{"id":50367,"date":"2016-06-08T11:45:21","date_gmt":"2016-06-08T18:45:21","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=50367"},"modified":"2025-06-08T20:11:32","modified_gmt":"2025-06-09T03:11:32","slug":"zcrypt-expands-reach-as-virus-ransomware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/","title":{"rendered":"Zcrypt Expands Reach as \u2018Virus Ransomware\u2019"},"content":{"rendered":"<p>McAfee has recently seen a new kind of ransomware, Zcrypt, that can self-replicate. This \u201cvirus ransomware\u201d arrives via email as a malicious attachment or by posing as an Adobe Flash Player installation. The malware copies itself onto removable drives to infect other machines.<\/p>\n<p>Zcrypt uses the Nullsoft Scriptable Install System (NSIS), which works like a Zip file, decompressing and loading its content while running.<\/p>\n<p><em>Summary of original Zcrypt file.<\/em><\/p>\n<p>If we take a look at the resource, we can see some information related to the installer. The following window, extracted from the resource viewer, belongs to the installer, but no window appears when the sample runs.<\/p>\n<p><em>Resource information for Zcrypt file.<\/em><\/p>\n<p>Using a simple unzip tool, we can see the content of the file.<\/p>\n<p><em>Extracted content of Zcrypt ransomware.<\/em><\/p>\n<p>The files contained in the original sample:<\/p>\n<ul>\n<li>$PLUGINSDIR contains the system.dll file related to the Nullsoft engine.<\/li>\n<li>cCS file, read by the DLL before it runs the final payload.<\/li>\n<li>9 file, read by the DLL before it runs the final payload.<\/li>\n<li>dll is the malicious DLL that runs the final payload.<\/li>\n<\/ul>\n<h2><strong>DLL analysis<\/strong><\/h2>\n<p>SetCursor.dll is loaded by the installer. 
The following screenshot gives us some information about this DLL:<\/p>\n<p><em>Summary information for SetCursor.dll.<\/em><\/p>\n<p>We can also see that the compilation date is not correct: it indicates a very old file (1970).<\/p>\n<p>The file\u2019s metadata refers to the tool TortoisePlink, and the sample\u2019s icon is that of the software PuTTY.<\/p>\n<p><em>Metadata for SetCursor.dll.<\/em><\/p>\n<p>The sample uses obfuscation to hide its behavior and to hinder analysis. The export table is completely obfuscated and cannot be read statically.<\/p>\n<p><em>Extract of obfuscated export table.<\/em><\/p>\n<h2><strong>Behavior<\/strong><\/h2>\n<p>The sample creates a registry Run key and a LNK file in the Startup folder for persistence. It calculates the MD5 hash of the string (computer name @ user name) and saves it in cid.ztxt. Then it drops both the public and private keys and queries a remote IP address to register the infected machine. Once the machine is registered, the malware starts encrypting files, giving each one the Zcrypt extension. 
