{"id":6321,"date":"2017-01-23T15:50:21","date_gmt":"2017-01-23T23:50:21","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-159\/"},"modified":"2017-01-23T15:50:21","modified_gmt":"2017-01-23T23:50:21","slug":"news-159","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-159\/","title":{"rendered":"Link (.lnk) to Ransom"},"content":{"rendered":"<p>We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransomware leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Ransom:Win32\/ZCryptor.A\" target=\"_blank\">Ransom:Win32\/ZCryptor.A<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<h3>Infection vector<\/h3>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Ransom:Win32\/ZCryptor.A\" target=\"_blank\">Ransom:Win32\/ZCryptor.A<\/a> is distributed through spam email. 
It also gets installed on your machine through other <a href=\"https:\/\/www.microsoft.com\/security\/portal\/enterprise\/threatreports_july_2015.aspx\">macro malware<\/a>*, or through fake installers (such as a Flash Player setup).<\/p>\n<p>Once ZCryptor is executed, it makes sure it runs at start-up by adding a value under the current user's Run key:<\/p>\n<p style=\"padding-left: 30px\">HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/p>\n<p style=\"padding-left: 30px\"><em>zcrypt = {path of the executed malware}<\/em><\/p>\n<p>&nbsp;<\/p>\n<p>It also drops an <em>autorun.inf<\/em> on removable drives and a <em>zcrypt.lnk<\/em> in the start-up folder:<\/p>\n<p style=\"padding-left: 30px\"><em>%User Startup%\\zcrypt.lnk<\/em><\/p>\n<p>...along with a copy of itself as <em>{Drive}:\\system.exe<\/em> and <span class=\"notranslate\"><a title=\"Default location for the variable folder &quot;%APPDATA%&quot;\" href=\"..\/..\/mmpc\/shared\/variables.aspx#appdata\" target=\"_blank\"><em>%APPDATA%<\/em><\/a><\/span><em>\\zcrypt.exe<\/em>, and sets file attributes on these copies so that they are hidden from the user in File Explorer.<\/p>\n<p>For example: <em>c:\\users\\administrator\\appdata\\roaming\\zcrypt.exe<\/em><\/p>\n<h3>Payload<\/h3>\n<p>This ransomware displays the following ransom note to users in a dropped HTML file, <strong>How to decrypt files.html<\/strong>:<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/Z2.png\"><img loading=\"lazy\" decoding=\"async\" width=\"889\" height=\"355\" class=\"alignnone wp-image-7425 \" alt=\"Screenshot of Win32\/ZCryptor.A ransom note\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/Z2-1024x426.png\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>It also targets and encrypts files with the following extensions, and changes the file extension to <em>.zcrypt<\/em> once it is done (for example, &lt;originalfilename&gt;.zcrypt):<\/p>\n<table width=\"351\">\n<tbody>\n<tr>\n<td width=\"89\"><em>.accdb<\/em><\/td>\n<td width=\"91\"><em>.dwg<\/em><\/td>\n<td 
width=\"88\"><em>.odb<\/em><\/td>\n<td width=\"83\"><em>.raf<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.apk<\/em><\/td>\n<td width=\"91\"><em>.dxg<\/em><\/td>\n<td width=\"88\"><em>.odp<\/em><\/td>\n<td width=\"83\"><em>.raw<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.arw<\/em><\/td>\n<td width=\"91\"><em>.emlx<\/em><\/td>\n<td width=\"88\"><em>.ods<\/em><\/td>\n<td width=\"83\"><em>.rtf<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.aspx<\/em><\/td>\n<td width=\"91\"><em>.eps<\/em><\/td>\n<td width=\"88\"><em>.odt<\/em><\/td>\n<td width=\"83\"><em>.rw2<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.avi<\/em><\/td>\n<td width=\"91\"><em>.erf<\/em><\/td>\n<td width=\"88\"><em>.orf<\/em><\/td>\n<td width=\"83\"><em>.rwl<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.bak<\/em><\/td>\n<td width=\"91\"><em>.gz<\/em><\/td>\n<td width=\"88\"><em>.p12<\/em><\/td>\n<td width=\"83\"><em>.sav<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.bay<\/em><\/td>\n<td width=\"91\"><em>.html<\/em><\/td>\n<td width=\"88\"><em>.p7b<\/em><\/td>\n<td width=\"83\"><em>.sql<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.bmp<\/em><\/td>\n<td width=\"91\"><em>.indd<\/em><\/td>\n<td width=\"88\"><em>.p7c<\/em><\/td>\n<td width=\"83\"><em>.srf<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.cdr<\/em><\/td>\n<td width=\"91\"><em>.jar<\/em><\/td>\n<td width=\"88\"><em>.pdb<\/em><\/td>\n<td width=\"83\"><em>.srw<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.cer<\/em><\/td>\n<td width=\"91\"><em>.java<\/em><\/td>\n<td width=\"88\"><em>.pdd<\/em><\/td>\n<td width=\"83\"><em>.swf<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.cgi<\/em><\/td>\n<td width=\"91\"><em>.jpeg<\/em><\/td>\n<td width=\"88\"><em>.pdf<\/em><\/td>\n<td width=\"83\"><em>.tar<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.class<\/em><\/td>\n<td width=\"91\"><em>.jpg<\/em><\/td>\n<td width=\"88\"><em>.pef<\/em><\/td>\n<td width=\"83\"><em>.tar<\/em><\/td>\n<\/tr>\n<tr>\n<td 
width=\"89\"><em>.cpp<\/em><\/td>\n<td width=\"91\"><em>.jsp<\/em><\/td>\n<td width=\"88\"><em>.pem<\/em><\/td>\n<td width=\"83\"><em>.txt<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.cr2<\/em><\/td>\n<td width=\"91\"><em>.kdc<\/em><\/td>\n<td width=\"88\"><em>.pfx<\/em><\/td>\n<td width=\"83\"><em>.vcf<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.crt<\/em><\/td>\n<td width=\"91\"><em>.log<\/em><\/td>\n<td width=\"88\"><em>.php<\/em><\/td>\n<td width=\"83\"><em>.wb2<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.crw<\/em><\/td>\n<td width=\"91\"><em>.mdb<\/em><\/td>\n<td width=\"88\"><em>.png<\/em><\/td>\n<td width=\"83\"><em>.wmv<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.dbf<\/em><\/td>\n<td width=\"91\"><em>.mdf<\/em><\/td>\n<td width=\"88\"><em>.ppt<\/em><\/td>\n<td width=\"83\"><em>.wpd<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.dcr<\/em><\/td>\n<td width=\"91\"><em>.mef<\/em><\/td>\n<td width=\"88\"><em>.pptx<\/em><\/td>\n<td width=\"83\"><em>.xls<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.der<\/em><\/td>\n<td width=\"91\"><em>.mp4<\/em><\/td>\n<td width=\"88\"><em>.psd<\/em><\/td>\n<td width=\"83\"><em>.xlsx<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.dng<\/em><\/td>\n<td width=\"91\"><em>.mpeg<\/em><\/td>\n<td width=\"88\"><em>.pst<\/em><\/td>\n<td width=\"83\"><em>.xml<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.doc<\/em><\/td>\n<td width=\"91\"><em>.msg<\/em><\/td>\n<td width=\"88\"><em>.ptx<\/em><\/td>\n<td width=\"83\"><em>.zip<\/em><\/td>\n<\/tr>\n<tr>\n<td width=\"89\"><em>.docx<\/em><\/td>\n<td width=\"91\"><em>.nrw<\/em><\/td>\n<td width=\"88\"><em>.r3d<\/em><\/td>\n<td width=\"83\"><em>.3fr<\/em><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>Infected machines have been observed to hold a <em>zcrypt1.0<\/em> mutex. The malware uses this mutex to detect that an instance of the ransomware is already running on the infected machine.<\/p>\n<p>We have also seen a connection to the following URL. 
However, the domain was already down when we tested:<\/p>\n<p><em>http:\/\/&lt;obfuscated&gt;\/rsa\/rsa.php?computerid={Computer_ID}<\/em>, where {Computer_ID} is an identifier stored in the dropped file <span class=\"notranslate\"><a title=\"Default location for the variable folder &quot;%APPDATA%&quot;\" href=\"..\/..\/mmpc\/shared\/variables.aspx#appdata\" target=\"_blank\"><em>%APPDATA%<\/em><\/a><\/span><em>\\cid.ztxt<\/em><\/p>\n<p>For example, <em>c:\\users\\administrator\\appdata\\roaming\\cid.ztxt<\/em><\/p>\n<h3>Prevention<\/h3>\n<p>To help stay protected:<\/p>\n<ul>\n<li>Keep your Windows operating system and antivirus <a href=\"http:\/\/www.microsoft.com\/security\/portal\/mmpc\/help\/updatesoftware.aspx\">up to date<\/a>. Upgrade to <a href=\"https:\/\/www.microsoft.com\/en-us\/windows\/windows-10-upgrade\">Windows 10<\/a>.<\/li>\n<li>Regularly back up your files to an external hard drive<\/li>\n<li>Enable File History or System Protection. On Windows 10 and Windows 8.1 devices, File History must be enabled and you have to <a href=\"https:\/\/support.microsoft.com\/en-au\/help\/17128\/windows-8-file-history\" target=\"_blank\">set up a drive for File History<\/a><\/li>\n<li>Use OneDrive for Business<\/li>\n<li>Beware of <a href=\"https:\/\/blogs.technet.microsoft.com\/office365security\/how-to-review-and-mitigate-the-impact-of-phishing-attacks-in-office-365\/\">phishing emails<\/a>, spam, and clicking malicious attachments<\/li>\n<li><a href=\"https:\/\/blogs.windows.com\/msedgedev\/2015\/12\/16\/smartscreen-drive-by-improvements\/\">Use Microsoft Edge to get SmartScreen protection<\/a>. 
It will prevent you from browsing sites that are known to host exploits, and protect you from socially engineered attacks such as phishing and malware downloads.<\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/02\/24\/locky-malware-lucky-to-avoid-it\/\">Disable the loading of macros in your Office programs<\/a><\/li>\n<li>Disable Remote Desktop whenever possible<\/li>\n<li>Use two-factor authentication<\/li>\n<li>Use a safe internet connection<\/li>\n<li>Avoid browsing web sites that are known for being malware breeding grounds (illegal download sites, porn sites, etc.)<\/li>\n<\/ul>\n<h3>Detection<\/h3>\n<ul>\n<li>Install, use, and regularly update an antivirus solution like <a href=\"http:\/\/www.microsoft.com\/security\/pc-security\/windows-defender.aspx\">Windows Defender<\/a> to detect ransomware.<\/li>\n<li>Enable <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2015\/01\/14\/maps-in-the-cloud-how-can-it-help-your-enterprise\/\">Microsoft Active Protection Service (MAPS)<\/a> to get the latest cloud-based ransomware detection and blocking.<\/li>\n<\/ul>\n<h3>Recovery<\/h3>\n<p>In Office 365\u2019s <a href=\"https:\/\/blogs.technet.microsoft.com\/office365security\/how-to-deal-with-ransomware\/\">How to deal with ransomware<\/a> blog post, there are several options for remediating or recovering from a ransomware attack. Here are a few that apply to home users and to those who work in the information industry:<\/p>\n<ol>\n<li>Make sure you have backed up your files.<\/li>\n<li>Recover the files on your device. 
If you have previously turned <strong>File History<\/strong> on in Windows 10 and Windows 8.1 devices or System Protection in Windows 7 and Windows Vista devices, you can (in some cases) recover your local files and folders.<\/li>\n<\/ol>\n<h4><em>To restore your files or folders in Windows 10 and Windows 8.1:<\/em><\/h4>\n<ul>\n<li>Swipe in from the right edge of the screen, tap <strong>Search<\/strong> (or if you\u2019re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search). Enter \u201c<em>restore your files<\/em>\u201d in the search box, and then tap or click <strong>Restore your files with File History<\/strong>.<\/li>\n<li>Enter the name of file you\u2019re looking for in the search box, or use the left and right arrows to browse through different versions of your folders and files.<\/li>\n<li>Select what you want to restore to its original location, and then tap or click the <strong>Restore<\/strong> button. If you want to restore your files onto a different location than the original, press and hold, or right-click the <strong>Restore<\/strong> button, tap or click <strong>Restore To<\/strong>, and then choose a new location.<\/li>\n<\/ul>\n<p><em>Source: <\/em><a href=\"http:\/\/windows.microsoft.com\/en-US\/windows-8\/how-use-file-history\"><em>Restore files or folders using File History<\/em><\/a><\/p>\n<h4><em>To restore your files in Windows 7 and Windows Vista<\/em><\/h4>\n<ul>\n<li>Right-click the file or folder, and then click <strong>Restore<\/strong> previous versions. You\u2019ll see a list of available previous versions of the file or folder. The list will include files saved on a backup (if you\u2019re using Windows Backup to back up your files) as well as restore points. Note: To restore a previous version of a file or folder that\u2019s included in a library, right-click the file or folder in the location where it\u2019s saved, rather than in the library. 
For example, to restore a previous version of a picture that\u2019s included in the Pictures library but is stored in the <strong>My Pictures<\/strong> folder, right-click the <strong>My Pictures<\/strong> folder, and then click <strong>Restore previous versions<\/strong>. For more information about libraries, see Include folders in a library.<\/li>\n<li>Before restoring a previous version of a file or folder, select the previous version, and then click <strong>Open<\/strong> to view it to make sure it\u2019s the version you want. Note: You can\u2019t open or copy previous versions of files that were created by Windows Backup, but you can restore them.<\/li>\n<li>To restore a previous version, select the previous version, and then click <strong>Restore<\/strong>.<\/li>\n<\/ul>\n<p>Warning: The file or folder will replace the current version on your computer, and the replacement cannot be undone. Note: If the <strong>Restore<\/strong> button isn\u2019t available, you can\u2019t restore a previous version of the file or folder to its original location. However, you might be able to open it or save it to a different location.<\/p>\n<p><em>Source: <\/em><a href=\"http:\/\/windows.microsoft.com\/en-us\/windows\/previous-versions-files-faq\"><em>Previous versions of files: frequently asked questions <\/em><\/a><\/p>\n<p><strong>Important<\/strong>: Some ransomware will also encrypt or delete the backup versions and will not allow you to do the actions described before. 
If this is the case, you need to rely on backups in external drives (not affected by the ransomware) or OneDrive (Next step).<\/p>\n<p><strong><em>Warning<\/em><\/strong><em>: If the folder is synced to OneDrive and you are not using the latest version of Windows, there might be some limitations using File History.<\/em><\/p>\n<ol>\n<li>Recover your files in your OneDrive for Consumer\n<ul>\n<li><a href=\"https:\/\/support.office.com\/en-us\/article\/Find-lost-or-missing-files-in-OneDrive-0d929e0d-8682-4295-982b-4bd75a3daa01\">Find lost or missing files in OneDrive<\/a><\/li>\n<li><a href=\"https:\/\/support.office.com\/en-us\/article\/Delete-or-restore-files-and-folders-949ada80-0026-4db3-a953-c99083e6a84f\">Delete or restore files and folders<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Recover your files in your OneDrive for Business<\/li>\n<\/ol>\n<p style=\"padding-left: 30px\">If you use OneDrive for Business, it will allow you to recover any files you have stored in it. You can use either of the following options:<\/p>\n<h4 style=\"padding-left: 30px\"><em>Restore your files using the Portal<\/em><\/h4>\n<p style=\"padding-left: 30px\">Users can restore previous version of the file through the user interface. To do this you can:<\/p>\n<p style=\"padding-left: 60px\">1. Go to <strong>OneDrive for Business<\/strong> in the office.com portal<\/p>\n<p style=\"padding-left: 60px\">2. Right click the file you want to recover, and select <strong>Version History.<\/strong><\/p>\n<p style=\"padding-left: 60px\">3. 
Click the dropdown list of the version you want to recover and select restore<\/p>\n<p>&nbsp;<\/p>\n<p style=\"padding-left: 30px\">If you want to learn more about this feature, take a look at the <a href=\"https:\/\/support.office.com\/en-us\/article\/Restore-a-previous-version-of-a-document-in-OneDrive-for-Business-159cad6d-d76e-4981-88ef-de6e96c93893\">Restore a previous version of a document in OneDrive for Business<\/a> support article.<\/p>\n<h4 style=\"padding-left: 30px\"><em>Create a Site Collection Restore service request<\/em><\/h4>\n<p style=\"padding-left: 30px\">If a large number of files were impacted, using the user interface in the portal will not be a viable option. In this case, create a support request for a \u2018Site Collection Restore\u2019. This request can restore up to 14 days in the past. To learn how to do this please take a look at the <a href=\"https:\/\/blogs.technet.microsoft.com\/akieft\/2012\/01\/09\/restore-options-in-sharepoint-online\/\">Restore Option in SharePoint Online<\/a> blog post.<\/p>\n<p><em>\u00a0<\/em><\/p>\n<p>*Related macro malware information:<\/p>\n<ul>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/05\/17\/malicious-macro-using-a-sneaky-new-trick\/\">Malicious macro using a sneaky new trick<\/a><\/li>\n<li><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/03\/22\/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection\/\">New feature in Office 2016 can block macros and help prevent infection<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/enterprise\/threatreports_july_2015.aspx\">Threat intel on macro malware<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/macromalware.aspx\">Macro malware<\/a><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><em>Edgardo Diaz and Marianne Mallen<\/em><\/p>\n<p><em>Microsoft Malware Protection Center (MMPC)<\/em><\/p>\n<p><a 
href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/05\/26\/link-lnk-to-ransom\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/05\/26\/link-lnk-to-ransom\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransomware leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as Ransom:Win32\/ZCryptor.A. &#160; Infection vector Ransom:Win32\/ZCryptor.A is distributed through spam email. It also gets installed on your machine through&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[10760,10883,10896,10897,10898,3765,10885,10888,10889,10899,10900,10762,10901,10902,10903],"class_list":["post-6321","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-antimalware-research-for-it-pros-and-enthusiasts","tag-detect-ransomware","tag-macro-malware","tag-onedrive-backup","tag-prevent-ransomware","tag-ransomware","tag-ransomware-detection","tag-ransomware-prevention","tag-ransomware-recovery","tag-recover-from-ransomware-attack","tag-spam-email-infection-vector","tag-windows-defender","tag-worm","tag-worm-like-ransomware","tag-wormable-ransomware"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6321","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\
/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6321"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6321\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6321"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6321"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6321"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
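The Infection vector and Payload sections above list a compact set of host indicators for Ransom:Win32/ZCryptor.A (the HKCU Run value named zcrypt, zcrypt.lnk in the start-up folder, zcrypt.exe and cid.ztxt under %APPDATA%, autorun.inf plus system.exe on removable drives, the How to decrypt files.html note, the .zcrypt extension, the zcrypt1.0 mutex and the /rsa/rsa.php?computerid= check-in). The script below is an added example and not part of the MMPC post: a read-only PowerShell sweep that checks one user profile for those indicators and scans proxy log lines for the check-in URL. Indicator names and paths are taken from the post; the function names, parameter names, the choice to try both the session-local and Global\ mutex namespaces, and the sample log lines are this example's own assumptions. It needs PowerShell 3.0 or later (Get-CimInstance) and .NET 4.5 or later (Mutex.TryOpenExisting), and should be run as the user whose profile is being checked.

```powershell
# Added example (not from the original MMPC post): read-only sweep for the
# ZCryptor indicators described in the post. Function and parameter names, the
# mutex-namespace handling and the sample log lines are this example's own.

function Find-ZCryptorIndicators {
    [CmdletBinding()]
    param(
        [string]$StartupFolder = [Environment]::GetFolderPath('Startup'),
        [string]$AppData       = $env:APPDATA,
        [string]$UserProfile   = $env:USERPROFILE
    )
    $hits = New-Object 'System.Collections.Generic.List[string]'

    # 1. Run-key persistence: value "zcrypt" under HKCU\...\CurrentVersion\Run.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'zcrypt' -ErrorAction SilentlyContinue
    if ($run) { $hits.Add("Run key: zcrypt = $($run.zcrypt)") }

    # 2. Dropped files in the profile. -Force is needed because the post says the
    #    malware sets attributes that hide its copies in File Explorer.
    $dropped = @((Join-Path $StartupFolder 'zcrypt.lnk'),
                 (Join-Path $AppData 'zcrypt.exe'),
                 (Join-Path $AppData 'cid.ztxt'))
    foreach ($p in $dropped) {
        if (Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue) {
            $hits.Add("Dropped file: $p")
        }
    }

    # 3. Removable-drive propagation: autorun.inf and system.exe in the drive root.
    #    Win32_LogicalDisk DriveType 2 = removable disk.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue |
        ForEach-Object {
            foreach ($name in 'autorun.inf', 'system.exe') {
                $p = Join-Path $_.DeviceID $name
                if (Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue) {
                    $hits.Add("Removable drive: $p")
                }
            }
        }

    # 4. Ransom note and renamed files under the profile (first five .zcrypt paths
    #    only, to keep the output short on a heavily encrypted host).
    $note = Get-ChildItem -Path $UserProfile -Filter 'How to decrypt files.html' -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($note) { $hits.Add("Ransom note: $($note.FullName)") }
    Get-ChildItem -Path $UserProfile -Filter '*.zcrypt' -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object -First 5 |
        ForEach-Object { $hits.Add("Encrypted file: $($_.FullName)") }

    # 5. Running instance: the zcrypt1.0 mutex. The post does not say which namespace
    #    it lives in, so the session-local and the Global\ name are both tried (assumption).
    foreach ($name in 'zcrypt1.0', 'Global\zcrypt1.0') {
        $mutex = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$mutex)) {
                $hits.Add("Mutex present: $name")
                $mutex.Dispose()
            }
        } catch [System.UnauthorizedAccessException] {
            # The mutex exists but this account cannot open it: still a hit.
            $hits.Add("Mutex present (access denied): $name")
        }
    }
    return $hits
}

function Find-ZCryptorCheckIn {
    param([string[]]$LogLines)
    # The post reports http://<obfuscated>/rsa/rsa.php?computerid={Computer_ID}.
    # Matching on path and parameter rather than host survives the domain changing.
    $pattern = '/rsa/rsa\.php\?computerid=(?<cid>[^\s&"]+)'
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            [pscustomobject]@{ ComputerId = $Matches['cid']; Line = $line }
        }
    }
}

# Constructed sample proxy lines (not real traffic): one check-in, one benign request.
$sampleLog = @(
    '2016-05-26 10:14:02 10.0.0.12 GET http://example.invalid/rsa/rsa.php?computerid=0F3A9C 200',
    '2016-05-26 10:14:05 10.0.0.12 GET http://example.invalid/index.html 200'
)
Find-ZCryptorCheckIn -LogLines $sampleLog | Format-Table -AutoSize
Find-ZCryptorIndicators | ForEach-Object { Write-Warning $_ }
```

The sweep only reports; it removes nothing, so a hit on the Run value or the start-up .lnk is a prompt to isolate the host and pull the referenced executable for analysis rather than to clean in place. Two caveats a practitioner should keep in mind: the ransom note and the .zcrypt renames appear only after encryption has started, so the Run value, zcrypt.lnk and the mutex are the indicators that fire earliest; and since Windows 7 (and on earlier versions with update KB971029) Windows no longer honours autorun.inf on USB storage, so the dropped autorun.inf mainly catches users who launch system.exe themselves, although the files are still worth sweeping for because they show which drives the sample touched.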