Most malware samples these days are what are known as Trojans, short for “Trojan Horses”.
These programs seem harmless on the surface, but have nasty surprises hidden inside.
Trojans don’t get around by themselves; they have to be delivered somehow, typically by email or via a booby-trapped web page.
Twenty years ago, however, most malware samples were viruses, meaning that they were programmed to spread on their own, like a viral infection, typically by copying themselves to other files or directories they could find.
That included other computers on your network, if you had one, and removable storage devices (or “floppy disks,” as they were known in the 1990s).
Self-spreading malware has one important advantage for the crooks: they don’t have to keep on spamming out attachments or dangerous links because viruses get a life of their own once they’re out and about.
As a result, viruses may well spread further and last longer, not least because infections inside an organization that aren’t stamped out completely may keep reappearing, sometimes for years.
Of course, the act of self-spreading is one more way for malware to draw attention to itself, so in today’s always-connected world, it’s a technique that’s not seen much anymore.
Nevertheless, self-spreading ransomware has been tried by cybercriminals before.
Presumably, their hope was that multiple infections inside a business, or on a home network, would therefore be more likely.
Most ransomware generates a unique encryption key for each computer it attacks, so there’s no shortcut if several computers inside your company get hit.
You need to buy a unique unlock code for each one of them.
Moving around inside your network seems to be the aim of this new ransomware sample, which Sophos products detect and block as Troj/Agent-ARXC and Troj/Mdrop-HGD.
The good news is that we haven’t seen much evidence of it in the wild, so it doesn’t seem to be spreading very effectively, despite being a virus.
Like a lot of ransomware, we’ve seen this one “promoted” via email.
If you open up the file, the ransomware runs, scrambling any files it can find with extensions from a lengthy list, including archives, images, videos, documents, spreadsheets and even programming projects.
The ransomware then displays its “pay page,” making sure you know how to buy back the decryption key to unscramble your data.
Bitcoins have surged a bit in value over the past few days since this malware appeared, so the bill you’ll face (BTC1.2) is more like $640 currently.
As well as scrambling your precious files, this ransomware also makes copies of itself onto writable network shares and removable drives it finds, presumably hoping that someone else might open the infected file later on.
The dropped file is called zcrypt.lnk, and it is accompanied by an autorun.inf that attempts to load it automatically when a user inserts the infected device or browses to an infected network share.
This is something of a blast from the past, because “Autorun” on removable drives has been turned off by default on Windows computers for years, so the risk of unexpected infection this way can be considered low.
Nevertheless, if you’re a system administrator, it’s worth checking that AutoRun really is turned off on all your computers, most likely by using Group Policy.
The malware also adds itself to the AppData\Roaming directory, which is automatically replicated onto other computers you use on the same network, meaning that this virus can literally follow you around.
SophosLabs, an IT security firm, suggests the following to protect yourself against this and other malware threats:
· Use a web filter to block untrustworthy links.
· Use an email filter to block untrustworthy messages.
· Apply common sense when faced with invoices and other messages you weren’t expecting.
· Don’t open .ZIP files or run .EXE files from unknown sources.
· Use Group Policy to make sure Autorun is turned off everywhere.
· Make regular backups, including keeping off-site copies.
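The article twice recommends confirming that AutoRun is off (the administrator check above and the Group Policy bullet in the list). Below is an added example of how an administrator might verify that on a single machine; it is not from the article or from Sophos. It reads the NoDriveTypeAutoRun policy value, which is the registry value that the Group Policy setting “Turn off AutoPlay” writes: a bitmask of drive types for which AutoRun is suppressed, with 0xFF (all bits set) meaning every drive type. Modern Windows already ignores autorun.inf on non-optical drives by default, but the explicit policy value is what you can audit across a fleet.

```powershell
# Added example, not part of the original article: report whether AutoRun is
# disabled by policy for all drive types on this machine.
# NoDriveTypeAutoRun is a bitmask of drive types with AutoRun suppressed;
# 0xFF covers every drive type and is what "Turn off AutoPlay: All drives" sets.
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',  # machine-wide policy
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'   # per-user policy
)

function Test-AutoRunDisabled {
    param([string[]]$Paths)

    foreach ($path in $Paths) {
        $value = $null
        if (Test-Path -LiteralPath $path) {
            # Missing value is reported as $null rather than raising an error
            $value = (Get-ItemProperty -LiteralPath $path -Name 'NoDriveTypeAutoRun' `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }

        [pscustomobject]@{
            Path     = $path
            Value    = if ($null -eq $value) { 'not set' } else { '0x{0:X2}' -f $value }
            # Disabled for all drive types only if every bit in the low byte is set
            Disabled = ($null -ne $value) -and (($value -band 0xFF) -eq 0xFF)
        }
    }
}

$report = Test-AutoRunDisabled -Paths $policyPaths
$report | Format-Table -AutoSize

# The machine-wide (HKLM) value is the one Group Policy normally manages;
# warn if it is absent or does not cover all drive types.
$machine = $report | Where-Object { $_.Path -like 'HKLM:*' }
if (-not $machine.Disabled) {
    Write-Warning 'AutoRun is not disabled for all drive types by machine policy; set "Turn off AutoPlay" to "All drives" in Group Policy.'
}
```

Run it in an elevated PowerShell session on a domain-joined workstation after a Group Policy refresh; across a fleet, the same function can be pushed with Invoke-Command and the resulting objects collected centrally.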
Importantly, not all ransomware is made alike. In particular, viral ransomware doesn’t work on a one-email-one-sample-one-potential-victim model. In other words, after you’ve had one infection, other victims may later get infected too, even though they never received a malicious email, or clicked a malicious link, or downloaded a malicious file.
Even after a single report of this malware, consider doing an on-demand or overnight virus scan of your file servers to make sure that it hasn’t left copies of itself lying around, hoping to snare additional victims later on.
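As an added example of the on-demand sweep suggested above (this is not code from the article or from Sophos), the script below walks a set of network shares and any attached removable drives looking for the file pair the article describes: an autorun.inf sitting next to zcrypt.lnk. It records the findings, including what the autorun.inf tries to launch and a SHA-256 of the .lnk, without deleting anything, so evidence is preserved before cleanup. The share paths are placeholders; replace them with your own file server roots.

```powershell
# Added example, not part of the original article: sweep shares and removable
# drives for autorun.inf / zcrypt.lnk pairs and report them for the responder.
$searchRoots = @('\\fileserver01\shared', '\\fileserver01\public')   # placeholder UNC paths

# Include any removable drives currently attached (Win32_LogicalDisk DriveType 2)
$searchRoots += Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
    ForEach-Object { $_.DeviceID + '\' }

function Find-DroppedCopies {
    param([string[]]$Roots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Every autorun.inf is a candidate; the companion zcrypt.lnk confirms the pair
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -Filter 'autorun.inf' `
            -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inf = $_
            # Capture the open= / shellexecute= lines, i.e. what AutoRun would launch
            $launch = (Get-Content -LiteralPath $inf.FullName -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }) -join '; '

            $lnk = Join-Path $inf.DirectoryName 'zcrypt.lnk'
            $lnkPresent = Test-Path -LiteralPath $lnk

            [pscustomobject]@{
                AutorunInf  = $inf.FullName
                LaunchLine  = $launch
                ZcryptLnk   = if ($lnkPresent) { $lnk } else { $null }
                LnkSha256   = if ($lnkPresent) { (Get-FileHash -LiteralPath $lnk -Algorithm SHA256).Hash } else { $null }
                LastWrite   = $inf.LastWriteTimeUtc
            }
        }
    }
}

$hits = Find-DroppedCopies -Roots $searchRoots

if ($hits) {
    # Pairs with zcrypt.lnk present are the ones matching the article's description
    $hits | Sort-Object { $null -eq $_.ZcryptLnk } | Format-List
    $hits | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'autorun-sweep.csv')
} else {
    'No autorun.inf files found under the searched roots.'
}
```

Any autorun.inf on a network share is worth a second look, but only the entries with a ZcryptLnk value match the dropped pair described above; the LastWrite timestamp helps establish when the share was touched and which users were connected at the time.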