Once the encryption is finished, it drops an HTML file on the desktop, downloads a PNG ransom message from 93.174.90.126, and retrieves the Bitcoin address for paying the ransom.<\/p>\n<p>While running, the sample creates or queries the following registry keys:<\/p>\n<ul>\n<li>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\zcrypt<\/li>\n<li>HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\zcrypt.exe<\/li>\n<li>HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Compatibility32\\zcrypt<\/li>\n<li>HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\zcrypt.exe<\/li>\n<li>HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\zcrypt.exe<\/li>\n<li>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\zcrypt.exe<\/li>\n<li>HKCU\\Software\\Classes\\AppID\\zcrypt.exe<\/li>\n<li>HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\zcrypt.exe<\/li>\n<\/ul>\n<p>And creates these files:<\/p>\n<ul>\n<li>C:\\Users\\&lt;username&gt;\\AppData\\Roaming\\Microsoft\\Windows\\Start 
Menu\\Programs\\Startup\\zcrypt.lnk<\/li>\n<li>C:\\Users\\&lt;username&gt;\\AppData\\Roaming\\zcrypt.exe<\/li>\n<li>C:\\Users\\&lt;username&gt;\\AppData\\Roaming\\cid.ztxt<\/li>\n<li>C:\\Users\\&lt;username&gt;\\AppData\\Local\\Temp\\nsr76A8.tmp<\/li>\n<li>C:\\Users\\&lt;username&gt;\\AppData\\Local\\Temp\\nsr76A9.tmp\\System.dll<\/li>\n<li>C:\\Users\\&lt;username&gt;\\AppData\\Local\\Temp\\nsm3B6D.tmp<\/li>\n<li>C:\\Users\\&lt;username&gt;\\AppData\\Local\\Temp\\nsm3B6E.tmp<\/li>\n<li>C:\\Users\\&lt;username&gt;\\AppData\\Local\\Temp\\nsm3B6E.tmp\\System.dll<\/li>\n<li>C:\\Users\\&lt;username&gt;\\AppData\\Roaming\\Coalfish.cCS<\/li>\n<li>C:\\Users\\&lt;username&gt;\\AppData\\Roaming\\Relay.9<\/li>\n<li>C:\\Users\\&lt;username&gt;\\AppData\\Roaming\\SetCursor.dll<\/li>\n<li>C:\\Users\\&lt;username&gt;\\Desktop\\SetCursor.DLL<\/li>\n<li>C:\\Windows\\System32\\SetCursor.DLL<\/li>\n<li>C:\\Windows\\system\\SetCursor.DLL<\/li>\n<li>C:\\Windows\\SetCursor.DLL<\/li>\n<li>C:\\Users\\&lt;username&gt;\\Desktop\\zcrypt.exe.Local<\/li>\n<li>C:\\Users\\&lt;username&gt;\\AppData\\Roaming\\public.key<\/li>\n<li>C:\\Users\\&lt;username&gt;\\AppData\\Roaming\\private.key<\/li>\n<\/ul>\n<h2><strong>Network connection<\/strong><\/h2>\n<p>The sample makes the following requests to the site dedicate-hosting.ml (93.174.90.126):<\/p>\n<p style=\"padding-left: 30px;\">Public-key request:<br \/>\nGET http:\/\/dedicate-hosting.ml\/c8a40e36a897c6073b393e12c646894d\/e72b2dacd696259ae4abb9952bc53f4d.php?computerid=&amp;public=1 HTTP\/1.1<\/p>\n<p style=\"padding-left: 30px;\">Private-key request:<br \/>\nGET http:\/\/dedicate-hosting.ml\/c8a40e36a897c6073b393e12c646894d\/e72b2dacd696259ae4abb9952bc53f4d.php?computerid=&amp;private=1 HTTP\/1.1<\/p>\n<p style=\"padding-left: 30px;\">Bitcoin address request:<br \/>\nGET http:\/\/dedicate-hosting.ml\/c8a40e36a897c6073b393e12c646894d\/e72b2dacd696259ae4abb9952bc53f4d.php?computerid=&amp;btc=1 HTTP\/1.1<br \/>\nConnection: Keep-Alive<\/p>\n<p 
style=\"padding-left: 30px;\">PNG ransom message request:<br \/>\nGET http:\/\/dedicate-hosting.ml\/4.png HTTP\/1.1<\/p>\n<p>After a successful infection, victims see the ransom message:<\/p>\n<p><em>The Zcrypt HTML ransom message.<\/em><\/p>\n<p><em>The PNG ransom message.<\/em><\/p>\n<h2><strong>Digging deeper<\/strong><\/h2>\n<p>To further analyze Zcrypt, we changed the Characteristics field in the sample\u2019s PE header so that it would load into OllyDbg as a normal executable. The DLL uses multiple WriteProcessMemory calls to write the payload into the memory space. (For more, see <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms681674%28v=vs.85%29.aspx\">https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms681674%28v=vs.85%29.aspx<\/a>.)<\/p>\n<p style=\"padding-left: 30px;\">BOOL WINAPI WriteProcessMemory(<\/p>\n<p style=\"padding-left: 60px;\">_In_ HANDLE hProcess,<br \/>\n_In_ LPVOID lpBaseAddress,<br \/>\n_In_ LPCVOID lpBuffer,<br \/>\n_In_ SIZE_T nSize,<br \/>\n_Out_ SIZE_T *lpNumberOfBytesWritten<\/p>\n<p style=\"padding-left: 30px;\">);<\/p>\n<p><em>The WriteProcessMemory function.<\/em><\/p>\n<p>Once the final WriteProcessMemory step completes, we can extract the payload from memory using the address of the buffer.<\/p>\n<p><em>Extracting the payload from memory.<\/em><\/p>\n<p>After extracting the payload, we can see the language used and the original compilation date, which is close to the infection date.<\/p>\n<p><em>Summary of the payload.<\/em><\/p>\n<p>A program database file reveals the original name, MyEncrypter2:<\/p>\n<p>The sample also uses some tricks to evade analysis:<\/p>\n<p><em>Zcrypt\u2019s antidebugging tricks.<\/em><\/p>\n<p>To encrypt the files on the system, the sample uses OpenSSL. 
