The new ransomware, which Microsoft has dubbed Ransom:Win32/ZCryptor.A, is distributed through spam emails. It can also infect a machine running Windows through a malware installer or fake installers like a Flash player setup file.
The ransomware would run at boot and drop a file autorun.inf in removable drives, a zycrypt.lnk in the start-up folder and a copy of itself as {Drive}:\system.exe and %APPDATA%\zcrypt.exe.
It would then change the file attributes to hide itself from the user in file explorer.
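The drop locations listed above are the indicators a defender would check first. The following PowerShell script is an added example written for this page, not code from the article or from Microsoft: it looks for each artifact in the locations named, including files hidden through attributes, hashes anything it finds, and exits non-zero so a scheduled task or monitoring wrapper can alert. The function name, output fields and exit convention are this example's own choices; only the paths come from the article.

```powershell
# Added example: hunt for the ZCryptor persistence artifacts listed in the article.
# The paths are the article's; the script structure is this example's own.
$ErrorActionPreference = 'SilentlyContinue'

function Test-ZCryptorArtifact {
    param([string]$Path)
    # -Force makes Get-Item return files that were hidden via attributes,
    # which is exactly what the dropper does to its copies.
    $item = Get-Item -LiteralPath $Path -Force
    if ($null -eq $item) { return $null }
    [pscustomobject]@{
        Path      = $item.FullName
        Hidden    = $item.Attributes.HasFlag([IO.FileAttributes]::Hidden)
        SizeBytes = $item.Length
        SHA256    = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
    }
}

# Fixed locations: the %APPDATA% copy and the start-up folder shortcut.
$candidates = @(
    (Join-Path $env:APPDATA 'zcrypt.exe'),
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'zycrypt.lnk')
)

# DriveType 2 = removable media. The dropper places {Drive}:\system.exe
# next to an autorun.inf on each one, so check every removable volume present.
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
foreach ($disk in $removable) {
    $candidates += (Join-Path $disk.DeviceID 'system.exe')
    $candidates += (Join-Path $disk.DeviceID 'autorun.inf')
}

$hits = @(foreach ($c in $candidates) { Test-ZCryptorArtifact -Path $c }) |
    Where-Object { $null -ne $_ }

if ($hits) {
    $hits | Format-Table -AutoSize
    # Non-zero exit so a scheduled task or EDR wrapper can treat this as an alert.
    exit 1
}
Write-Output 'No ZCryptor file artifacts found in the checked locations.'
```

A hit on a file name alone is not proof of infection (a legitimate `system.exe` could exist), which is why the hash is recorded: it can be compared against the sample an analyst already has before any removal is attempted.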
A total of 88 file types would be encrypted, and Microsoft said it was important to enable File History or System Protection so that restoring personal files from a backup was possible in some cases.
However, it appears that Microsoft was also not fully aware of the actions of the ransomware because it offered the following advice: "Some ransomware will also encrypt or delete the backup versions and will not allow you to do the actions described before. If this is the case, you need to rely on backups in external drives (not affected by the ransomware) or OneDrive."
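Whether the advice in the quoted advisory is usable depends on recovery data that may no longer exist once ransomware has run. The script below is an added example, not part of the article or of Microsoft's advisory: it reports how many Volume Shadow Copies and System Restore points are present on the machine, which is the state a defender should confirm before an incident rather than during one. The function name and the `LocalRecoveryUsable` flag are this example's own; `Get-ComputerRestorePoint` and `Win32_ShadowCopy` are standard Windows interfaces and normally require an elevated session.

```powershell
# Added example: check that local recovery data exists, and flag the case the
# advisory warns about, where only an external drive or cloud backup remains.
function Get-LocalRecoveryState {
    # Volume Shadow Copies back both "Previous Versions" and File History restores.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    # System Restore points exist only when System Protection is enabled for the volume.
    $points  = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)

    $newest = $shadows | Sort-Object -Property InstallDate -Descending | Select-Object -First 1
    $newestDate = $null
    if ($newest) { $newestDate = $newest.InstallDate }

    [pscustomobject]@{
        ShadowCopyCount     = $shadows.Count
        NewestShadowCopy    = $newestDate
        RestorePointCount   = $points.Count
        # Hypothetical summary flag for this example: true when anything local
        # could be restored from without reaching for an external backup.
        LocalRecoveryUsable = ($shadows.Count -gt 0 -or $points.Count -gt 0)
    }
}

$state = Get-LocalRecoveryState
$state | Format-List
if (-not $state.LocalRecoveryUsable) {
    Write-Warning 'No shadow copies or restore points present; recovery would depend on an external drive or OneDrive backup.'
}
```

Running this periodically and recording the counts gives a baseline: a sudden drop to zero shadow copies on a machine that previously had several is itself worth investigating, independent of any file-name indicator.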
Windows users would do well to read the advisory in its entirety.