

Can ZCryptor ransomware be stopped by upgrading to Windows 10?

ZCryptor ransomware can self-replicate through autorun files placed on removable storage devices. Expert Nick Lewis explains how your enterprise can mitigate this risk.

The ransomware worm ZCryptor self-replicates by placing autorun files on removable storage devices and network drives, spreading it to other devices and systems. Microsoft claims that systems can be protected by upgrading to Windows 10. What are some other mitigation steps enterprises can take? And how big of a threat is this ransomware worm compared to conventional ransomware?

Not every security issue can be mitigated by upgrading to the most recent version of an operating system or applying the latest patch. Both are important security controls and belong in any enterprise security program, but neither is a complete fix. The program should also cover how to respond to a ransomware worm like ZCryptor when the enterprise can't, or hasn't yet, upgraded to the most recent operating system version. ZCryptor can drop the malware onto USB drives and file shares together with an autorun.inf file, so that a vulnerable system runs the malware as soon as a user opens the directory. ZCryptor is also distributed via malicious emails, where an attachment with embedded macros executes the malware. With the rise of cloud file storage, "file shares" should be read broadly: any automated mechanism that saves files to an external location from which a user can later open them directly, and potentially execute the malicious code, presents the same exposure.

Since every enterprise is exposed to ransomware like ZCryptor, taking mitigation steps is necessary for yours as well. First, check whether, and how, your endpoint security suite protects against ransomware, for example with functionality like the CryptoDrop tool developed by researchers at the University of Florida. Ransomware protection and the need for good backups have been covered extensively, but two additional steps on top of the Microsoft recommendations can minimize the chance that a single compromised endpoint affects the entire enterprise: ensure users have only the write access they need to file share stores, and disable autorun. Limiting a user's access to only the needed files means the ransomware can encrypt only those files, potentially leaving the rest unaffected. Disabling autorun is a standard antimalware recommendation and stops the malware from launching automatically when a drive or share is opened.
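The two controls above, disabling autorun and tightening share write access, plus a check for the autorun.inf artefact the worm drops, can be scripted for a Windows fleet. The following is an added example written for this page, not code from the article or from Microsoft; it assumes Windows PowerShell 5.1 or later run as a local administrator, and the share and drive paths in the usage lines are placeholders.

```powershell
# Added example (not from the original article): harden against autorun-based spread
# and audit file-share write access. Assumes Windows PowerShell 5.1+ as administrator;
# share/drive paths below are placeholders.

# 1. Disable autorun for every drive type and stop Explorer from honoring autorun.inf.
#    NoDriveTypeAutoRun = 0xFF sets every drive-type bit; NoAutorun = 1 is the
#    per-machine policy value that makes Windows ignore autorun.inf entirely.
function Disable-Autorun {
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    Set-ItemProperty -Path $policyKey -Name 'NoAutorun' -Value 1 -Type DWord
    # Return the values actually written so the result can be verified.
    Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun', 'NoAutorun'
}

# 2. Find autorun.inf files on share or removable-drive roots and show which
#    program each one would launch. An autorun.inf appearing on a file share is
#    the artefact described in the article and is worth alerting on.
function Find-AutorunInf {
    param([Parameter(Mandatory)][string[]]$Root)
    foreach ($r in $Root) {
        Get-ChildItem -Path $r -Filter 'autorun.inf' -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $content = Get-Content -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                # The [autorun] section's open= / shellexecute= lines name the payload.
                $launch = ($content | Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' }) -join '; '
                [pscustomobject]@{
                    Path      = $_.FullName
                    LastWrite = $_.LastWriteTime
                    Launches  = $launch
                }
            }
    }
}

# 3. Report Allow ACEs on a share folder that give write-capable rights to broad
#    principals. These are the entries that let one infected endpoint write the
#    worm (and encrypt files) across the whole share.
function Get-BroadWriteAccess {
    param([Parameter(Mandatory)][string[]]$Path)
    $broadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Domain Users'
    $writeRights = '\b(Write|WriteData|CreateFiles|Modify|FullControl)\b'
    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            $isBroad = $broadPrincipals | Where-Object { $id -like "*$_" }
            if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and
                ($ace.FileSystemRights.ToString() -match $writeRights)) {
                [pscustomobject]@{ Path = $p; Principal = $id; Rights = $ace.FileSystemRights }
            }
        }
    }
}

# Usage (placeholder paths):
# Disable-Autorun
# Find-AutorunInf -Root '\\FILESERVER\Shared', 'E:\'
# Get-BroadWriteAccess -Path '\\FILESERVER\Shared' | Format-Table -AutoSize
```

Disable-Autorun writes the same policy values a Group Policy object would, so on a domain it is better applied centrally and this function used only to confirm the result on a given host. Get-BroadWriteAccess deliberately reports rather than changes ACLs; removing an ACE that a business process depends on is its own outage, so the output is meant to drive a review with the share owner.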


This was last published in November 2016