We can find some references in the code:<\/p>\n<p><em>References to OpenSSL.<\/em><\/p>\n<p>This code is related to evp_enc.c, which we can find on GitHub.<\/p>\n<p><em>Further references to OpenSSL.<\/em><\/p>\n<p>All files <a href=\"https:\/\/github.com\/openssl\/openssl\/tree\/master\/crypto\">can be found here.<\/a><\/p>\n<p>The list of targeted file extensions:<\/p>\n<p style=\"padding-left: 30px;\">.zip, .mp4, .avi, .mkv, .wmv, .swf, .pdf, .sql, .txt, .jpeg, .jpg, .png, .bmp, .psd, .doc, .docx, .rtf, .xls, .xlsx, .odt, .ppt, .pptx, .xml, .cpp, .asm, .php, .aspx, .html, .conf, .sln, .mdb, .3fr, .accdb, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .dbf, .dcr, .der, .dng, .dwg, .dxf, .dxg, .eps, .erf, .indd, .kdc, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odp, .ods, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .pst, .ptx, .r3d, .raf, .raw, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .jnt, .pub, .trc, .tar, .jsp, .mpeg, .msg, .log, .vob, .max, .3ds, .3dm, .cgi, .jar, .class, .java, .bak, .pdb, .apk, .sav, .cbr, .pkg, .tar.gz, .fla, .vcxproj, .XCODEPROJ, .eml, .emlx, .mbx, .vcf<\/p>\n<p><em>Targeted extensions.<\/em><\/p>\n<p>The sample also tries to create autorun.inf on any connected removable or network drive, which it identifies with the function GetDriveType. This capability lets the malware self-replicate and infect more victims without human action. 
(For more, see <a href=\"https:\/\/msdn.microsoft.com\/en-gb\/library\/windows\/desktop\/aa364939%28v=vs.85%29.aspx\">https:\/\/msdn.microsoft.com\/en-gb\/library\/windows\/desktop\/aa364939%28v=vs.85%29.aspx<\/a>.)<\/p>\n<p style=\"padding-left: 30px;\">UINT WINAPI GetDriveType(_In_opt_ LPCTSTR lpRootPathName);<\/p>\n<p><em>The GetDriveType function.<\/em><\/p>\n<p><em>GetDriveType in the sample.<\/em><\/p>\n<p><em>The AutoRun file.<\/em><\/p>\n<p><em>Creating an AutoRun file on a removable drive.<\/em><\/p>\n<p>To download a file from the server, the sample uses the function URLDownloadToFile; it then uses CreateFile to write the files onto the infected machine.<\/p>\n<p><em>Downloading and creating the PNG file from the remote site.<\/em><\/p>\n<p>Finally, the sample creates a batch file to delete some files, such as the private key. The malware runs the batch file with the function WinExec, with the uCmdShow parameter set to \u201c0\u201d so that no command window is displayed. (For more, see <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms633548%28v=vs.85%29.aspx\">https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/ms633548%28v=vs.85%29.aspx<\/a>.)<\/p>\n<p><em>Creating and running the batch file.<\/em><\/p>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>This short analysis of Zcrypt shows that ransomware continues to gain capabilities to infect more systems. 
