives. When an infected USB is plugged into a system, ZCrypt automatically launches a file called invoice.exe, which, once opened, infects the system with ransomware.

ZCrypt first corrupts the files and then encrypts them to limit the ability of victims to use disk recovery tools. User files with the following extensions are affected:

.zip   .7z .mp4    .avi    .mkv    .wmv    .swf    .pdf  .sql    .txt    .jpeg   .jpg    .png    .bmp    .psd    .doc    .docx .rtf    .xls    .xlsx   .odt    .ppt    .pptx   .ai .xml    .c  .cpp  .asm    .js .php    .cs .aspx   .html   .conf   .sln    .mdb    asp .3fr    .accdb  .arw    .bay    .cdr    .cer    .cr2    .crt    .crw   .dbf    .dcr    .der    .dng    .dwg    .dxf    .dxg    .eps    .erf   .indd   .kdc    .mdf    .mef    .mrw    .nef    .nrw    .odb    .odp   .ods    .orf    .p12    .p7b    .p7c    .pdd    .pef    .pem    .pfx   .pst    .ptx    .r3d    .raf    .raw    .rw2    .rwl    .srf    .srw   .wb2    .wpd    .jnt    .pub    .trc    .gz .tar    .jsp    .pl .py .rb .mpeg   .msg    .log    .vob    .max    .3ds    .3dm    .db .cgi   .jar    .class  .java   .bak    .pdb    .apk    .sav    .cbr    .pkg   .tar. gz. fla.    .h  .sh .vb .vcxproj  .XCODEPROJ  .eml    .emlx  .mbx   .vcf

The original file will be deleted and the encrypted files will have the .zcrypt extension. A ransom note will be created with the following name “How to decrypt files.html”

To ensure persistence, the malware will create the following registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\zcrypt, which will point to  itself, and also a shortcut named “zcrypt.lnk” in the startup folder.

Interestingly, ZCrypt uses an old, yet effective technique. Introduced back in the Windows XP era to facilitate software installations from CD-ROM media for non-technical computer users, the Autorun feature has rapidly become the infection vector of choice for cyber-criminals. For years, Autorun-based malware has been atop of the worldwide e-threat landscape, with notorious representatives such as Trojan.AutorunInf, the Conficker worm (Win32.Worm.Downadup) or Worm.Autorun.VHD.

Bitdefender has a solution – the USB Immunizer disables autorun-related threats before they access the computer. Once installed, it constantly watches for newly inserted USB storage devices and immunizes them on the fly. If you accidentally plug in an infected USB drive that has not been immunized, the computer will not auto-execute the piece of malware located on the USB storage device.

Read more and download Bitdefender’s USB Immunizer here.

Bitdefender detects this threat as  Gen:Variant.ZCrypt.1.

MD5: 62bf8f83071452af96a37e0ed0159731