The ransomware worm ZCryptor self-replicates by placing autorun files on removable storage devices and network...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
drives, spreading it to other devices and systems. Microsoft claims that systems can be protected by upgrading to Windows 10. What are some other mitigation steps enterprises can take? And how big of a threat is this ransomware worm compared to conventional ransomware?
Not every security issue can be mitigated by upgrading to the most recent version of an operating system or applying the most recent patch. Both are important security controls and must be included as part of an enterprise security program, but are not complete fixes. The security program should cover how to respond to a ransomware worm like ZCryptor when the enterprise can't or hasn't upgraded to the most recent version of the operating system. ZCryptor has functionality to drop malware on USB drives or file shares, including an autorun.inf file to get vulnerable systems to run the malware when opening the directory. ZCryptor is also distributed via malicious emails where an attachment with embedded macros would execute the malware. With the rise in cloud file storage, file shares can include any automated mechanism for saving files in an external location that eventually allows a user to directly open a file and potentially execute the malicious code.
As all enterprises are vulnerable to ransomware like ZCryptor, taking mitigation steps is a necessary process for yours. First, check to see if and how your endpoint security suite protects against ransomware and has functionality such as the CryptoDrop tool developed by researchers at the University of Florida. Having protection against ransomware, as well as the necessity of having good backups has been covered extensively, but taking two additional steps on top of following the Microsoft recommendations can minimize the chance that a compromised endpoint will affect the entire enterprise. Enterprises should ensure users have only the write access they need for file share stores and also disable autorun. Limiting user access to only the needed files will lead to the ransomware only encrypting those files and potentially leaving the other files unaffected. Disabling autorun is a standard antimalware recommendation which can stop the malware from autorunning on a system.
Learn how frequent data backups can help during ransomware attack recovery
Find out how Locky ransomware uses DGA in attacks on banks
Read how cloud DR can fit into your ransomware recovery strategy
Dig Deeper on Email and Messaging Threats (spam, phishing, instant messaging)
Related Q&A from Nick Lewis
Hajime malware was discovered to have links to the Mirai botnet that launched powerful DDoS attacks last year. Expert Nick Lewis explains how Hajime ...continue reading
Drammer, or a deterministic Rowhammer attack, was found to be more effective on ARM-based mobile devices. Expert Nick Lewis explains the issue with ...continue reading
An Instagram application can be turned into C&C infrastructure with the help of image steganography malware attacks. Expert Nick Lewis explains how ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.