Microsoft Warns of ZCryptor Ransomware With Self-Propagation Features

An anonymous reader writes from a report issued by Softpedia on May 27: Microsoft and several other security researchers have detected the first ransomware versions that appears to have self-propagation features, being able to spread to other machines on its own by copying itself to shared network drives or portable storage devices automatically. Called ZCryptor, this ransomware seems to enjoy quite the attention from crooks, who are actively distributing today via Flash malvertising and boobytrapped Office files that infect the victim if he enables macro support when opening the file. This just seems to be the latest addition to the ransomware family, one which recently received the ability to launch DDoS attacks while locking the user's computer.

Microsoft would know

They're the king of ransomware, forcing Windows 10 installations.

Ahhhh

[Adambomb]

Good old retro boot sector viruses.

They still don't get the difference between code..

and data. After twenty years of problems with code in documents, including some that would wipe-out your partition table, they still allow code in a document to execute.

Also, this might be the first malware that infected network files, but it certainly isn't the first to affect Office documents. We've been hit several dozen times.

Block all Adverts now to protect yourself.

[Lumpy]

More proof that everyone should be using an adblocker to keep their computer and friends computers safe.

Dear website owners.... WAHH about your lost revenue. start hosting the ad's on your own servers and VET THEM to be safe and not an attack vector.

Pray to whatever god you worship

[millertym]

This stuff is nasty.

1- Have spotless offline backups of everything
2- Lock down share permissions
3- Lock down admins on permissions domain level
4- Lock down admins on local machine level
5- Pray

I had to deal with this garbage once earlier this year on a custom domain with awful permissions management. It was bad enough from a single source\spread to shares perspective. I can't imagine the damn thing acting like a worm at the same time. Potentially career ending because 1- your enterprise gets owned so hard and 2- you never want to touch a computer again once you have to try to clean it up.

Re:Pray to whatever god you worship

There is an additional step you want to consider in an enterprise. Notice from the write-up that this one adds itself to the RUN key to ensure persistence. Most malware / crapware that isn't root kit style does this. The key "HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run" should be set to require administrator access to change. That simple change prevents this from getting persistence (and, depending on how the author wrote it, may cause it to fail to encrypt - as you notice the writeup says that setting this key is the first thing it does).

Re:Pray to whatever god you worship

Let me tell you what it's like working in infosec in a large organization.

Me: We need to remove some of these global admin accounts, they can access literally everything, change group policy, delete all 500+ of our file servers around the globe.
Manager: No we need meetings to do this and a change request process and team to make sure all the players are onboard. Also we cannot spend any money doing this, cannot schedule any employee hours to do this so you'll be doing it on your own time without getting paid. If anything at all goes even the slightest bit wrong, we'll blame you.
High level manager: I'm not giving up my access to everything
Manager: okay so Anonymous Coward you can remove all of the 'extra' global admin accounts besides the ones on this list
(Some giant disaster happens because some Director of Finance or something downloaded malware and then logged into the domain with his global admin account)
Manager: WHAT THE FUCK ANONYMOUS COWARD, HOW COULD YOU HAVE LET THIS HAPPEN?

Me: we need to implement security policy X (example: no badge access to data rooms unless you're a sysadmin or otherwise need it)
Manager: No we need meetings to do this and a change request process and team to make sure all the players are onboard. Also we cannot spend any money doing this, cannot schedule any employee hours to do this so you'll be doing it on your own time without getting paid. If anything at all goes even the slightest bit wrong, we'll blame you.
High level manager: What do you mean I won't have badge access to the server room? I'm the warehouse manager, my job has nothing to do with IT or servers, but my badge HAS to work on that door because I AM THE MANAGER!
Manager: okay so Anonymous Coward you can remove badge access to all the 'extra' badges besides the ones on this list
(Some giant disaster happens because the Warehouse Manager badged into the server room, unplugged all four network cables on the production server and then drove home while everything had a meltdown)
Manager: WHAT THE FUCK ANONYMOUS COWARD HOW COULD YOU HAVE LET THIS HAPPEN?

maybe its time to put msoffice into a VM?

[TheGratefulNet]

a VM can be contained pretty well. I was used to installing office on my local pc, but now I'm starting to think its going to be safer inside a VM and I'll just run the VM for the few times I have to actually edit word docs. viewing them is ok on libreoffice or similar, but I would not use the free versions to edit ms docs (sigh).

Re:maybe its time to put msoffice into a VM?

[campuscodi]

Or use OpenOffice or LibreOffice instead. Heck, even Google Docs is better now.

Re:maybe its time to put msoffice into a VM?

How does this help, if the malware spreads via network shares? If the Office has access to the shares, which is quite handy for editing files in them, it is also possible for it to spread the malware.

BREAKING NEWS

BREAKING NEWS: Microsoft warns about a new self-installing malware called "Windows 10"

Re: I heard

[cbiltcliffe]

Angry much?

Of course he is. He got force upgraded to Windows 10.

Yet another reason

[FrozenGeek]

not to use flash. I understand that there are many companies with a significant investment in flash-based code. But flash has proven to be a persistent security hole. HTML 5 is a viable alternative to flash. time for those companies to suck it up.

Re: A permanent solution

[mspohr]

Might be easier to just install Linux.

Re:They still don't get the difference between cod

[yuna49]

At one client's site an enduser got such a document. It requested that the recipient click the button to enable active content. Of course someone did just that and promptly got infected. Now we just block all macro-enabled documents with clamd.