Zcrypt Ransomware
Posted: May 25, 2016
Threat Metric
The fields listed on the Threat Meter, each carrying a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lie dormant and have a low volume count. The criterion for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 166 |
| First Seen: | May 25, 2016 |
| Last Seen: | May 2, 2022 |
| OS(es) Affected: | Windows |
The zCrypt Ransomware is a file encryptor that holds your data hostage while asking for money to return it to you. Victims are also put under a strict time limit to encourage them to pay the fee quickly, although the likelihood of con artists honoring their word remains open to question. Given the natural uncertainty of such a transaction, malware experts advise disabling and removing the zCrypt Ransomware through your anti-malware tools and then recovering your information from an unencrypted backup.
The Empty Drive Message that Empties Your Wallet
One of the biggest technical limitations of threatening file encryption is the time and system resources taken by the function while it's ongoing. Threat authors have taken various routes of working around this restriction, such as limiting the number of bytes that are modified, or tightly controlling which files come under attack. The zCrypt Ransomware uses a method of subterfuge malware experts have yet to see in other file-encrypting Trojans: hiding its attack behind a Windows pop-up error.
After a spam-based installation, the zCrypt Ransomware generates a Mutex entry and modifies the Windows Registry with entries facilitating its automatic launch. It then scans for files including Adobe PDFs, text-based documents, and image files (such as JPG or PNG). The Trojan gives the affected files new '.zcrypt' extensions, but, more importantly, sends them through an encryption routine. Victims will quickly find that any encrypted content no longer responds to being opened by its associated programs, and renaming the files back to their original names will have no effect.
However, the payload also launches a disk drive system error, implying that another program is trying to read your CD/DVD drive. The zCrypt Ransomware doesn't appear to access any such drive, but the distraction could prevent a victim from interrupting the process and preserving some of their files before the zCrypt Ransomware finishes.
Beating the Threat Clock on Saving Your Data
The zCrypt Ransomware's original ransom fees begin at average Bitcoin sums of approximately 500 USD, although they also rise over time, with the second deadline bringing deletion of the key required for the decryption process. Current versions of the zCrypt Ransomware also include an improperly formatted ransom message that requires the victim to take additional steps to find the relevant payment address information, calling into question the potential functionality of the threat author's decryption service.
There is no public decryption application yet available for the zCrypt Ransomware, which appears to be unrelated to past file encryption Trojans. Nonetheless, a compromised PC always should be disinfected with anti-malware utilities, regardless of the zCrypt Ransomware's warnings. Backups on password-protected servers or disconnected devices can overwrite your encrypted files without needing a decryption service, making preventative data protection especially critical.
Malware experts have found most of the zCrypt Ransomware's infection points taking advantage of e-mail spam with disguised Web links and file attachments. Russian-speaking regions appear to be most commonly targeted, with at least one corporation already verified as being affected. As always, any business with information worth preserving should take care to do so before a Trojan's attack, thereby making the threat behind the zCrypt Ransomware's hostage crisis an empty one.
Technical Details
Registry Modifications
HKEY..\..\..\..\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zcrypt
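As an added triage example (not from the original write-up, and not a vendor tool), the following Python script checks a host for the two artifacts the article describes: a Run-key value named zcrypt and documents renamed with the appended extension. The registry hive is truncated above, so the live check reads both HKCU and HKLM, which is an assumption; the sample Run values and the sample directory tree are constructed for the demonstration, and the renamed-file list is meant to scope a restore from backup rather than to repair anything.

```python
"""Added triage helper, not from the original write-up: flags the Run-key
persistence value named 'zcrypt' and files renamed with the appended
'.zcrypt' extension. The hive is truncated in the article, so the live check
reads both HKCU and HKLM (an assumption); sample data below is constructed."""
import sys
import tempfile
from pathlib import Path

RUN_KEY_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"  # from the article
SUSPECT_VALUE_NAME = "zcrypt"  # value name in the article's Registry Modifications
SUSPECT_EXTENSION = ".zcrypt"  # extension the Trojan appends, per the article


def suspicious_run_values(run_values):
    """Return (hive, value_name, command) for Run entries matching the name.
    `run_values` is {hive: {value_name: command}}, the shape produced by
    read_live_run_values(); value names compare case-insensitively."""
    hits = []
    for hive, values in run_values.items():
        for name, command in values.items():
            if name.lower() == SUSPECT_VALUE_NAME:
                hits.append((hive, name, command))
    return hits


def read_live_run_values():
    """Enumerate HKCU and HKLM Run values on Windows; return {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    result = {}
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                            ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        values = {}
        try:
            with winreg.OpenKey(hive, RUN_KEY_PATH) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:  # no more values under this key
                        break
                    values[name] = data
                    index += 1
        except OSError:  # key absent or not readable
            pass
        result[hive_name] = values
    return result


def find_renamed_files(root):
    """Walk `root`; return sorted (path, original_name) for renamed files.
    The original name scopes a restore from backup: the article notes that
    renaming the file back does not undo the encryption."""
    hits = []
    for path in Path(root).rglob("*" + SUSPECT_EXTENSION):
        if path.is_file():
            hits.append((str(path), path.name[: -len(SUSPECT_EXTENSION)]))
    return sorted(hits)


def triage(root, run_values):
    """Combine both checks into one report."""
    return {"persistence": suspicious_run_values(run_values),
            "renamed_files": find_renamed_files(root)}


# Constructed sample Run values (not captured from a real host).
SAMPLE_RUN_VALUES = {
    "HKCU": {"OneDrive": "<constructed> OneDrive.exe /background",
             "zcrypt": r"<constructed path>\zcrypt.exe"},
    "HKLM": {"SecurityHealth": "<constructed> SecurityHealthSystray.exe"},
}


def build_sample_tree(root):
    """Constructed sample: two renamed documents and one untouched file."""
    root = Path(root)
    for sub in ("docs", "pictures"):
        (root / sub).mkdir(parents=True, exist_ok=True)
    (root / "docs" / ("report.pdf" + SUSPECT_EXTENSION)).write_bytes(b"\x00" * 16)
    (root / "pictures" / ("holiday.jpg" + SUSPECT_EXTENSION)).write_bytes(b"\x00" * 16)
    (root / "docs" / "notes.txt").write_text("still readable")


def run_demo():
    """Run triage against the constructed tree and sample Run values."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp, SAMPLE_RUN_VALUES)


if __name__ == "__main__":
    report = run_demo()
    for hive, name, command in report["persistence"]:
        print(f"persistence: {hive}\\{RUN_KEY_PATH}\\{name} -> {command}")
    for path, original in report["renamed_files"]:
        print(f"renamed: {path} (was {original})")
```

On a live Windows host, pass `read_live_run_values()` and the user's profile directory to `triage()` instead of the constructed samples; a hit on the Run value is the persistence indicator to remove with your anti-malware tooling, and the renamed-file list tells you which items need to come back from the unencrypted backup the article recommends.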