Microsoft Warns of ZCryptor Ransomware With Self-Propagation Features (softpedia.com)
An anonymous reader writes from a report issued by Softpedia on May 27: Microsoft and several other security researchers have detected the first ransomware version that appears to have self-propagation features, being able to spread to other machines on its own by copying itself to shared network drives or portable storage devices automatically. Called ZCryptor, this ransomware seems to enjoy quite the attention from crooks, who are actively distributing it today via Flash malvertising and booby-trapped Office files that infect the victim if he enables macro support when opening the file. This just seems to be the latest addition to the ransomware family, one which recently received the ability to launch DDoS attacks while locking the user's computer.
Microsoft would know (Score:4, Funny)
They're the king of ransomware, forcing Windows 10 installations.
Re: (Score:2)
Why mod troll? It is a well documented fact that Microsoft will change your computer operating system through subterfuge, which for many users has caused software and/or hardware to malfunction.
Ahhhh (Score:3, Funny)
Good old retro boot sector viruses.
I heard (Score:1, Funny)
It disguises itself as the Windows 10 upgrade notification.
Re: I heard (Score:4, Funny)
Angry much?
Of course he is. He got force upgraded to Windows 10.
Re: (Score:2)
Yes, but back then I clicked it away, so it had to return in disguise again, and now I can't decide if closing it would just close it or install it.
They still don't get the difference between code.. (Score:4, Insightful)
and data. After twenty years of problems with code in documents, including some that would wipe out your partition table, they still allow code in a document to execute.
Also, this might be the first malware that infected network files, but it certainly isn't the first to affect Office documents. We've been hit several dozen times.
Re: (Score:2)
I'm curious, what exactly would the difference in a document be between code and data, or preferably what would your implementation look like to prevent executing malware?
Because the word processor or spreadsheet doesn't have any ability to execute anything outside of its own document?
Why the fucking fuck would a word processor or spreadsheet need to execute anything or operate in any way outside of their own document? What could possibly go wrong? Oh... wait...
Re: (Score:2)
Re: (Score:2)
and data. After twenty years of problems with code in documents, including some that would wipe out your partition table, they still allow code in a document to execute.
Also, this might be the first malware that infected network files, but it certainly isn't the first to affect Office documents. We've been hit several dozen times.
By default the latest Office programs save files in a format that prevents macros from running. You have to specifically change the file type to allow macros. When you open macro-enabled Office files, it will, by default, disable active content and show a warning box. You have to actually click on the box to allow macros and VBScript.
Re: (Score:3)
At one client's site an end user got such a document. It requested that the recipient click the button to enable active content. Of course someone did just that and promptly got infected. Now we just block all macro-enabled documents with clamd.
Re: (Score:2)
After twenty years of problems with code in documents, including some that would wipe out your partition table, they still allow code in a document to execute.
Except by default "they" do not allow it. You must enable macro support after clicking through warnings. You may also download whatever binary you want and click through the warning advising you the certificate, issued to "Skripty and the Kidz" is not trusted.
Re: (Score:2)
At one of my clients, we use MailScanner plus clamd to scan incoming mail. Clamd has a switch to treat all Office files with macros as viruses so they get sent to quarantine. At this particular client no one has the need to exchange macro-enabled Office files so this is an effective defense. Of course, other organizations might have valid uses for such files. I'd solve that by whitelisting particular senders while continuing to ban any other macro-enabled Office documents.
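The policy the comment describes (treat every Office attachment that carries macros as malware, quarantine it, and exempt a short list of trusted senders) can be illustrated end to end. The block below is an added example written for this thread; it is not MailScanner or clamd code and it does not reproduce ClamAV's detection. It uses a homegrown check instead: modern OOXML files (.docm, .xlsm, ...) are zip containers whose VBA lives in a part named vbaProject.bin, while legacy binary Office files (.doc, .xls) are OLE2 compound documents and are simply treated as suspect, since parsing their macro streams is out of scope. The sample message, the attachment bytes and the sender addresses are all constructed inline.

```python
"""Mail-gateway style check for macro-enabled Office attachments (added example)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound-document signature
OLE_EXTS = (".doc", ".dot", ".xls", ".xlt", ".ppt")  # legacy binary formats


def ooxml_has_macros(data: bytes) -> bool:
    """True if an OOXML zip container carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def attachment_verdict(filename: str, data: bytes) -> str:
    """Classify one attachment: 'macro', 'suspect-legacy-office' or 'clean'."""
    name = (filename or "").lower()
    if data.startswith(OLE2_MAGIC) or name.endswith(OLE_EXTS):
        return "suspect-legacy-office"   # cannot inspect cheaply, so block outright
    if data[:2] == b"PK" and ooxml_has_macros(data):
        return "macro"
    return "clean"


def classify_message(raw: bytes, allowed_senders=frozenset()) -> dict:
    """Decide 'deliver' or 'quarantine' for a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        verdict = attachment_verdict(fname, data)
        if verdict != "clean":
            findings.append((fname, verdict))
    # Allowlisted senders (the comment's whitelist) may still exchange macro files.
    action = "quarantine" if findings and sender not in allowed_senders else "deliver"
    return {"sender": sender, "action": action, "findings": findings}


def build_sample_docm(with_macros: bool) -> bytes:
    """Constructed stand-in for an OOXML file; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-blob")
    return buf.getvalue()


def build_sample_mail(sender: str, filename: str, payload: bytes) -> bytes:
    """Constructed test message with one attachment (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    mail = build_sample_mail("Mallory <m@example.net>", "invoice.docm", build_sample_docm(True))
    print(classify_message(mail))
    print(classify_message(mail, allowed_senders=frozenset({"m@example.net"})))
```

The check keys on container structure rather than on the file extension, so a .docm renamed to .docx is still caught; the ClamAV equivalent the comment relies on is the clamd.conf option OLE2BlockMacros, which flags OLE2 files containing VBA even when no signature matches.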
Block all Adverts now to protect yourself. (Score:5, Insightful)
More proof that everyone should be using an adblocker to keep their computer and friends computers safe.
Dear website owners.... WAHH about your lost revenue. Start hosting the ads on your own servers and VET THEM to be safe and not an attack vector.
Disable Flash too (Score:2)
That convinced me to disable Flash forever. No way I want that kind of crap sneaking onto my PC.
Re: (Score:2)
...which is fine until there is a bug in either of them that allows an exploit to run...
Which is in 99% of infections actually the case. What did you think was happening? Duh!
Pray to whatever god you worship (Score:5, Interesting)
This stuff is nasty.
1- Have spotless offline backups of everything
2- Lock down share permissions
3- Lock down admins on permissions domain level
4- Lock down admins on local machine level
5- Pray
I had to deal with this garbage once earlier this year on a custom domain with awful permissions management. It was bad enough from a single source\spread to shares perspective. I can't imagine the damn thing acting like a worm at the same time. Potentially career ending because 1- your enterprise gets owned so hard and 2- you never want to touch a computer again once you have to try to clean it up.
Re: (Score:2, Insightful)
Let me tell you what it's like working in infosec in a large organization.
Me: We need to remove some of these global admin accounts, they can access literally everything, change group policy, delete all 500+ of our file servers around the globe.
Manager: No we need meetings to do this and a change request process and team to make sure all the players are onboard. Also we cannot spend any money doing this, cannot schedule any employee hours to do this so you'll be doing it on your own time without getting pa
Candidates for Darwin Award (Score:1)
It's evolution in action.
Re: Pray to whatever god you worship (Score:2)
But does it run on Linux?
Re: (Score:2)
Not if you don't run Samba so your Windows box can access files...
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:2)
How about just whitelisting applications on your network to locations that users don't have write access to?
maybe it's time to put msoffice into a VM? (Score:3)
a VM can be contained pretty well. I was used to installing office on my local pc, but now I'm starting to think it's going to be safer inside a VM and I'll just run the VM for the few times I have to actually edit word docs. viewing them is ok on libreoffice or similar, but I would not use the free versions to edit ms docs (sigh).
Re:maybe it's time to put msoffice into a VM? (Score:5, Informative)
Re: (Score:2, Funny)
How does this help, if the malware spreads via network shares? If Office has access to the shares, which is quite handy for editing files in them, it is also possible for it to spread the malware.
Re: (Score:1)
For the host operating system, files get written to a backup location via SSH, using a SSH key that can only run the backup program (borg-backup) on the destination server. I have yet to see anything that targets backup software tha
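The backup arrangement described above, a key that can only run the backup program on the destination, is what OpenSSH forced commands are for: the authorized_keys entry carries `command="borg serve --restrict-to-path ..."` plus the `restrict` option, so even a stolen key cannot open a shell, forward ports or reach other repositories. The block below is an added example, not the commenter's configuration: it builds such an entry and audits an authorized_keys file for keys that are not confined that way. The key blobs and paths are constructed placeholders; `borg serve --restrict-to-path` and the OpenSSH `restrict` keyword are real options.

```python
"""Build and audit OpenSSH forced-command entries for borg backups (added example)."""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
# Pre-OpenSSH-7.2 way of spelling what `restrict` does today.
LEGACY_LOCKDOWN = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}


def _split_unquoted_commas(field: str) -> list:
    """Split an options field on commas that are not inside double quotes."""
    out, cur, quoted = [], [], False
    for c in field:
        if c == '"':
            quoted = not quoted
        if c == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(c)
    if cur:
        out.append("".join(cur))
    return out


def parse_authorized_key(line: str) -> dict:
    """Parse one authorized_keys line into options, key type, key and comment.
    Escaped quotes inside option values are not handled (simplification)."""
    line = line.strip()
    options, rest = {}, line
    if not line.startswith(KEY_TYPE_PREFIXES):
        # The options field ends at the first whitespace outside double quotes.
        quoted, i = False, 0
        while i < len(line):
            c = line[i]
            if c == '"':
                quoted = not quoted
            elif c.isspace() and not quoted:
                break
            i += 1
        field, rest = line[:i], line[i:].strip()
        for opt in _split_unquoted_commas(field):
            name, _, value = opt.partition("=")
            options[name.lower()] = value.strip('"') if value else True
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys line: %r" % line)
    return {"options": options, "keytype": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) > 2 else ""}


def audit_backup_key(entry: dict) -> list:
    """Return the problems found; an empty list means the key is confined to borg serve."""
    problems, opts = [], entry["options"]
    cmd = opts.get("command")
    if not isinstance(cmd, str) or not cmd.startswith("borg serve"):
        problems.append("no forced command running borg serve")
    elif "--restrict-to-path" not in cmd and "--restrict-to-repository" not in cmd:
        problems.append("borg serve is not confined to a path or repository")
    if "restrict" not in opts and not LEGACY_LOCKDOWN.issubset(opts):
        problems.append("missing 'restrict' (or the no-*-forwarding/no-pty set)")
    return problems


def audit_file(text: str) -> dict:
    """Audit every non-comment line; keys are 'line N (comment)' labels."""
    results = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        entry = parse_authorized_key(line)
        label = "line %d (%s)" % (n, entry["comment"] or entry["key"][:12])
        results[label] = audit_backup_key(entry)
    return results


def make_backup_entry(pubkey_line: str, restrict_path: str) -> str:
    """Turn a client's public key line into a confined backup-only entry."""
    keytype, key, *comment = pubkey_line.split()
    return ('command="borg serve --restrict-to-path %s",restrict %s %s %s'
            % (restrict_path, keytype, key, " ".join(comment))).rstrip()


# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# backup server authorized_keys (constructed sample)
command="borg serve --restrict-to-path /srv/backups/host1",restrict ssh-ed25519 AAAAC3placeholder1 host1-backup
ssh-ed25519 AAAAC3placeholder2 laptop-admin
command="borg serve",no-pty ssh-rsa AAAAB3placeholder3 host2-backup
"""

if __name__ == "__main__":
    for label, problems in audit_file(SAMPLE_AUTHORIZED_KEYS).items():
        print(label, "OK" if not problems else "; ".join(problems))
    print(make_backup_entry("ssh-ed25519 AAAAC3placeholder9 host9", "/srv/backups/host9"))
```

Only the first sample line passes; the second is an unrestricted interactive key and the third runs borg serve without a path restriction and without `restrict`, so a compromised client could reach other hosts' repositories. Run the audit as a periodic check on the backup server, since the whole point of the design is that the client side is the part expected to be compromised.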
BREAKING NEWS (Score:2, Funny)
BREAKING NEWS: Microsoft warns about a new self-installing malware called "Windows 10"
Yet another reason (Score:5, Informative)
Re: A permanent solution (Score:4, Informative)
Might be easier to just install Linux.
Re: (Score:2)
Why would I want to install Linux - it's already installed and running on my machines :-)
Re: A permanent solution (Score:2)
Then why are you going full aggro?
Re: (Score:2)
And end up in a situation like Android Linux, which has more malware than Windows ever had.
Why not sandbox Office and Office macros? (Score:2)
Given the number of viruses out there that use Microsoft Office documents as a transmission vector, why hasn't Microsoft locked down VBA and macros so that macros in an Office document file can't do anything dangerous?
Web browsers sandbox JavaScript code these days to prevent exploits and improve security, why not do the same for Office documents?
That way, rogue macros can't download and install further malware or access data files all over the disk or mess with Windows system folders/files/data.
Re: (Score:2)
My guess would be (a) the high cost of redesigning the macro subsystem and (b) users bitching and moaning when new macro language breaks their old scripts -- it would be Y2K all over again.
Propagation (Score:2)
This one tries to propagate almost as hard as the Windows Update.
Past proper propagation probably plethoras of problems perceived.
Say that out loud three times.
Re: (Score:2)
I did.
'scuse me, gotta find wipes for the screen.
Good thing MS spooked folks into disabling updates (Score:1)
Good thing that Microsoft's strongarm tactics trying to force Win 10 upgrades resulted in some people permanently disabling Windows Update on their boxes.
Not only will those people get owned, but their machines can act as distribution centers to attack other machines, including distributing future malware even if MS releases a patch to help protect against this.
500 Rupees have been deposited into Satya Nadella's account care of the Russian malware alliance.
Microsoft the security researcher (Score:1)
Re: (Score:2)
Not really anymore. The primary infection vectors today are rather third-party software packages that are so omnipresent that they can as well be considered part of the OS while having a WAY worse security record than MS. Adobe is probably the worst offender, the currently biggest infection vectors being Flash and Acrobat Reader.