
Crypto-ransomware targeting Windows 7 & later versions

Soma Tah

The analysts at Trend Micro found that the new ZCRYPT ransomware family only targets systems with newer versions of Windows, specifically Windows 7 and later.


The malware calls a function that does not exist in earlier versions of Windows, which breaks it on those older operating systems. When launched on an older version such as Windows XP, it fails either to encrypt the files properly or to display the ransom note.

ZCRYPT at first appeared to be a fairly nondescript threat. It encrypts the user’s files and uses the .ZCRYPT extension as its marker.

It makes the usual threats of deleting the files if the victim doesn’t pay up within a week. Ransom is set at 1.2 BTC (approximately 500 US dollars), with the ransom going up to 5 BTC (approximately 2,200 US dollars) after four days.


The ransom note looks like this:

It is capable of encrypting the following file formats:

.zip, .mp4, .avi, .wmv, .swf, .pdf, .sql, .txt, .jpeg, .jpg, .png, .bmp, .psd, .doc, .docx, .rtf, .xls, .xlsx, .odt, .ppt, .pptx, .xml, .cpp, .php, .aspx, .html, .mdb, .3fr, .accdb, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .dbf, .dcr, .der, .dng, .dwg, .dxg, .eps, .erf, .indd, .kdc, .mdf, .mef, .nrw, .odb, .odp, .ods, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .pst, .ptx, .r3d, .raf, .raw, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .tar, .jsp, .mpeg, .msg, .log, .cgi, .jar, .class, .java, .bak, .pdb, .apk, .sav, .tar.gz, .emlx, .vcf
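For triage after an incident, the marker extension and the list above are enough to tell which files were hit and what they originally were. The following script is an added example (not the article's or Trend Micro's code); the directory listing it scans is constructed, and it assumes the marker is appended to the original filename, which is why the two-part .tar.gz entry is matched before single extensions.

```python
from collections import Counter

# Extensions the article lists as targeted by ZCRYPT (copied from the page).
TARGETED = set("""
.zip .mp4 .avi .wmv .swf .pdf .sql .txt .jpeg .jpg .png .bmp .psd .doc .docx
.rtf .xls .xlsx .odt .ppt .pptx .xml .cpp .php .aspx .html .mdb .3fr .accdb
.arw .bay .cdr .cer .cr2 .crt .crw .dbf .dcr .der .dng .dwg .dxg .eps .erf
.indd .kdc .mdf .mef .nrw .odb .odp .ods .orf .p12 .p7b .p7c .pdd .pef .pem
.pfx .pst .ptx .r3d .raf .raw .rw2 .rwl .srf .srw .wb2 .wpd .tar .jsp .mpeg
.msg .log .cgi .jar .class .java .bak .pdb .apk .sav .tar.gz .emlx .vcf
""".split())

MARKER = ".zcrypt"  # extension the family appends as its marker


def original_extension(name):
    """Return the targeted extension hidden under the marker, or None.
    Longest entries are tried first so '.tar.gz' wins over '.tar'."""
    stem = name.lower()
    if not stem.endswith(MARKER):
        return None
    stem = stem[:-len(MARKER)]
    for ext in sorted(TARGETED, key=len, reverse=True):
        # require at least one character of basename before the extension
        if stem.endswith(ext) and len(stem) > len(ext):
            return ext
    return None


def triage(paths):
    """Count marker-bearing files per original extension; list the ones
    whose original type is not on the page's list for manual review."""
    hits, unknown = Counter(), []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1]
        ext = original_extension(name)
        if ext:
            hits[ext] += 1
        elif name.lower().endswith(MARKER):
            unknown.append(p)
    return hits, unknown


# Constructed sample listing (hypothetical paths, not real victim data).
SAMPLE = [
    "C:\\Users\\a\\Documents\\report.docx.zcrypt",
    "C:\\Users\\a\\Pictures\\IMG_001.JPG.ZCRYPT",
    "C:\\Users\\a\\backup.tar.gz.zcrypt",
    "C:\\Users\\a\\archive.zip.zcrypt",
    "C:\\Users\\a\\notes.txt",
    "C:\\Users\\a\\weird.zcrypt",
]
```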


The threat actor also enjoyed free anonymity because the domain registration masked the actual identity of the registrant.

Interestingly, this particular family also tried to spread via USB flash disks: it plants a copy of itself onto removable drives. This is relatively unusual in crypto-ransomware; its authors generally seem satisfied with distributing their wares via the most common means, malvertising and spam.


Backing up is still the best defense against crypto-ransomware. Trend Micro advises users to follow the 3-2-1 rule, the accepted best practice for backups, which ensures that users still have a copy of their data even if they are affected by similar threats. For example, if you’re backing something up, you should have:

- at least three copies,

- in two different formats,

- with one of those copies off-site.
