“Zcrypt” – the ransomware that’s also a computer virus

SophosLabs just pointed out to us a new piece of ransomware with an interesting twist.

It’s a virus!

Most malware samples these days are what’s known as Trojans, short for “Trojan Horses” – programs that seem harmless on the surface, but have nasty surprises hidden inside.

Trojans don’t get around by themselves – they have to be delivered somehow, typically by email or via a booby-trapped web page.

Twenty years ago, however, most malware samples were viruses, meaning that they were programmed to spread on their own, like a viral infection, typically by copying themselves to other files or directories they could find, including on your network, if you had one, and to removable storage devices (or “floppy disks,” as they were known in the 1990s).

Self-spreading malware has one important advantage for the crooks: they don’t have to keep on spamming out attachments or dangerous links, because viruses get a life of their own once they’re out and about.

As a result, viruses may well spread further and last longer, not least because infections inside an organisation that aren’t stamped out completely may keep reappearing, sometimes for years.

Of course, the act of self-spreading is one more way for malware to draw attention to itself, so in today’s always-connected world, it’s a technique that’s not seen much any more.

Viral ransomware

Nevertheless, self-spreading ransowmare has been tried by cybercriminals before.

Presumably, their hope was that multiple infections inside a business, or on a home network, would therefore be more likely.

Most ransomware generates a unique encryption key for each computer it attacks, so there’s no shortcut if several computers inside your company get hit: you need to buy a unique unlock code for each one of them.

Moving around inside your network seems to be the aim of this new ransomware sample, detected and blocked by Sophos products as Troj/Agent-ARXC and Troj/Mdrop-HGD.

The good news is that we haven’t seen much evidence of it in the wild, so it doesn’t seem to be spreading very effectively, despite being a virus.

Like a lot of ransomware, we’ve seen this one “promoted” via email, claiming (admittedly rather unconvincingly) to come from a public service department in California:

If you allow yourself to be talked into downloading the alleged invoice, you’ll receive a file called invoice-order.zip; opening it up will reveal the malware in a file invoice-order.exe.

If you open up the invoice-order.exe file, the ransomware runs, scrambling any files it can find with extensions from a lengthy list, including archives, images, videos, documents, spreadsheets and even programming projects.

The ransomware then displays its “pay page,” making sure you know how to buy back the decryption key to unscramble your data:

Bitcoins have surged a bit in value over the past few days since this malware appeared, so the bill you’ll face (BTC1.2) is more like $640 at the time of writing [2016-06-01T17:00Z].

As well as scrambling your precious files, this ransomware also makes copies of itself onto writable network shares and removable drives it finds, presumably hoping that someone else might open the infected file later on.

The dropped file is called zcrypt.lnk, and it is accompanied by an autorun.inf that attempts to load it automatically when a user inserts the infected device or browses to an infected network share.

This is something of a blast from the past, because “Autorun” on removable drives has been turned off by default on Windows computers for years, so the risk of unexpected infection this way can be considered low.

Nevertheless, if you’re a system administrator, it’s worth checking that AutoRun really is turned off on all your computers. (You can do this using Group Policy.)

The malware also adds itself to the AppData\Roaming directory, which is automatically replicated onto other computers you use on the same network, meaning that this virus can literally follow you around.

What to do?

We don’t expect you to be affected by this one, because we think it’s rather obviously suspicious.

Nevertheless, all our usual suggestions will help you against this and other malware threats:

• Use a web filter to block untrustworthy links.
• Use an email filter to block untrustworthy messages.
• Apply common sense when faced with invoices and other messages you weren’t expecting.
• Don’t open .ZIP files or run .EXE files from unknown sources.
• Use Group Policy to make sure AutoRun is turned off everywhere.
• Make regular backups, including keeping off-site copies.

Importantly, please remember that not all ransomware is made alike.

In particular, viral ransomware of the Zcrypt sort doesn’t work on a one-email-one-sample-one-potential-victim model.

In other words, after you’ve had one infection, other victims may later get infected too, even though they never received a malicious email, or clicked a malicious link, or downloaded a malicious file.

Even after a single report of this malware, consider doing an on-demand or overnight virus scan of your file servers to make sure that it hasn’t left copies of itself lying around, hoping to snare additional victims later on.