It is interesting to note that CryptoLocker actors also used the Nullsoft installer last year.<\/p>\n<p>To protect yourself and your systems against this type of threat, read <a href=\"https:\/\/www.mcafee.com\/enterprise\/en-us\/assets\/solution-briefs\/sb-how-to-protect-against-ransomware.pdf\"><em>How to Protect Against Ransomware.<\/em><\/a><\/p>\n<p>Indicators of compromise:<\/p>\n<ul>\n<li>hxxp:\/\/dedicate-hosting.ml<\/li>\n<li>exe = 4e971d8a160579a5ef60b214aed0008a<\/li>\n<li>cCS = c0232ecc947fa7332187dca7f3ce3eb1<\/li>\n<li>9 = e7a1c862460e65f0fde91d9020b3f3f5<\/li>\n<li>dll = 843f7d05fa78119554496bbc042c6147<\/li>\n<li>mem = 5fde78da66d1d44d4993a0945e025311<\/li>\n<\/ul>\n<p>Related sample:<\/p>\n<ul>\n<li>d1e75b274211a78d9c5d38c8ff2e1778<\/li>\n<li>hxxp:\/\/qwertyuiop.gp<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>McAfee has recently seen a new kind of ransomware\u2013Zcrypt\u2014that can self-replicate. This \u201cvirus ransomware\u201d arrives via email in a malicious&#8230;<\/p>\n","protected":false},"author":839,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,338,180],"coauthors":[4688],"class_list":["post-50367","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-endpoint-protection","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Zcrypt Expands Reach as \u2018Virus Ransomware\u2019 | McAfee Blog<\/title>\n<meta name=\"description\" content=\"McAfee has recently seen a new kind of ransomware\u2013Zcrypt\u2014that can self-replicate. 
This \u201cvirus ransomware\u201d arrives via email in a malicious attachment or\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Zcrypt Expands Reach as \u2018Virus Ransomware\u2019 | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"McAfee has recently seen a new kind of ransomware\u2013Zcrypt\u2014that can self-replicate. This \u201cvirus ransomware\u201d arrives via email in a malicious attachment or\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2016-06-08T18:45:21+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-09T03:11:32+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture1.jpg\" \/>\n<meta name=\"author\" content=\"Thomas Roccia\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@fr0gger_\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Thomas Roccia\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/\"},\"author\":{\"name\":\"Thomas Roccia\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/84a85fe82c49f836915869700f5168e7\"},\"headline\":\"Zcrypt Expands Reach as \u2018Virus Ransomware\u2019\",\"datePublished\":\"2016-06-08T18:45:21+00:00\",\"dateModified\":\"2025-06-09T03:11:32+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/\"},\"wordCount\":1363,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"keywords\":[\"computer security\",\"cybercrime\",\"endpoint protection\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/\",\"name\":\"Zcrypt Expands Reach as \u2018Virus Ransomware\u2019 | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"datePublished\":\"2016-06-08T18:45:21+00:00\",\"dateModified\":\"2025-06-09T03:11:32+00:00\",\"description\":\"McAfee has recently seen a new kind of ransomware\u2013Zcrypt\u2014that can self-replicate. 
This \u201cvirus ransomware\u201d arrives via email in a malicious attachment or\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Zcrypt Expands Reach as \u2018Virus Ransomware\u2019\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security 
News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/84a85fe82c49f836915869700f5168e7\",\"name\":\"Thomas Roccia\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/219099eb1ee40018f72bf1e381c6bd75\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-1-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-1-96x96.png\",\"caption\":\"Thomas Roccia\"},\"description\":\"Thomas Roccia is senior security researcher on the Advanced Threat Research team. He works on threat intelligence, tracking cybercrime campaigns and collaborating with law enforcement agencies. 
