Zcryptor: The conqueror worm

Zcryptor is a hybrid, part ransomware and part worm. It encrypts files and copies itself onto external media.

Analysts and researchers agree that 2016 is the year when ransomware went really big. Cybercrooks didn’t need much time to see the potential value of cryptolockers, and they readily added ransomware to their arsenals. To give you an idea of the profitability, Cisco researchers reported in 2015 that a single Angler exploit kit brings cybercriminals profits of up to $60 million annually, or on average $5 million every month!

The usual suspects of the modern ransomware market — Petya and his friend Mischa, as well as their distant relative, Locky — currently prey on users in more than 100 countries. Hackers recently started focusing more attention on enterprises and organizations in possession of valuable data: Lately, a number of US hospitals became victims of ransomware attacks.

The rise of cryptoworms

In their attempts to get as much money as possible, as soon as possible, cybercriminals seek ways to expand their attacks so they can further propagate their lockers. Malicious spam campaigns still work, but they are not as efficient as before; with cyberthreats getting coverage in the media, users are becoming more savvy and getting to know the most frequently used tricks.

In another important development, Web browsers and antiviruses have learned to detect and block malicious URLs or malware-laced spam. In response, hackers have gradually phased out their usual “carpet bombing” approach to malware distribution. Increasingly, they are turning to methods used long ago in the most widespread and efficient campaigns: good ol’ worms.

Researchers predict that the next stage of ransomware development will bring cryptoworms — a poisonous hybrid of self-propagating malware and ransomware. This new type of malware takes the best of both worlds to form a new species of ransomware that can copy and distribute itself by means of infected computers, efficiently encrypting files and demanding ransom.

The first such malware was SamSam, which sneaked onto a number of enterprise networks and infected computers on the networks as well as cloud storage containing backup copies.


This week, Microsoft detected a new sample of a cryptoworm, dubbed ZCryptor. It’s unique in that it both encrypts files and self-propagates to other computers and network devices without using malicious spam or an exploit kit. The malware copies itself onto connected computers and portable devices.

To infect the first victim, ZCryptor uses common techniques, masquerading as an installer of a popular program (e.g., Adobe Flash) or infiltrating the system through malicious macros in a Microsoft Office file.


Once inside the system, the cryptoworm infects external drives and flash drives so it can be distributed to other computers, and then starts to encrypt files. ZCryptor can encrypt more than 80 file formats (some sources say 120 formats) by adding a .zcrypt extension to the name of the file.

After that, the story revolves around a well-known scenario: Users see an HTML page informing them that their files are encrypted and available for a ransom — in this case, 1.2 bitcoins (about $650). If the users don’t pay that sum in four days, the ransom increases to 5 bitcoins (more than $2,500).

Unfortunately, experts have not been able to find way to decrypt the files and let the affected users bypass the ransom option. That means the only reasonable option for now is to be extra cautious and avoid infection.

Means of protection

If you want to be spared a ZCryptor attack, use these simple tips:

  • Update your operating system and software regularly, closing exploitable vulnerabilities and thus preventing the cryptoworm from travelling around your network.
  • Always be on alert and avoid suspicious websites; don’t open attachments coming from a murky source. In general, respect the basic rules of digital hygiene.
  • Disable macros in Microsoft Word — they are regaining popularity among cybercrooks as a means of dropping malware.
  • Regularly back up your files and store one copy on an external drive that you then disconnect from your PC. Although backed-up files do not prevent ransomware from infecting your system they are solid protection: If you have your valuable data at hand, there’s no reason to pay ransom.

Finally, of course, use reliable protection software. Kaspersky Internet Security detects ZCryptor as Trojan-Ransom.MSIL.Geograph and protects users from this threat.