According to a recent report on ransomware attacks, the new ZCRYPT ransomware family only targets systems running newer versions of Windows, specifically Windows 7 and later. Is ZCRYPT deliberately cutting off older operating systems, or is it just poorly written malware? The writers behind the new ZCRYPT ransomware family have either scrapped support for Windows XP or did a sloppy job in creating it.
Exclusive Crypto-ransomware statement by Trend Micro:
When we came across ZCRYPT it first appeared to be a fairly nondescript threat. It encrypts the user’s files and uses the .ZCRYPT extension as its marker. It is capable of encrypting the following file formats:
.zip, .mp4, .avi, .wmv, .swf, .pdf, .sql, .txt, .jpeg, .jpg, .png, .bmp, .psd, .doc, .docx, .rtf, .xls, .xlsx, .odt, .ppt, .pptx, .xml, .cpp, .php, .aspx, .html, .mdb, .3fr, .accdb, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .dbf, .dcr, .der, .dng, .dwg, .dxg, .eps, .erf, .indd, .kdc, .mdf, .mef, .nrw, .odb, .odp, .ods, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .pst, .ptx, .r3d, .raf, .raw, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .tar, .jsp, .mpeg, .msg, .log, .cgi, .jar, .class, .java, .bak, .pdb, .apk, .sav, .tar.gz, .emlx, .vcf
It makes the usual threats of deleting the files if the victim doesn’t pay up within a week. Ransom is set at 1.2 BTC (approximately 500 US dollars), with the ransom going up to 5 BTC (approximately 2,200 US dollars) after four days.
However, what it can do in systems with Windows 7 and later, it only tries with other systems. According to our analysis, it fails to either encrypt the files properly or display the ransom note when launched in an older version of Windows, such as Windows XP. The malware calls a function which does not exist in earlier versions of Windows; this breaks it for the older operating systems.
Interestingly, this particular family also tried to spread via USB flash disks: it plants a copy of itself onto removable drives. This is relatively unusual in crypto-ransomware; back in December of 2013 we identified a CryptoLocker variant which behaved similarly. It never seems to have caught on, however. Crypto-ransomware authors seem to be satisfied with distributing their wares via the most common means: malvertising and spam.
C&C Servers
The domain name of the command-and-control (C&C) server was poiuytrewq.ml, a reversal of qwertyuiop. This is the top alphabetical row on a standard QWERTY keyboard. The top-level domain .ml is assigned to Mali; registrations for domains under this TLD were given away for free starting in April 2013. (URLs that hosted ZCRYPT variants were also hosted on .ml domains.)
The threat actor also enjoyed free anonymity because the domain registration masked the actual identity of the registrant. The C&C domain is already tagged “canceled, suspended, refused, or reserved”.
Industry Practices
Backing up is still the best defense against crypto-ransomware; the 3-2-1 rule ensures that users still have a copy of their data even if they are affected by similar threats. We strongly advise against paying the ransom; this only ensures that the threat will continue to become bigger and bigger.
Trend Micro says NO to ransomware. We strongly advise users not to pay ransom demands as it fuels cybercrime and promotes further propagation of ransomware.
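A small incident-response triage helper built from the details in the Trend Micro statement above (the `.ZCRYPT` marker extension and the published target-extension list). It is an added example, not Trend Micro's tooling: it maps each marked file back to its original extension (handling the two-part `.tar.gz` entry and the upper-case marker), counts affected files per type, and flags any encrypted file whose original extension is outside the published list. The sample paths are constructed.

```python
import ntpath
from collections import Counter

# Target extensions as listed in the statement above.
TARGET_EXTENSIONS = set(
    ".zip .mp4 .avi .wmv .swf .pdf .sql .txt .jpeg .jpg .png .bmp .psd .doc .docx "
    ".rtf .xls .xlsx .odt .ppt .pptx .xml .cpp .php .aspx .html .mdb .3fr .accdb "
    ".arw .bay .cdr .cer .cr2 .crt .crw .dbf .dcr .der .dng .dwg .dxg .eps .erf "
    ".indd .kdc .mdf .mef .nrw .odb .odp .ods .orf .p12 .p7b .p7c .pdd .pef .pem "
    ".pfx .pst .ptx .r3d .raf .raw .rw2 .rwl .srf .srw .wb2 .wpd .tar .jsp .mpeg "
    ".msg .log .cgi .jar .class .java .bak .pdb .apk .sav .tar.gz .emlx .vcf".split()
)
MARKER = ".zcrypt"  # extension appended to encrypted files (matched case-insensitively)

def original_extension(name):
    """Return the original extension of a .zcrypt-marked file name, preferring the
    longest match in the target list so 'a.tar.gz.zcrypt' yields '.tar.gz', not '.gz'.
    Returns None for files that do not carry the marker, '' if no extension remains."""
    lower = name.lower()
    if not lower.endswith(MARKER):
        return None
    parts = lower[:-len(MARKER)].split(".")
    for i in range(1, len(parts)):           # try '.tar.gz' before '.gz'
        candidate = "." + ".".join(parts[i:])
        if candidate in TARGET_EXTENSIONS:
            return candidate
    return "." + parts[-1] if len(parts) > 1 else ""

def triage(paths):
    """Summarise marked files: total, count per original extension, and the
    paths whose original extension is not in the published target list."""
    per_ext, unexpected = Counter(), []
    for path in paths:
        ext = original_extension(ntpath.basename(path))
        if ext is None:
            continue                          # untouched file
        per_ext[ext] += 1
        if ext not in TARGET_EXTENSIONS:
            unexpected.append(path)
    return {"encrypted": sum(per_ext.values()),
            "per_ext": dict(per_ext), "unexpected": unexpected}

# Constructed sample listing, not from a real infection.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.zcrypt",
    r"C:\Users\alice\Pictures\IMG_0001.JPG.ZCRYPT",
    r"E:\backup\site.tar.gz.zcrypt",
    r"C:\Users\alice\Documents\notes.txt",        # untouched
    r"C:\Users\alice\odd.xyz.zcrypt",             # type outside the list
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```

Run it against a directory listing taken from an affected host; a non-empty `unexpected` list means the sample on that host differs from the described variant and deserves a closer look.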