from Blog | Bitdefender Labs | Bitdefender Innovation and Technology
Bitdefender blocks a new type of ransomware that replicates itself on removable and network drives. ZCrypt has worm-like capabilities and encrypts user files with the following extensions:
.zip .7z .mp4 .avi .mkv .wmv .swf .pdf .sql .txt .jpeg .jpg .png .bmp .psd .doc .docx .rtf .xls .xlsx .odt .ppt .pptx .ai .xml .c .cpp .asm .js .php .cs .aspx .html .conf .sln .mdb .asp .3fr .accdb .arw .bay .cdr .cer .cr2 .crt .crw .dbf .dcr .der .dng .dwg .dxf .dxg .eps .erf .indd .kdc .mdf .mef .mrw .nef .nrw .odb .odp .ods .orf .p12 .p7b .p7c .pdd .pef .pem .pfx .pst .ptx .r3d .raf .raw .rw2 .rwl .srf .srw .wb2 .wpd .jnt .pub .trc .gz .tar .jsp .pl .py .rb .mpeg .msg .log .vob .max .3ds .3dm .db .cgi .jar .class .java .bak .pdb .apk .sav .cbr .pkg .tar.gz .fla .h .sh .vb .vcxproj .XCODEPROJ .eml .emlx .mbx .vcf
The original files are deleted, and the encrypted copies carry the new .zcrypt extension.
A ransom note is created with the following name: “How to decrypt files.html”.
To ensure persistence, the malware will create the following registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\zcrypt, which will point to itself, and also a shortcut named “zcrypt.lnk” in the startup folder.
The communication domain is hXXp://dedicate-hosting.ml/.
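The indicators above (the .zcrypt extension, the ransom note name, the Run key value, the Startup-folder shortcut and the communication domain) can be checked on a host or in collected logs. The following triage helper is an added example, not Bitdefender's code; it works on constructed snapshots of a file listing, the HKCU Run values, the Startup folder contents and proxy log lines in an assumed "client method host path status" format.

```python
"""Host-triage helper for the ZCrypt indicators described on the page.

Added example (not Bitdefender's code). All inputs are constructed
snapshots, so it runs offline; the proxy log format is an assumption.
"""
from pathlib import PureWindowsPath

ENCRYPTED_EXT = ".zcrypt"                  # appended to encrypted files
RANSOM_NOTE = "how to decrypt files.html"  # ransom note dropped by the malware
RUN_VALUE = "zcrypt"                       # value name under HKCU\...\CurrentVersion\Run
STARTUP_LNK = "zcrypt.lnk"                 # shortcut placed in the Startup folder
C2_DOMAIN = "dedicate-hosting.ml"          # communication domain (defanged on the page)


def check_files(paths):
    """Flag encrypted files and ransom notes in a list of Windows paths."""
    hits = []
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        if name.endswith(ENCRYPTED_EXT):
            hits.append(("encrypted_file", p))
        elif name == RANSOM_NOTE:
            hits.append(("ransom_note", p))
    return hits


def check_persistence(run_values, startup_entries):
    """run_values maps Run value names to commands; startup_entries are file names."""
    hits = [("run_key", f"{n} -> {c}") for n, c in run_values.items()
            if n.lower() == RUN_VALUE]
    hits += [("startup_lnk", e) for e in startup_entries if e.lower() == STARTUP_LNK]
    return hits


def check_proxy(lines):
    """Flag proxy log lines whose host field (third field, assumed format) is the C2 domain."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 3 and fields[2].lower().rstrip(".") == C2_DOMAIN:
            hits.append(("c2_contact", line))
    return hits


def triage(paths, run_values, startup_entries, proxy_lines):
    """Group all findings by indicator type; an empty dict means nothing matched."""
    report = {}
    for kind, ev in (check_files(paths) + check_persistence(run_values, startup_entries)
                     + check_proxy(proxy_lines)):
        report.setdefault(kind, []).append(ev)
    return report
```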