Crypto-ransomware Attacks Windows 7 and Later, Scraps Backward Compatibility

How do you know that something has become very popular? Simple – when poorly-made knockoff versions start to hit the marketplace. Ransomware, it seems, has hit that point.

The writers behind the new ZCRYPT ransomware family have either scrapped support for Windows XP, or did a sloppy job in creating it. This new family only targets systems with newer versions of Windows, specifically Windows 7 and later. Is ZCRYPT deliberately cutting of older operating systems, or is it just poorly-written malware?

Exclusive Crypto-ransomware

When we came across ZCRYPT it first appeared to be a fairly nondescript threat. It encrypts the user’s files and uses the .ZCRYPT extension as its marker. It is capable of encrypting the following file formats:

.zip, .mp4, .avi, .wmv, .swf, .pdf, .sql, .txt, .jpeg, .jpg, .png, .bmp, .psd, .doc, .docx, .rtf, .xls, .xlsx, .odt, .ppt, .pptx, .xml, .cpp, .php, .aspx, .html, .mdb, .3fr, .accdb, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .dbf, .dcr, .der, .dng, .dwg, .dxg, .eps, .erf, .indd, .kdc, .mdf, .mef, .nrw, .odb, .odp, .ods, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .pst, .ptx, .r3d, .raf, .raw, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .tar, .jsp, .mpeg, .msg, .log, .cgi, .jar, .class, .java, .bak, .pdb, .apk, .sav, .tar.gz, .emlx, .vcf

It makes the usual threats of deleting the files if the victim don’t pay up within a week. Ransom is set at 1.2 BTC (approximately 500 US dollars), with the ransom going up to 5 BTC (approximately 2,200 US dollars) after four days. The ransom note looks like this:

Figure 1. Ransom note (Click to enlarge)

However, what it can do in systems with Windows 7 and later, it only tries with other systems. According to our analysis, it fails to either encrypt the files properly or display the ransom note when launched in an older version of Windows, such as Windows XP. The malware calls a function which does not exist in earlier versions of Windows; this breaks it for the older operating systems.

Interestingly, this particular family also tried to spread via USB flash disks: it plants a copy of itself onto removable drives. This is relatively unusual in crypto-ransomware; back in December of 2013 we identified a CryptoLocker variant which behaved similarly. It never seems to have caught on, however. Crypto-ransomware authors seem to be satisfied with distributing their wares via the most common means: malvertising and spam.

C&C Servers

The domain name of the command-and-control (C&C) server was poiuytrewq.ml, a reversal of qwertyuiop. This is the top alphabetical row on a standard QWERTY keyboard. The top-level domain .ml is assigned to Mali; registrations for domains under this TLD were given away for free starting in April 2013. (URLs that hosted ZCRYPT variants were also hosted on .ml domains.)

The threat actor also enjoyed free anonymity because the domain registration masked the actual identity of registrant. The C&C domain is already tagged “canceled, suspended, refused, or reserved”.

Industry Practices

Backing up is still the best defense against crypto-ransomware; the 3-2-1 rule ensures that users still have a copy of their data even if they are affected by similar threats. We strongly advise against paying the ransom; this only ensures that the threat will continue to become bigger and bigger.

Trend Micro says NO to ransomware. We strongly advise users not to pay ransom demands as it fuels cybercrime and promotes further propagation of ransomware.

Trend Micro Solutions

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by crypto-ransomware, such as ZCRYPT.

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevents ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can likewise take advantage of our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying the ransom or the use of the decryption key.

TippingPoint customers will be protected from attacks exploiting this vulnerability with the following ThreatDV filter that will be made available on May 31:

24733: HTTP: Ransom_ZCRYPT.A

Related hashes:

D14954A7B9E0C778909FE8DCAD99AD4120365B2E – Ransom_ZCRYPT.A

With additional analysis from Rhena Inocencio, Jay Yaneza, and Ruby Santos.