Ransom:Win32/ZCryptor.A

Installation

Ransom:Win32/ZCryptor.A  is distributed through the spam email infection vector. It also gets installed in your machine through other macro malware*, or fake installers (Flash Player setup).

Once ZCryptor is executed, it will make sure it runs at start-up:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

zcrypt = {path of the executed malware}

It will also drop these files in the %appdata% folder:

• cid.ztxt - unique user ID
• private.key - points to a key that is unavailable at the moment.
• public.key - points to a key that is unavailable at the moment.

It has worm self-replicating behavior that will also enumerate network drives, logical drives.

It also attempts to drops an autorun.inf file in removable drives, a zycrypt.lnk in the start-up folder:

%User Startup%\zcrypt.lnk

..along with a copy of itself as {Drive}:\system.exe and %appdata%\zcrypt.exe, and changes the file attributes to hide itself from the user in file explorer.

For example: c:\users\administrator\appdata\roaming\zcrypt.exe

Payload

Encrypts files

After it executes, this ransomware encrypts the following file types with the following extension, and changes the file extension to .zcrypt once it is done (for example,<originalfilename.zcrypt>):

This ransomware will display the following ransom note to users in a dropped HTML file How to decrypt files.html:

Figure 1: Screenshot of the ransom note. 

Connects to a remote host

We have also seen this ransomware connect to the following URL. However, the domain is already down when we were testing:

http://<obfuscated>/rsa/rsa.php?computerid={Computer_ID} where the {Computer_ID} is entry found inside a dropped file %AppData%\cid.ztxt

For example, c:\users\administrator\appdata\roaming\cid.ztxt 

Creates a mutex

Infected machines are noticed to have zcrypt1.0 mutex. The mutex denotes that an instance of this ransomware is already running in the infected machine.

Analysis by: Edgardo Diaz and  Marianne Mallen