Microsoft has released an alert today warning about a new ransomware variant called ZCryptor, which comes with the ability to self-propagate via removable and network drives.
A security researcher named Jack, behind the MalwareForMe blog, first discovered and wrote about this threat on May 24. Three days later, Microsoft's security team also took note of the new wave of infections.
“We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior,” Microsoft's Malware Protection Center alert reads. “This ransom leverages removable and network drives to propagate itself and affect more users.”
ZCryptor spread via macro malware and fake Flash updaters
The company says that crooks use fake installers, usually for Adobe Flash, along with macro-based booby-trapped Office files to distribute the ZCryptor ransomware.
Once the user installs the fake Adobe Flash update or allows an Office file to run macros, the ZCryptor ransomware is installed on the user's computer.
The first thing the ransomware does is gain persistence across PC restarts by adding a key to the computer's registry. After this, it starts to encrypt files.