Link (.lnk) to Ransom


We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransomware leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as Ransom:Win32/ZCryptor.A.


Infection vector

Ransom:Win32/ZCryptor.A is distributed through the spam email infection vector. It also gets installed on your machine through other macro malware*, or through fake installers (such as a fake Flash Player setup).

Once ZCryptor is executed, it makes sure it runs at start-up:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

zcrypt = {path of the executed malware}

It also drops an autorun.inf on removable drives and a zcrypt.lnk in the start-up folder:

%User Startup%\zcrypt.lnk

...along with a copy of itself as {Drive}:\system.exe and %APPDATA%\zcrypt.exe, and changes the file attributes to hide itself from the user in File Explorer.

For example: c:\users\administrator\appdata\roaming\zcrypt.exe

Payload

This ransomware displays the following ransom note to users in a dropped HTML file, How to decrypt files.html:

Screenshot of Win32/ZCryptor.A ransom note

It also targets and encrypts files with the following extensions, and changes the file extension to .zcrypt once it is done (for example, <originalfilename.zcrypt>):

.accdb .dwg .odb .raf
.apk .dxg .odp .raw
.arw .emlx .ods .rtf
.aspx .eps .odt .rw2
.avi .erf .orf .rwl
.bak .gz .p12 .sav
.bay .html .p7b .sql
.bmp .indd .p7c .srf
.cdr .jar .pdb .srw
.cer .java .pdd .swf
.cgi .jpeg .pdf .tar
.class .jpg .pef .tar
.cpp .jsp .pem .txt
.cr2 .kdc .pfx .vcf
.crt .log .php .wb2
.crw .mdb .png .wmv
.dbf .mdf .ppt .wpd
.dcr .mef .pptx .xls
.der .mp4 .psd .xlsx
.dng .mpeg .pst .xml
.doc .msg .ptx .zip
.docx .nrw .r3d .3fr

Infected machines have a zcrypt1.0 mutex. The mutex indicates that an instance of this ransomware is already running on the infected machine.

We have also seen a connection to the following URL. However, the domain was already down when we were testing:

http://<obfuscated>/rsa/rsa.php?computerid={Computer_ID}, where {Computer_ID} is an entry found inside a dropped file, %APPDATA%\cid.ztxt

For example, c:\users\administrator\appdata\roaming\cid.ztxt
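As an added example (not part of the MMPC post), the PowerShell below checks a machine for the artifacts described in the Infection vector and Payload sections: the zcrypt Run value, the start-up .lnk, the dropped zcrypt.exe and cid.ztxt, the zcrypt1.0 mutex, autorun.inf/system.exe on removable drives, and .zcrypt files or the ransom note under the profile. It is read-only; the mutex namespace (local vs. Global) is an assumption, since the post gives none.

```powershell
# Added example, not from the MMPC post: read-only check for the ZCryptor
# artifacts the post names. Nothing is deleted; findings are returned as strings.
function Find-ZCryptorArtifacts {
    $findings = @()

    # 1. Persistence: the "zcrypt" value under the HKCU Run key
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties.Name -contains 'zcrypt') {
        $findings += "Run value zcrypt -> $($run.zcrypt)"
    }

    # 2. Dropped files in the profile; -Force so the hidden attribute the
    #    malware sets does not mask them
    $startup = [Environment]::GetFolderPath('Startup')
    $dropped = @((Join-Path $startup 'zcrypt.lnk'),
                 (Join-Path $env:APPDATA 'zcrypt.exe'),
                 (Join-Path $env:APPDATA 'cid.ztxt'))
    foreach ($p in $dropped) {
        if (Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue) {
            $findings += "Dropped file: $p"
        }
    }

    # 3. The zcrypt1.0 mutex (only present while an instance is running).
    #    Assumption: the post gives no namespace, so local and Global are both tried.
    foreach ($name in 'zcrypt1.0', 'Global\zcrypt1.0') {
        try {
            $m = [System.Threading.Mutex]::OpenExisting($name); $m.Dispose()
            $findings += "Mutex $name present (instance running)"
        } catch { }   # WaitHandleCannotBeOpenedException means not present
    }

    # 4. Propagation artifacts on removable drives (Win32_LogicalDisk DriveType 2)
    $removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
    foreach ($d in $removable) {
        foreach ($f in 'autorun.inf', 'system.exe') {
            $p = "$($d.DeviceID)\$f"     # DeviceID is e.g. "E:"
            if (Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue) {
                $findings += "Removable-drive artifact: $p"
            }
        }
    }

    # 5. Encryption artifacts: .zcrypt files or the ransom note in the profile
    $enc = Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -ErrorAction SilentlyContinue `
        -Include '*.zcrypt', 'How to decrypt files.html' | Select-Object -First 5
    foreach ($e in $enc) { $findings += "Encryption artifact: $($e.FullName)" }
    return $findings
}

Find-ZCryptorArtifacts | ForEach-Object { Write-Warning $_ }
```

Run it in the context of the affected user, since the Run key, %APPDATA% and the Startup folder are per-user; a clean machine returns nothing.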

Prevention

To help stay protected:

  • Keep your Windows operating system and antivirus up to date. Upgrade to Windows 10.
  • Regularly back up your files to an external hard drive.
  • Enable File History or System Protection. On your Windows 10 or Windows 8.1 devices, you must have File History enabled and you have to set up a drive for File History.
  • Use OneDrive for Business.
  • Beware of phishing emails, spam, and clicking malicious attachments.
  • Use Microsoft Edge to get SmartScreen protection. It will prevent you from browsing sites that are known to be hosting exploits, and protect you from socially engineered attacks such as phishing and malware downloads.
  • Disable the loading of macros in your Office programs.
  • Disable your Remote Desktop feature whenever possible.
  • Use two-factor authentication.
  • Use a safe internet connection.
  • Avoid browsing websites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.).

Detection

Recovery

In Office 365’s How to deal with ransomware blog, there are several options for how one can remediate or recover from a ransomware attack. Here are a few that are applicable to home users or to those in the information industry like you:

  1. Make sure you have backed up your files.
  2. Recover the files on your device. If you have previously turned File History on in Windows 10 and Windows 8.1 devices or System Protection in Windows 7 and Windows Vista devices, you can (in some cases) recover your local files and folders.

To restore your files or folders in Windows 10 and Windows 8.1:

  • Swipe in from the right edge of the screen, tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search). Enter “restore your files” in the search box, and then tap or click Restore your files with File History.
  • Enter the name of file you’re looking for in the search box, or use the left and right arrows to browse through different versions of your folders and files.
  • Select what you want to restore to its original location, and then tap or click the Restore button. If you want to restore your files onto a different location than the original, press and hold, or right-click the Restore button, tap or click Restore To, and then choose a new location.

Source: Restore files or folders using File History

To restore your files in Windows 7 and Windows Vista

  • Right-click the file or folder, and then click Restore previous versions. You’ll see a list of available previous versions of the file or folder. The list will include files saved on a backup (if you’re using Windows Backup to back up your files) as well as restore points. Note: To restore a previous version of a file or folder that’s included in a library, right-click the file or folder in the location where it’s saved, rather than in the library. For example, to restore a previous version of a picture that’s included in the Pictures library but is stored in the My Pictures folder, right-click the My Pictures folder, and then click Restore previous versions. For more information about libraries, see Include folders in a library.
  • Before restoring a previous version of a file or folder, select the previous version, and then click Open to view it to make sure it’s the version you want. Note: You can’t open or copy previous versions of files that were created by Windows Backup, but you can restore them.
  • To restore a previous version, select the previous version, and then click Restore.

Warning: The file or folder will replace the current version on your computer, and the replacement cannot be undone. Note: If the Restore button isn’t available, you can’t restore a previous version of the file or folder to its original location. However, you might be able to open it or save it to a different location.

Source: Previous versions of files: frequently asked questions

Important: Some ransomware will also encrypt or delete the backup versions and will not allow you to perform the actions described above. If this is the case, you need to rely on backups on external drives (not affected by the ransomware) or on OneDrive (next step).

Warning: If the folder is synced to OneDrive and you are not using the latest version of Windows, there might be some limitations using File History.

  1. Recover your files in your OneDrive for Consumer
  2. Recover your files in your OneDrive for Business

If you use OneDrive for Business, it will allow you to recover any files you have stored in it. You can use either of the following options:

Restore your files using the Portal

Users can restore a previous version of a file through the user interface. To do this you can:

1. Go to OneDrive for Business in the office.com portal.

2. Right-click the file you want to recover, and select Version History.

3. Click the dropdown list of the version you want to recover and select Restore.

If you want to learn more about this feature, take a look at the Restore a previous version of a document in OneDrive for Business support article.

Create a Site Collection Restore service request

If a large number of files were impacted, using the user interface in the portal will not be a viable option. In this case, create a support request for a ‘Site Collection Restore’. This request can restore up to 14 days in the past. To learn how to do this, please take a look at the Restore Option in SharePoint Online blog post.

*Related macro malware information:

Edgardo Diaz and Marianne Mallen

Microsoft Malware Protection Center (MMPC)

Comments (32)

  1. Eddy Current says:

    Why should someone with a sane mind upgrade to Windows 10?
    Even Microsoft’s latest OS fails to employ W^X in its filesystem and allows execution of any file anywhere.

    JFTR: NTFS was introduced about 25 years ago and supports fine-grained access control, including a permission “execute file”. Apply an ACE (D;OIIO;WP;;;WD) on every directory where users can (over)write files (typically the user’s profile plus C:\ProgramData\), and the attack vector is closed.

    JFTR: SAFER alias software restriction policies were introduced about 15 years ago. See https://technet.microsoft.com/en-us/library/aa940985.aspx for guidance written by some obscure company which goes by the name Microsoft
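Added editor's example, not code from the commenter or from Microsoft: the deny-execute ACE the comment above describes, (D;OIIO;WP;;;WD), applied with icacls. Everyone is written as the well-known SID S-1-1-0 so it works on any locale; in icacls notation (OI)(IO)(X) is object-inherit, inherit-only, execute, which lands on files below the directory rather than on the directory itself. The directory list is the one the comment names and is an assumption about scope.

```powershell
# Added example: apply or undo a deny-execute ACE for Everyone on directories
# that users can write to, as suggested in the comment above.
param(
    [string[]]$Dirs = @($env:USERPROFILE, 'C:\ProgramData'),  # directories the comment names
    [switch]$Undo
)

foreach ($d in $Dirs) {
    if ($Undo) {
        # Remove all Deny entries for Everyone (S-1-1-0) again
        icacls $d /remove:d '*S-1-1-0'
    } else {
        # Inheritable ACE on the directory; Windows propagates it to existing
        # children, so no /T is needed. (OI)(IO) = applies to files only.
        icacls $d /deny '*S-1-1-0:(OI)(IO)(X)'
    }
}

# Verify: the Deny entry shows up with ExecuteFile rights, ObjectInherit / InheritOnly
foreach ($d in $Dirs) {
    (Get-Acl -Path $d).Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}
```

Applications installed per user (they live under %LOCALAPPDATA%) stop launching under this ACE, so narrow $Dirs to the directories you actually want covered, and use -Undo to revert.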

  2. MrMinz says:

    Thanks for the Warning. But how will OneDrive Business and Windows10 protect me from infected USB Drives and infected spam mails?

    1. Steve says:

      OneDrive for Business have version history so you can revert files and Windows 10 have the last security updates.

      1. Phreeze says:

        Win7 does have the latest updates too…and those updates do not protect at all…look at how the malware works, no update at all can protect you.

        1. billert says:

          Well, technically Windows 7 only has Extended support. The Windows 7 extended support ends on January 14, 2020 based on Microsoft Support Lifecycle. However, if you upgrade to Windows 10, your PC’s support will end September 14, 2025.

  3. really?... says:

    really? upgrade to windows 10?
    use one drive for business?
    use micro$oft Edge browser?
    use windows Defender?

    this article is more like an advertisement cloaked in a warning article about ransomware.

  4. Christoph says:

    Well thanks, the info i am missing:
    – I guess I should be 100% sure to have disabled the malware before restoring (if not I suppose my backup drive is the next encrypted thing)
    – how can I disable auto run / autorun.inf on removable drives (one of the most dangerous things there ever was in IT history)? Will this still work in Win10?

    best regards, Christoph

  5. You should also include an MD5 or some other hash for the file(s) involved–to help users.

    Regards,

    1. msft-mmpc says:

      d14954a7b9e0c778909fe8dcad99ad4120365b2e

  6. Meitzi says:

    MrMinz: I think the idea is that OneDrive has versionhistory. So you just restore older versions.

    1. king says:

      Realistically, a lot of the top well-known businesses won’t be using OneDrive for Business or have moved on to Windows 10 yet. Also, version history is not something new and unique to OneDrive.

  7. Jim says:

    I can see that Windows Defender / SCEP can detect this Malware, but I do not see it stated that it can REMOVE this threat upon detection.
    If it can be removed, what is the version number of the definition file needed to protect myself?

    1. msft-mmpc says:

      Please make sure that the signatures/definitions are up to date and this threat should be removed.
      You can see the change log for the definition updates and download the latest definition updates from this link

  8. Elizabeth says:

    Hi, Thanks for this info.
    I have a few questions. Windows 7 Pro 32-bit SP1. Will get Windows 10 when able to purchase a new PC. This one has run for 15 years and was completely reconfigured in 2008.
    1] MSE antivirus disabled my Windows 7 Defender. Should I turn it back on?
    2] I also use MBAM. Is this alright and helpful?
    3] VIP….I went to your link above….LINK (LNK) TO RANSOM and found the radar says Severe. Does this reflect my Windows 7 SP1 32-bit or is it only an example?
    5] Should I go to C:\system32 and if I see ZCRYPTOR, do I delete it? Also do I delete this file,
    C:\users…..appdata..roaming, if found there do I delete from all users as well?
    6] Do I adjust the registry if found there as shown above? How?
    Thanks for your help, Liz

  9. Fix my bouncing screen that appeared several days ago.

  10. Mike says:

    Shameless plug…

  11. adwbust says:

    LOL MSE can’t even fully clean lnk files created by malware on a usb drive. 🙂

    A yeltminky on a usb drive was there for months or maybe even a year before it was even detected.

    Funny how you have charts/graphs of how many machines were “cleaned” when most definitely those machines aren’t clean and there are remnants – undetected items by your mmpc engine lol.

  12. underground says:

    what is the value counter for fildelsticks ha ha (xD)

  13. T T says:

    defender is unable to delete the Trojans/viruses. what can be done?

  14. I keep getting this Internet page on my screen and it seems I can’t do anything to stop it.
    I think it’s a Russian site (?)

    The site comes up even if I’m not using any browser. In this case Windows Edge. It’s disturbing because the page continues a video and suddenly the computer starts talking and it took me a while to see it was due to that page.

    Hope you can do something to prevent this from happening.

    Sincerely yours
    Thomas H

  15. gilles boisjoly says:

    Is this really from you ???………..Microsoft Account Confirmation (see below)

    We received a request from you yesterday to terminate your account permanently
    and the process has started by our automated server

    If you didn’t request this, click the button below to cancel the request immediately.

    cancel request

    If you actually request to delete your account, please ignore this email

    Thanks,
    Microsoft account team

  16. I cannot delete all the malware after having done a full scan Why not?

  17. bev beaman says:

    My pc started normally. I went to play at gamehouse.com and I got this message saying to call a certain 1-888 number to reach Microsoft
    before I did any purchases or banking on my account. I immediately tried to close it but it did not work. I then went to task manager but they could not close it either so I started a full scan with security essentials.. The file in task manager says atiedxx 00 1,836

  18. Raul Lozano says:

    in Spanish please

  19. peter says:

    maybe a microsoft conspiracy? upgrade to win 10, use ms edge….upgrade to win 10, use ms edge….upgrade to win 10, use ms edge….and on and on it goes!

  20. GuerreroCanino says:

    **** that namsonware, its already enough with the normal namsonwares.

  21. This is too hi-tech for me; I am a senior user. Email is a problem, neither delivering nor sending mail; it has error messages.

  22. CeeCee says:

    Malware, Windows Defender is available but your updates are not available for ransom to support infectious-ware…
    Windows updates applicable but support minimal productivity….