In a previous role, Thomas worked on the McAfee Foundstone team, performing worldwide incident response, malware hunting, and penetration testing. He has helped customers during major outbreaks and managed highly critical situations. Thomas has developed workshops, training courses, presentations, he leads the Unprotect Project, an open-source database dedicated to malware evasion techniques. His work in security research includes threat intelligence, malware, reverse engineering, vulnerabilities as well as innovation and patenting. He speaks regularly at security conferences.\",\"sameAs\":[\"http:\/\/troccia.tdgt.org\",\"https:\/\/www.linkedin.com\/in\/thomas-roccia\/\",\"https:\/\/x.com\/fr0gger_\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/thomas-roccia\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Zcrypt Expands Reach as \u2018Virus Ransomware\u2019 | McAfee Blog","description":"McAfee has recently seen a new kind of ransomware\u2013Zcrypt\u2014that can self-replicate. This \u201cvirus ransomware\u201d arrives via email in a malicious attachment or","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Zcrypt Expands Reach as \u2018Virus Ransomware\u2019 | McAfee Blog","og_description":"McAfee has recently seen a new kind of ransomware\u2013Zcrypt\u2014that can self-replicate. 
This \u201cvirus ransomware\u201d arrives via email in a malicious attachment or","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2016-06-08T18:45:21+00:00","article_modified_time":"2025-06-09T03:11:32+00:00","og_image":[{"url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Capture1.jpg","type":"","width":"","height":""}],"author":"Thomas Roccia","twitter_card":"summary_large_image","twitter_creator":"@fr0gger_","twitter_site":"@McAfee","twitter_misc":{"Written by":"Thomas Roccia","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/"},"author":{"name":"Thomas Roccia","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/84a85fe82c49f836915869700f5168e7"},"headline":"Zcrypt Expands Reach as \u2018Virus Ransomware\u2019","datePublished":"2016-06-08T18:45:21+00:00","dateModified":"2025-06-09T03:11:32+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/"},"wordCount":1363,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"keywords":["computer security","cybercrime","endpoint protection","malware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/","name":"Zcrypt Expands Reach as \u2018Virus Ransomware\u2019 | McAfee 
Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"datePublished":"2016-06-08T18:45:21+00:00","dateModified":"2025-06-09T03:11:32+00:00","description":"McAfee has recently seen a new kind of ransomware\u2013Zcrypt\u2014that can self-replicate. This \u201cvirus ransomware\u201d arrives via email in a malicious attachment or","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zcrypt-expands-reach-as-virus-ransomware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Zcrypt Expands Reach as \u2018Virus Ransomware\u2019"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security 
News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/84a85fe82c49f836915869700f5168e7","name":"Thomas Roccia","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/219099eb1ee40018f72bf1e381c6bd75","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-1-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/08\/2-1-96x96.png","caption":"Thomas Roccia"},"description":"Thomas Roccia is senior security researcher on the Advanced Threat Research team. He works on threat intelligence, tracking cybercrime campaigns and collaborating with law enforcement agencies. In a previous role, Thomas worked on the McAfee Foundstone team, performing worldwide incident response, malware hunting, and penetration testing. 
He has helped customers during major outbreaks and managed highly critical situations. Thomas has developed workshops, training courses, presentations, he leads the Unprotect Project, an open-source database dedicated to malware evasion techniques. His work in security research includes threat intelligence, malware, reverse engineering, vulnerabilities as well as innovation and patenting. He speaks regularly at security conferences.","sameAs":["http:\/\/troccia.tdgt.org","https:\/\/www.linkedin.com\/in\/thomas-roccia\/","https:\/\/x.com\/fr0gger_"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/thomas-roccia\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/50367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/839"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=50367"}],"version-history":[{"count":5,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/50367\/revisions"}],"predecessor-version":[{"id":215301,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/50367\/revisions\/215301"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=50367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=50367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=50367"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=50367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}