Slashdot Mirror


Microsoft Warns of ZCryptor Ransomware With Self-Propagation Features (softpedia.com)

An anonymous reader writes from a report issued by Softpedia on May 27: Microsoft and several other security researchers have detected the first ransomware versions that appear to have self-propagation features, being able to spread to other machines on their own by copying themselves to shared network drives or portable storage devices automatically. Called ZCryptor, this ransomware seems to enjoy quite the attention from crooks, who are actively distributing it today via Flash malvertising and booby-trapped Office files that infect the victim if he enables macro support when opening the file. This just seems to be the latest addition to the ransomware family, one which recently received the ability to launch DDoS attacks while locking the user's computer.

71 comments

  1. Microsoft would know by Anonymous Coward · · Score: 4, Funny

    They're the king of ransomware, forcing Windows 10 installations.

    1. Re:Microsoft would know by DeathElk · · Score: 1

      Why mod troll? It is a well documented fact that Microsoft will change your computer operating system through subterfuge, which for many users has caused software and/or hardware to malfunction.

    2. Re: Microsoft would know by Anonymous Coward · · Score: 0

      it's modded troll because this site now runs on Windows 10 professional home server and it's the best os virus in the world - it was free!

  2. Ahhhh by Adambomb · · Score: 2, Funny

    Good old retro boot sector viruses.

    --
    Ice Cream has no bones.
    1. Re: Ahhhh by Anonymous Coward · · Score: 0

      FORM.D FTW

  3. Minor correction to TFS by Anonymous Coward · · Score: 0, Troll

    Microsoft and several other security researchers have detected the first Microsoft Windows ransomware versions that appear to have self-propagation features, being able to spread to other Microsoft Windows machines on their own by copying themselves to shared Microsoft Windows network drives or portable storage devices automatically. Called ZCryptor, this Microsoft Windows ransomware seems to enjoy quite the attention from crooks, who are actively distributing it today via Microsoft Windows Flash malvertising and booby-trapped Microsoft Windows Office files that infect the Microsoft Windows victim if he enables macro support when opening the file. This just seems to be the latest addition to the Microsoft Windows ransomware family, one which recently received the ability to launch DDoS attacks while locking the Microsoft Windows user's computer.

    1. Re:Minor correction to TFS by Anonymous Coward · · Score: 0

      "...infect the Microsoft Windows victim if *he* enables..."?

      Now now, let's not pretend that women don't get viruses.

    2. Re:Minor correction to TFS by Anonymous Coward · · Score: 0

      That's right. In the interest of inclusiveness, malware authors should start producing yeast infections.

    3. Re:Minor correction to TFS by Anonymous Coward · · Score: 0

      Devil's advocate: One of the reasons Windows is attacked so often is because it is the front runner in operating systems, and malware writers would have to "retool" and gain new experience to focus on other operating systems. I'm reminded of pre-2000 where people were kvetching about Solaris holes left and right, with people saying the same things about Sun that they now bash MS for.

      Does MS do some things that can be considered objectionable? Yes. I shouldn't have to install a third party utility or push GPOs out on a domain to prevent an upgrade. However, Windows is pretty good with the security features, especially at the enterprise level. AppLocker is a very good tool to keep ransomware at bay, not to mention software for endpoint backups that "pull" the data (so malware can't access the backup repository.)

  4. I heard by Anonymous Coward · · Score: 1, Funny

    It disguises itself as the Windows 10 upgrade notification.

    1. Re: I heard by Anonymous Coward · · Score: 0

      Angry much?

    2. Re: I heard by cbiltcliffe · · Score: 3, Funny

      Angry much?

      Of course he is. He got force upgraded to Windows 10.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    3. Re: I heard by Opportunist · · Score: 1

      Yes, but back then I clicked it away so it had to return in disguise again and now I can't decide if closing it would just close or install it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. They still don't get the difference between code.. by Anonymous Coward · · Score: 4, Insightful

    and data. After twenty years of problems with code in documents, including some that would wipe out your partition table, they still allow code in a document to execute.

    Also, this might be the first malware that infected network files, but it certainly isn't the first to affect Office documents. We've been hit several dozen times.

  6. Does it stop Win 10 "upgrade"? by Anonymous Coward · · Score: 0

    Does this, by chance, stop the Windows 10 "upgrade"? If so, could someone kindly direct me to a site where I can acquire this fine piece of software?

  7. Block all Adverts now to protect yourself. by Lumpy · · Score: 5, Insightful

    More proof that everyone should be using an adblocker to keep their computer and friends' computers safe.

    Dear website owners.... WAHH about your lost revenue. Start hosting the ads on your own servers and VET THEM to be safe and not an attack vector.

    --
    Do not look at laser with remaining good eye.
    1. Re: Block all Adverts now to protect yourself. by Anonymous Coward · · Score: 0

      Ad blocker isn't the answer. MS also has its own setting that overrides the ad blocker settings. Adblocker does not work in the new Explorer, and update will change your settings without your permission. So what else is new?

    2. Re: Block all Adverts now to protect yourself. by Anonymous Coward · · Score: 0

      LMHOSTS

    3. Re: Block all Adverts now to protect yourself. by Anonymous Coward · · Score: 0

      Use a real web browser? Chrome has process isolation. Firefox has extensions like NoScript that can keep stuff at bay.

    4. Re: Block all Adverts now to protect yourself. by Opportunist · · Score: 1

      ...which is fine until there is a bug in either of them that allows an exploit to run...

      Which is in 99% of infections actually the case. What did you think was happening? Duh!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Ransomware |= Malware? by Anonymous Coward · · Score: 0

    MS is already on the end-game push for the Windows store (RIP Windows Phone.. time to find an Android phone for me) and has already sent out ransomware/malware called the Get Windows 10 update and now calls foul? To quote Phoebe from "Friends"

    "Friends: The One with All the Poker (#1.18)" (1995)
    Phoebe: I just realized something. Joker is poker with a j... coincidence?
    Chandler: Hey, that's "joincidence"... with a c.

    Rachel: God, could you believe what a jerk Ross was being?
    Monica: Oh I know he can get really competitive.
    Phoebe: [laughs]
    Monica: What?
    Phoebe: [pretends to pick up a phone] Hello kettle? This is Monica. You're black!

  9. Pray to whatever god you worship by millertym · · Score: 5, Interesting

    This stuff is nasty.

    1- Have spotless offline backups of everything
    2- Lock down share permissions
    3- Lock down admins on permissions domain level
    4- Lock down admins on local machine level
    5- Pray

    I had to deal with this garbage once earlier this year on a custom domain with awful permissions management. It was bad enough from a single-source, spread-to-shares perspective. I can't imagine the damn thing acting like a worm at the same time. Potentially career ending because 1- your enterprise gets owned so hard and 2- you never want to touch a computer again once you have to try to clean it up.

    1. Re:Pray to whatever god you worship by Anonymous Coward · · Score: 0

      So you did your due diligence and took the time to actually apply the recommended steps to secure your systems. Bravo. It seems everyone else just sits around complaining about weak security.
      And the one thing that bothers me is that those who develop these types of viruses are always two steps ahead of those claiming to be security experts. All the so-called experts and security researchers seem to do is postmortems after the virus has already started wreaking havoc.

    2. Re: Pray to whatever god you worship by mspohr · · Score: 1

      But does it run on Linux?

      --
      I don't read your sig. Why are you reading mine?
    3. Re:Pray to whatever god you worship by Anonymous Coward · · Score: 2, Funny

      There is an additional step you want to consider in an enterprise. Notice from the write-up that this one adds itself to the RUN key to ensure persistence. Most malware / crapware that isn't root kit style does this. The key "HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run" should be set to require administrator access to change. That simple change prevents this from getting persistence (and, depending on how the author wrote it, may cause it to fail to encrypt - as you notice the writeup says that setting this key is the first thing it does).
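One way to act on the point about the Run key from the detection side, as an added example that is not code from the thread or from Microsoft: the script below scans constructed Sysmon-style registry "value set" records (the Event ID 13 fields Image, TargetObject and Details) for writes beneath the per-user Run and RunOnce keys, and flags the ones whose launched binary, or whose writing process, lives in a directory an ordinary user can write to. The `Key=Value|Key=Value` line format, the paths and the SID are invented for the example.

```python
"""Surface autorun persistence written from user-writable locations.

Added example, not code from the thread or from Microsoft. It scans
constructed Sysmon-style registry "value set" records (Event ID 13 fields
Image, TargetObject, Details) for writes beneath the per-user Run and RunOnce
keys that the write-up says ZCryptor uses for persistence, and flags the ones
whose launched binary, or whose writing process, lives in a directory an
ordinary user can write to. The record format below is invented for the example.
"""
import re

# The standard autorun keys under a user hive (HKCU or HKU\<SID>).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories an unprivileged user can write to without any prompt.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Temp\\", re.IGNORECASE)

# Constructed sample records; the paths and the SID are placeholders.
SAMPLE_EVENTS = [
    # A vendor installer in Program Files registering its updater: benign.
    r'EventID=13|Image=C:\Program Files\Vendor\setup.exe|TargetObject=HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate|Details="C:\Program Files\Vendor\update.exe" /quiet',
    # A binary in the user's Temp registering a copy of itself from AppData: the pattern to catch.
    r'EventID=13|Image=C:\Users\alice\AppData\Local\Temp\unknown.exe|TargetObject=HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\svc|Details=C:\Users\alice\AppData\Roaming\unknown.exe',
    # A registry write elsewhere under the user hive: ignored.
    r'EventID=13|Image=C:\Windows\explorer.exe|TargetObject=HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|Details=DWORD (0x00000001)',
]


def parse_event(line: str) -> dict:
    """Split one 'Key=Value|Key=Value' record into a dict (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def first_path(details: str) -> str:
    """Extract the executable path from a Run value; values may be quoted or carry arguments."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end > 0 else details
    return details.split(" ")[0]


def find_run_key_alerts(lines) -> list:
    """Return one alert dict per suspicious Run/RunOnce write found in the records."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13" or not RUN_KEY.search(ev.get("TargetObject", "")):
            continue
        target = first_path(ev.get("Details", ""))
        writer = ev.get("Image", "")
        reasons = []
        if USER_WRITABLE.search(target):
            reasons.append("autorun target in user-writable path")
        if USER_WRITABLE.search(writer):
            reasons.append("written by process in user-writable path")
        if reasons:
            alerts.append({"value": ev["TargetObject"], "target": target,
                           "writer": writer, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_run_key_alerts(SAMPLE_EVENTS):
        print(alert["value"])
        print("  launches:", alert["target"])
        print("  written by:", alert["writer"])
        print("  because:", "; ".join(alert["reasons"]))
```

The benign installer record produces no alert because both the writer and the registered binary sit under Program Files; the second record is flagged twice over. The ACL change suggested above is the preventive counterpart: if you try it, test it against the per-user applications your organization actually runs first, since installers that deploy into AppData legitimately register themselves under the same key.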

    4. Re:Pray to whatever god you worship by sabbede · · Score: 1

      Oh, good catch! That can also be disabled entirely via group policy, though I forget exactly what it's called. 'Disable access to classic run' or somesuch.

    5. Re:Pray to whatever god you worship by Anonymous Coward · · Score: 0

      There is always using AppLocker to disallow unsigned programs from running. Locking down admins is doable, but then you have to go install a user's printer, mount their TrueCrypt filesystem, or other basic tasks, which is OK for most departments, but the sales guys will be complaining to management that IT is keeping them from doing their job and the firm's revenue stream can be affected, if they don't get full rights. AppLocker is more palatable, and if someone is trying to install an unsigned application, it is much harder for them to convince IT about it, especially after MS True-Up time.

    6. Re:Pray to whatever god you worship by The-Ixian · · Score: 1

      How about just whitelisting applications on your network to locations that users don't have write access to?

      --
      My eyes reflect the stars and a smile lights up my face.
    7. Re:Pray to whatever god you worship by Anonymous Coward · · Score: 2, Insightful

      Let me tell you what it's like working in infosec in a large organization.

      Me: We need to remove some of these global admin accounts, they can access literally everything, change group policy, delete all 500+ of our file servers around the globe.
      Manager: No we need meetings to do this and a change request process and team to make sure all the players are onboard. Also we cannot spend any money doing this, cannot schedule any employee hours to do this so you'll be doing it on your own time without getting paid. If anything at all goes even the slightest bit wrong, we'll blame you.
      High level manager: I'm not giving up my access to everything
      Manager: okay so Anonymous Coward you can remove all of the 'extra' global admin accounts besides the ones on this list
      (Some giant disaster happens because some Director of Finance or something downloaded malware and then logged into the domain with his global admin account)
      Manager: WHAT THE FUCK ANONYMOUS COWARD, HOW COULD YOU HAVE LET THIS HAPPEN?

      Me: we need to implement security policy X (example: no badge access to data rooms unless you're a sysadmin or otherwise need it)
      Manager: No we need meetings to do this and a change request process and team to make sure all the players are onboard. Also we cannot spend any money doing this, cannot schedule any employee hours to do this so you'll be doing it on your own time without getting paid. If anything at all goes even the slightest bit wrong, we'll blame you.
      High level manager: What do you mean I won't have badge access to the server room? I'm the warehouse manager, my job has nothing to do with IT or servers, but my badge HAS to work on that door because I AM THE MANAGER!
      Manager: okay so Anonymous Coward you can remove badge access to all the 'extra' badges besides the ones on this list
      (Some giant disaster happens because the Warehouse Manager badged into the server room, unplugged all four network cables on the production server and then drove home while everything had a meltdown)
      Manager: WHAT THE FUCK ANONYMOUS COWARD HOW COULD YOU HAVE LET THIS HAPPEN?

    8. Re: Pray to whatever god you worship by Anonymous Coward · · Score: 0

      Don't get too cocky. Linux isn't immune to bugs and Linux ransomware may be next.

    9. Re: Pray to whatever god you worship by Opportunist · · Score: 1

      Not if you don't run Samba so your Windows box can access files...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. maybe its time to put msoffice into a VM? by TheGratefulNet · · Score: 2

    a VM can be contained pretty well. I was used to installing office on my local pc, but now I'm starting to think it's going to be safer inside a VM and I'll just run the VM for the few times I have to actually edit word docs. viewing them is ok on libreoffice or similar, but I would not use the free versions to edit ms docs (sigh).

    --
    "It is now safe to switch off your computer."
    1. Re:maybe its time to put msoffice into a VM? by campuscodi · · Score: 4, Informative

      Or use OpenOffice or LibreOffice instead. Heck, even Google Docs is better now.

    2. Re:maybe its time to put msoffice into a VM? by Anonymous Coward · · Score: 0

      It's almost like you didn't read the whole comment before replying. I like the last sentence.

    3. Re:maybe its time to put msoffice into a VM? by Anonymous Coward · · Score: 2, Funny

      How does this help, if the malware spreads via network shares? If Office has access to the shares, which is quite handy for editing files in them, it is also possible for it to spread the malware.

    4. Re:maybe its time to put msoffice into a VM? by Anonymous Coward · · Score: 0

      I'm actually working on installing Qubes this week to try out their VM isolation system. Apparently you can run windows VMs in it, in the current version if you set it up right you can even display rootless windows. If the rest of the Qubes tools work with windows, then you can inject a single specific file into the VM, edit the document, then retrieve the single specific file from the VM, then when the VM shuts down any changes from the template image are lost.

      In other words, I right-click a file, choose "open in office VM", and Qubes does so. At least, that seems to be the promise. (I'd love to see if there's a way to see the changes that were made, maybe it could work as a virus scanner: open documents in a VM until files that shouldn't be touched get touched, mark that document as a virus, then continue with a fresh VM.)

    5. Re:maybe its time to put msoffice into a VM? by tgharold · · Score: 1

      That's been my preference for the last year. KVM on Linux now has snapshot support built in, and OS X Parallels has had it for a while. So about once a month, I'll make a snapshot and label it "good" with some notes. If there's ever trouble, I can roll back to that snapshot.

      For the host operating system, files get written to a backup location via SSH, using an SSH key that can only run the backup program (borg-backup) on the destination server. I have yet to see anything that targets backup software that operates in that fashion (it would need to understand that backups happen via SSH and find a vulnerability in the backup software command on the target).

      And the final layer of defense, backups that are on encrypted external drives that go offsite weekly.

  11. BREAKING NEWS by Anonymous Coward · · Score: 2, Funny

    BREAKING NEWS: Microsoft warns about a new self-installing malware called "Windows 10"

  12. Disable Flash too by duke_cheetah2003 · · Score: 1

    That convinced me to disable Flash forever. No way I want that kind of crap sneaking onto my PC.

  13. Yet another reason by FrozenGeek · · Score: 5, Informative

    not to use flash. I understand that there are many companies with a significant investment in flash-based code. But flash has proven to be a persistent security hole. HTML 5 is a viable alternative to flash. Time for those companies to suck it up.

    --
    linquendum tondere
  14. A permanent solution by Anonymous Coward · · Score: 0

    I have a permanent solution to this crap once and for all. Hunt them down, all of them, and then execute them publicly on Pay Per View. Because we're sick of this stupid shit.

    1. Re: A permanent solution by mspohr · · Score: 3, Informative

      Might be easier to just install Linux.

      --
      I don't read your sig. Why are you reading mine?
    2. Re: A permanent solution by NewtonsLaw · · Score: 1

      Why would I want to install Linux - it's already installed and running on my machines :-)

    3. Re: A permanent solution by mspohr · · Score: 1

      Then why are you going full aggro?

      --
      I don't read your sig. Why are you reading mine?
    4. Re: A permanent solution by perryizgr8 · · Score: 1

      And end up in a situation like Android Linux, which has more malware than Windows ever had.

      --
      Wealth is the gift that keeps on giving.
    5. Re: A permanent solution by Anonymous Coward · · Score: 0

      I suspect you're asking the wrong person.

    6. Re:A permanent solution by Anonymous Coward · · Score: 0

      I have a permanent solution to this crap once and for all. Hunt them down, all of them, and then execute them publicly on Pay Per View. Because we're sick of this stupid shit.

      I torrent everything, but I'd pay to see that!

    7. Re: A permanent solution by Anonymous Coward · · Score: 0

      Because I'm a farmer!

  15. Re:They still don't get the difference between cod by Anonymous Coward · · Score: 0

    I'm curious, what exactly would the difference in a document be between code and data, or preferably how would your implementation look like to prevent executing malware?

  16. Stuxnet features? by Anonymous Coward · · Score: 0

    Given that this sounds like some of the propagation features of Stuxnet, I'm wondering if some of its "features" have been reverse engineered or copied into this worm. It's something I've wondered about, ever since reading about Stuxnet, that the features in it would be propagated to the larger criminal world.

  17. Why not sandbox Office and Office macros? by jonwil · · Score: 1

    Given the number of viruses out there that use Microsoft Office documents as a transmission vector, why hasn't Microsoft locked down VBA and macros so that macros in an Office document file can't do anything dangerous?

    Web browsers sandbox JavaScript code these days to prevent exploits and improve security, why not do the same for Office documents?

    That way, rogue macros can't download and install further malware or access data files all over the disk or mess with Windows system folders/files/data.

    1. Re:Why not sandbox Office and Office macros? by gnupun · · Score: 1

      why hasn't Microsoft locked down VBA and macros so that macros in an Office document file can't do anything dangerous?

      My guess would be (a) the high cost of redesigning the macro subsystem and (b) users bitching and moaning when new macro language breaks their old scripts -- it would be Y2K all over again.

  18. Re:They still don't get the difference between cod by tommeke100 · · Score: 1

    The issue stays the same. If you have data in the file that gets interpreted a certain way ( say, for formatting, a malformed URL, weird characters, ...), but the interpretation is buggy and prone to buffer-overflows or other when reading the wrong data, you're still at risk.

  19. Propagation by ACE209 · · Score: 1

    This one tries to propagate almost as hard as the Windows Update.

    Past proper propagation probably plethoras of problems perceived.

    They that out loud three times.

    --
    "we are all atheists about most of the gods that societies have ever believed in. Some of us just go one god further."
    1. Re:Propagation by Opportunist · · Score: 1

      I did.

      'scuse me, gotta find wipes for the screen.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  20. Virtual Machine by Anonymous Coward · · Score: 0

    The only "safe" way to run Microsoft software is inside a very tightly controlled virtual machine.

    -No access to hardware directly
    -No access to the network - ever
    -No access to more files than it absolutely needs

    i.e.: I have a scratch USB drive that I use for any MSFT related activities. It is scanned by Linux AntiVirus, and only the files I absolutely need the MSFT software to see are present.

    That way, the MSFT software can not corrupt my files with its Digital-Restrictions-Management, or any other malware.

    MSFT Software runs great, I'd say even better on a virtual machine, than native hardware. MSFT deals much better with a simplified hardware model than it does with real hardware. Sound works, video works, suspend and sleep even work!

    Since the hardware is much simpler, windows driver updates don't break the hardware.

    There is no real BIOS for MSFT to corrupt, no disks that it can break, etc.

  21. Are we sure the origins are unknown? by Anonymous Coward · · Score: 0

    From TFA:

    To help stay protected: ... Upgrade to Windows 10.

    Given the underhanded tactics already employed by Microsoft, one can't help but wonder...

  22. Re:They still don't get the difference between cod by David_Hart · · Score: 1

    and data. After twenty years of problems with code in documents, including some that would wipe out your partition table, they still allow code in a document to execute.

    Also, this might be the first malware that infected network files, but it certainly isn't the first to affect Office documents. We've been hit several dozen times.

    By default the latest Office programs save files in a format that prevents macros from running. You have to specifically change the file type to allow macros. When you open macro-enabled Office files, it will, by default, disable active content and show a warning box. You have to actually click on the box to allow macros and VBScript.

  23. Good thing MS spooked folks into disabling updates by Anonymous Coward · · Score: 1

    Good thing that Microsoft's strong-arm tactics trying to force Win 10 upgrades resulted in some people permanently disabling Windows Update on their boxes.

    Not only will those people get owned, but their machines can act as distribution centers to attack other machines, including distributing future malware even if MS releases a patch to help protect against this.

    500 Rupees have been deposited into Satya Nadella's account care of the Russian malware alliance.

  24. Re:They still don't get the difference between cod by myowntrueself · · Score: 1

    I'm curious, what exactly would the difference in a document be between code and data, or preferably how would your implementation look like to prevent executing malware?

    Because the word processor or spreadsheet doesn't have any ability to execute anything outside of its own document?

    Why the fucking fuck would a word processor or spreadsheet need to execute anything or operate in any way outside of their own document? What could possibly go wrong? Oh... wait...

    --
    In the free world the media isn't government run; the government is media run.
  25. Microsoft the security researcher by khz6955 · · Score: 1

    Have Microsoft ever considered looking at their own source code? Considering Microsoft is primarily responsible for the malware infestation. That would be like describing Dr. Hannibal Lecter as a food nutritionist researcher.

    1. Re:Microsoft the security researcher by Opportunist · · Score: 1

      Not really anymore. The primary infection vectors today are rather third-party software packages that are so omnipresent that they can as well be considered part of the OS while having a WAY worse security record than MS. Adobe being probably the worst offender, the currently biggest infection vectors being Flash and Acrobat Reader.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  26. Bitdefender Anti-Ransomware is looking good by Anonymous Coward · · Score: 0

    Direct Download from official site:
    http://download.bitdefender.co...

    It may not stop ALL ransomware, but it receives updates and protects against some of them. The link above will probably remain the same throughout new versions/updates. It will launch and appear in your tray once you install and reboot your computer. I like it, it's simple and free(ware). I wish it was open source though.

  27. Re:They still don't get the difference between cod by chispito · · Score: 1

    After twenty years of problems with code in documents, including some that would wipe out your partition table, they still allow code in a document to execute.

    Except by default "they" do not allow it. You must enable macro support after clicking through warnings. You may also download whatever binary you want and click through the warning advising you the certificate, issued to "Skripty and the Kidz" is not trusted.

    --
    The Daddy casts sleep on the Baby. The Baby resists!
  28. Re:They still don't get the difference between cod by yuna49 · · Score: 1

    At one of my clients, we use MailScanner plus clamd to scan incoming mail. Clamd has a switch to treat all Office files with macros as viruses so they get sent to quarantine. At this particular client no one has the need to exchange macro-enabled Office files so this is an effective defense. Of course, other organizations might have valid uses for such files. I'd solve that by whitelisting particular senders while continuing to ban any other macro-enabled Office documents.

  29. Re:They still don't get the difference between cod by yuna49 · · Score: 2

    At one client's site an end user got such a document. It requested that the recipient click the button to enable active content. Of course someone did just that and promptly got infected. Now we just block all macro-enabled documents with clamd.
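The gateway policy described in the two comments above (quarantine every macro-enabled Office document, except from whitelisted senders) reduced to its parsing core, as an added example that is not code from the thread, from ClamAV or from MailScanner: a modern Office file is a zip package, and VBA code is stored as a `vbaProject.bin` part declared in `[Content_Types].xml`, so a filter can refuse any package carrying one. The sample packages are constructed in memory and are not real documents; legacy binary `.doc`/`.xls` (OLE2) files are outside what this parser handles.

```python
"""Block macro-enabled Office documents at the mail gateway.

Added example, not code from the thread, from ClamAV or from MailScanner.
A modern Office file (.docx/.docm/.xlsm/...) is a zip package, and VBA code
lives in a vbaProject.bin part declared in [Content_Types].xml, so the
gateway can refuse any package carrying one unless the sender is whitelisted.
Legacy binary .doc/.xls (OLE2) files are out of scope for this parser.
"""
import io
import os
import zipfile

# Media type Office assigns to the VBA project part (standard OOXML value).
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Extensions Office itself treats as macro-enabled.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def find_macro_parts(data: bytes) -> list:
    """Return package entries that carry VBA; an empty list means no macros found."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            hits = [n for n in names if n.lower().endswith("vbaproject.bin")]
            # Also honour the manifest: a renamed part still has to be declared there.
            if not hits and "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in manifest:
                    hits.append("[Content_Types].xml declares " + VBA_CONTENT_TYPE)
            return hits
    except zipfile.BadZipFile:
        # Not an OOXML package (legacy binary format, plain text, truncated upload).
        return []


def classify(filename: str, data: bytes, sender: str, allowed_senders=frozenset()) -> tuple:
    """Decide ('deliver' | 'quarantine', reason) for one attachment."""
    macros = find_macro_parts(data)
    ext = os.path.splitext(filename)[1].lower()
    if not macros:
        return ("deliver", "no VBA project in package")
    if ext not in MACRO_EXTENSIONS:
        # VBA inside a non-macro extension is a renamed or tampered file; never whitelist it.
        return ("quarantine", "VBA project inside %s file" % (ext or "extension-less"))
    if sender.lower() in {s.lower() for s in allowed_senders}:
        return ("deliver", "macro document from whitelisted sender")
    return ("quarantine", "macro-enabled document from non-whitelisted sender")


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped package for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        types = ['<?xml version="1.0"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>'
                         % VBA_CONTENT_TYPE)
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed placeholder bytes standing in for the OLE2 VBA stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    allowed = {"payroll@corp.example"}  # constructed whitelist
    for name, doc, sender in [
        ("report.docx", build_sample(False), "anyone@example.test"),
        ("invoice.docm", build_sample(True), "unknown@example.test"),
        ("invoice.docm", build_sample(True), "Payroll@Corp.Example"),
        ("invoice.docx", build_sample(True), "payroll@corp.example"),
    ]:
        print(name, sender, "->", classify(name, doc, sender, allowed))
```

The fourth case is the one worth noticing: a package that carries a VBA project under a `.docx` name is quarantined even from a whitelisted sender, because no legitimate workflow produces it. The clamd switch the earlier comment refers to is, to my knowledge, the `OLE2BlockMacros` option in clamd.conf, which raises a heuristic detection on macro-carrying files that no signature matched; the whitelisting by sender then has to happen in the mail filter layer (MailScanner here), since clamd itself does not know who sent the file.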

  30. Candidates for Darwin Award by CmdrTamale · · Score: 1

    It's evolution in action.