
ZeroCrypt Ransomware

Posted: November 2, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 72
First Seen: November 2, 2016
Last Seen: January 10, 2019
OS(es) Affected: Windows


The ZeroCrypt Ransomware is a Trojan that encrypts your files and drops ransom-demanding messages afterward, such as instructions for paying Bitcoin fees for recovering the encoded content. While the ZeroCrypt Ransomware most likely was created with non-harmful goals, it does include a fully-working payload, similar to that of threats designed with the intent of distribution in the wild. PC users still can protect themselves by all the usual methods, including having anti-malware products for removing the ZeroCrypt Ransomware automatically.

The Possibility of a Program going from 'Hero' to 'Zero'

With the race between anti-malware services and threatening software campaigns at a constant, brisk pace, malware analysts sometimes turn to additional sources for honing their skills. Reverse-engineering software contests are one way in which security researchers might improve their pool of knowledge, but they also come with the downside of producing very real threat samples. In November, malware experts took note of a recent sample of the ZeroCrypt Ransomware, an educational programming 'test' that could just as easily turn to misdeeds.

The ZeroCrypt Ransomware is a product of the ZeroNights cyber security conference scene and can be downloaded by the public freely. When launched, it leverages an RSA-1024 cipher against your files, such as Word DOC documents, Notepad TXT texts and JPG images. The attack includes new extensions for all of the newly-encoded and unusable data, '.zn2016,' and concludes with a 'ZeroCrypt_RECOVER_INFO.txt' message that it places on your desktop.

Despite being an educational resource, the ZeroCrypt Ransomware provides ransom instructions that are very similar to those of live Trojans, including a demand for a Bitcoin payment and an e-mail address for contacting the fake threat actor. The encryption attack is as functional as it would be on a 'real' Trojan, and there are no public decryption tools yet available for reversing it.

A Further Look at Security Research with Consequences

Malware analysts can confirm that no current campaigns exploiting the ZeroCrypt Ransomware exist. However, past instances of con artists abusing publicly-available threats for unintended purposes are frequent, including such projects as Hidden Tear and EDA2. Ironically, the ZeroCrypt Ransomware's lack of ties to real threat actors also could mean that the one recovery route available to some victims, paying the con artist's ransom, is unavailable. Keeping regular backups of all valuable content is one of the simplest ways of protecting yourself from file-encrypting attacks, whether or not they're intentional.

The ZeroCrypt Ransomware doesn't include network-related features and currently uses the highly-identifiable executable 'ManBeCareful.exe' within the 'ZeroCrypt' directory. Many, but far from all, anti-malware products have respectable rates of detecting the ZeroCrypt Ransomware heuristically. As a preventative against possible attacks, continue updating your security solutions and allowing them to scan all new files to remove the ZeroCrypt Ransomware.
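The indicators this write-up lists (the '.zn2016' extension, the 'ZeroCrypt_RECOVER_INFO.txt' note, the 'ManBeCareful.exe' executable, the 'ZeroCrypt' directory and the MD5 in the Technical Details below) are enough for a simple host triage sweep. The script that follows is an added example written for this page, not code from the ZeroNights contest or from any vendor; it walks a directory tree, flags each indicator, hashes executables against the published MD5, and returns a verdict. The sample file tree it builds under a temporary directory is constructed for the demonstration, so the hash check will only fire on a real copy of the file; the verdict thresholds are the author's own choice.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the write-up on this page.
ZEROCRYPT_MD5 = "acc74bb26ce84cd41b5400ed45092b49"
ENCRYPTED_EXT = ".zn2016"
RANSOM_NOTE = "ZeroCrypt_RECOVER_INFO.txt"
DROPPER_NAME = "ManBeCareful.exe"
STAGING_DIR = "ZeroCrypt"  # created under %LOCALAPPDATA% on a victim host


def md5_of(path: Path) -> str:
    """Stream the file through MD5 so large binaries do not load into memory."""
    digest = hashlib.md5()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root) -> dict:
    """Walk `root` and collect every ZeroCrypt indicator found, grouped by kind."""
    findings = {"hash_hits": [], "encrypted": [], "notes": [], "dropper": [], "staging_dirs": []}
    for dirpath, dirnames, filenames in os.walk(Path(root)):
        here = Path(dirpath)
        for name in dirnames:
            if name.lower() == STAGING_DIR.lower():
                findings["staging_dirs"].append(str(here / name))
        for name in filenames:
            path = here / name
            if name.lower().endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(str(path))
            if name == RANSOM_NOTE:
                findings["notes"].append(str(path))
            if name.lower() == DROPPER_NAME.lower():
                findings["dropper"].append(str(path))
            if name.lower().endswith(".exe"):
                try:
                    if md5_of(path) == ZEROCRYPT_MD5:
                        findings["hash_hits"].append(str(path))
                except OSError:
                    pass  # unreadable or vanished file; skip rather than abort the sweep
    return findings


def verdict(findings: dict) -> str:
    """Thresholds are an assumption for this example, not part of the write-up."""
    if findings["hash_hits"] or findings["dropper"]:
        return "zerocrypt_present"
    if findings["encrypted"] and findings["notes"]:
        return "zerocrypt_encryption_observed"
    if findings["encrypted"] or findings["notes"] or findings["staging_dirs"]:
        return "suspicious"
    return "clean"


def build_sample_tree(base: Path) -> Path:
    """Constructed victim-profile layout used only to exercise the sweep."""
    (base / "Documents").mkdir(parents=True)
    (base / "Documents" / "report.docx" + ENCRYPTED_EXT if False else base / "Documents" / ("report.docx" + ENCRYPTED_EXT)).write_bytes(b"\x00" * 16)
    (base / "Documents" / "untouched.txt").write_text("not encrypted")
    (base / "Desktop").mkdir()
    (base / "Desktop" / RANSOM_NOTE).write_text("constructed placeholder note")
    staging = base / "AppData" / "Local" / STAGING_DIR
    staging.mkdir(parents=True)
    (staging / DROPPER_NAME).write_bytes(b"MZ constructed stub, not the real binary")
    return base


def demo() -> dict:
    """Build the constructed tree in a temp dir, sweep it, attach the verdict, clean up."""
    base = Path(tempfile.mkdtemp(prefix="zerocrypt_demo_"))
    try:
        build_sample_tree(base)
        result = sweep(base)
        result["verdict"] = verdict(result)
        return result
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for kind, hits in demo().items():
        print(f"{kind}: {hits}")
```

Point `sweep()` at a user profile or a mounted image to run it for real; the hash check only reaches the MD5 comparison for files ending in `.exe`, which keeps the sweep cheap on large trees while still catching a renamed dropper by its exact digest.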

Education is a necessarily double-edged weapon that can benefit a con artist just as much as a cyber security analyst. Hopefully, the ZeroCrypt Ransomware can refrain from turning into the next version of Hidden Tear: an accidental provocateur of nearly limitless Trojan campaigns.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: file.exe
Size: 359.42 KB (359424 bytes)
MD5: acc74bb26ce84cd41b5400ed45092b49
Detection count: 77
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: November 2, 2016

Additional Information

The following directories were created:
%LOCALAPPDATA%\ZeroCrypt