Any piece of half-decent ransomware can lock you out of your files and make you tear your hair out, but it takes a really dastardly one to do the same thing to every single removable or networked drive connected to your machine.
A new piece of malware known as ZCryptor (or zCrypt — take your pick) can infect not only your computer, but any external drive attached to it. If you try to save your machine with a thumb drive, in other words, say goodbye to every other system in your house.
Security researcher "Jack" from the security blog malwarefor.me wrote about the new malware making the rounds last week, and promptly brought it to Microsoft's attention. Microsoft was quick to warn users (particularly business users) about the ZCryptor threat on its Microsoft Malware Protection Center blog. The good news is that Microsoft has a sensible fix for the malware, but it's not a perfect solution.
Jack explained how the ransomware works, although it's mostly pretty standard operating procedure. ZCryptor installs itself on your system (via a fake Flash installer, malicious email attachment or Microsoft Office macro malware), then starts encrypting your files. It also alters the Windows Registry so that the malware runs at startup.
A warning screen pops up in your web browser, informing you that the decryption key can be yours for only $500 in Bitcoin. It warns you not to remove the program yourself, claiming that doing so will destroy the decryption key and eliminate any chance of restoring your files. (This is not strictly true, but it's probably enough to scare most people.)
What sets ZCryptor apart from run-of-the-mill ransomware, Microsoft pointed out, is that it's not content to restrict itself to just one drive. If you have external hard drives or thumb drives connected to your computer — anything with storage, really, including a mobile device — then ZCryptor can replicate itself so that it can infect any Windows computer that connects to those drives.
Previous forms of ransomware have locked up files on backup drives, but none until now has actually installed copies of itself on secondary drives. As such, even wiping your hard drive may not solve the ZCryptor problem, and trying to transfer unencrypted backup files could land you right back where you started.
Of particular concern to business users is the fact that ZCryptor can pull the same trick with networked drives. If one employee accidentally downloads the ransomware, it could easily spread to a shared network drive and infect every machine in an office.
A decent antivirus sweep can get rid of the ZCryptor program itself, but that will only solve half of your problems. There is no simple way to decrypt affected files, and as such, Microsoft recommends restoring backups instead. A Microsoft blog post contains detailed instructions on how to do so, but the solution depends on your having made regular backups, whether on your hard drive, online or on an external storage device.
By default, Windows will make backup versions of your files and folders, which you can access by right-clicking on a folder and selecting "Restore previous versions." This functionality tends to be a bit spotty, though, and if the ransomware has run for long enough, it may have encrypted the backup files as well. (Not to mention, these backup files won't have any of the most recent changes you were working on, and losing a day's progress can be disastrous on its own.)
Prevention is still the best medicine: avoid suspicious websites and emails, keep an antivirus program up and running, and make sure Windows is up to date.