One example of the ZCryptor variant.

Image Source: Microsoft

ZCryptor targets Windows OS and exhibits worm-like behavior. Its initial attack vectors include spam email campaigns, macro malware, and fake Adobe Flash installers. Once a targeted system is infected, ZCryptor drops an autorun.inf file onto network drives and removable storage media. It maintains persistence by placing a zycrypt.lnk file in the start-up folder, and it appends the .zcrypt extension to all encrypted files. It demands an initial ransom of 1.2 Bitcoin but threatens to raise the price to 5 Bitcoin if the victim does not pay within four days of infection. According to ZCryptor’s ransom note, the decryption key will be destroyed if a week passes before any ransom is paid.

  • Microsoft provides more information about ZCryptor here.
  • The NJCCIC is not aware of any decryption tools available for ZCryptor.
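
The file-system artifacts named in the profile above can be swept for during triage. The following is an added example, not code from Microsoft or the NJCCIC: the function names are hypothetical, and the two start-up folder locations (per-user and all-users) are an assumption, since the profile does not say which one is used.

```python
import os
import sys
from pathlib import Path

# Indicator names come from the profile; matching is case-insensitive
# because Windows file names are.
STARTUP_LNK = "zycrypt.lnk"
AUTORUN = "autorun.inf"
ENCRYPTED_EXT = ".zcrypt"

def default_startup_dirs():
    """Per-user and all-users Startup folders (assumed locations)."""
    rel = Path("Microsoft", "Windows", "Start Menu", "Programs", "Startup")
    return [Path(os.environ[v]) / rel
            for v in ("APPDATA", "PROGRAMDATA") if v in os.environ]

def _entries(directory):
    """List a directory, treating unreadable or missing ones as empty."""
    try:
        return list(Path(directory).iterdir())
    except OSError:
        return []

def sweep(volume_roots, startup_dirs):
    """Return sorted (indicator, path) findings for the given locations."""
    findings = set()
    for d in startup_dirs:
        for entry in _entries(d):
            if entry.name.lower() == STARTUP_LNK:
                findings.add(("persistence-lnk", str(entry)))
    for root in volume_roots:
        # autorun.inf only matters at a volume root. It also ships on
        # legitimate media, so a hit is a lead to review, not a verdict.
        for entry in _entries(root):
            if entry.is_file() and entry.name.lower() == AUTORUN:
                findings.add(("autorun-inf", str(entry)))
        # Encrypted files can sit at any depth below the root.
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
            for name in files:
                if name.lower().endswith(ENCRYPTED_EXT):
                    findings.add(("encrypted-file", os.path.join(dirpath, name)))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python sweep.py E:\ \\server\share
    for kind, path in sweep(sys.argv[1:], default_startup_dirs()):
        print(f"{kind}\t{path}")
```

Pass the roots of removable drives and mapped network shares as arguments; the start-up folders are taken from the current user's environment.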