A newly discovered ransomware variant has the rare ability to self-replicate, and security experts expect future...
ransomware will follow this evolution pattern to become more efficient at spreading to and infecting larger targets.
Microsoft posted a warning to users about ZCryptor, a ransomware worm that can initially infect targets through traditional phishing schemes, macros or fake installers, but also has the ability to place autorun files on removable storage devices. This means the ransomware can spread itself to other machines on portable storage devices, rather than relying on more targets to fall victim to phishing, according to Microsoft's security advisory.
"It's basically guaranteed that ransomware will become self-replicating," said Arian Evans, vice president of product strategy at RiskIQ, based in San Francisco.
Other experts agreed. Wade Williamson, director of threat analytics at Vectra Inc., based in San Jose, Calif., said ransomware worms are part of the natural evolution of malware.
"It is important to remember that while ransomware is the newest head on the malware hydra, it is still malware. As such, it can be delivered and propagated in all the ways that we have seen malware used in the past," Williamson said. "So, while this is a new variant of ransomware, on its own, it is not earthshaking. It is, however, a part of a broader trend within ransomware that focuses on spreading beyond the initially infected host in order to [cause] damage to the broader enterprise."
According to Microsoft and Trend Micro's warnings, the new ransomware worm does not work on Windows 10, but it does affect older versions of Windows. With that in mind, Microsoft's first suggestion for users to protect themselves was to upgrade to Windows 10.
While experts generally considered this to be good advice, noting the Windows 10 File History and other security features as beneficial, there were concerns with this suggestion.
Don Jackson, senior threat researcher at Damballa Inc., based in Atlanta, said he found ZCryptor "functioned exactly the same disastrous way" on the newest version of Windows 10 in his test.
"I wouldn't consider upgrading to Windows 10 to be a preventative measure at all. In this case, upgrading to Windows 10 doesn't offer any mitigation in terms of better detection and prevention," Jackson said. "Microsoft appears to be saying that it does by adding it to the very first bulleted item under [the] 'prevention' section of their blog post. To me, it's misleading."
Evans said the problem with the suggestion was financial, rather than technical.
"Financially speaking, Windows 10 costs are probably out of reach for a large percentage of the global PC community, especially those running on pirated Windows XP," Evans said. "The question is: At what point does the cost of impact of ransomware exceed the cost of upgrading to Windows 10 and replacing legacy devices? Ransomware automatic replication will accelerate this cost curve we expect, making the cost of upgrading, and implementing stronger defenses, calculate cheaper with each successful ransomware attack."
Experts said the rest of Microsoft's prevention suggestions were comprehensive, including making regular backups of data to external sources, being wary of phishing emails, disabling macros in Office, disabling Remote Desktop, using two-factor authentication and avoiding "websites that are known for being malware breeding grounds -- illegal download sites, porn sites, etc.," according to the security advisory.
Learn more about the outbreak of ransomware hitting hospitals, enterprises
Get a first look at the new Windows 10 security features
Find out how the TeslaCrypt ransomware came to an end