ZeroCrypt is an encryption ransomware trojan that identifies the encrypted files with the extension '.ZN2016'. This malware was devised to be a task in the ZeroNight 2016 hacker competition. To complete the task, participants were challenged to crack the encryption. It is the only known ransomware to be used in a ZeroNight competition. Sysenter was the first to crack the encryption.
Once ZeroCrypt encrypts a file, it is no longer accessible. ZeroCrypt demands that the victim pays a ransom in exchange for the decryption key that is necessary to recover the encrypted data.
When the file is opened or the link accessed, ZeroCrypt is downloaded and executed on the targeted computer. As soon as ZeroCrypt is downloaded, it will begin to carry out its attack.
During encryption, ZeroCrypt appends the ".zn2016" extension to the name of each compromised file (for example, "sample.jpg" becomes "sample.jpg.zn2016").
ZeroCrypt may inject corrupted scripts into Windows memory processes such as svchost.exe or explorer.exe to hide its activities in the background. ZeroCrypt makes modifications to the Windows Registry that allow it to run in the background and carry out its activities. Using a strong encryption algorithm, ZeroCrypt will begin encrypting the victim's files, generating a decryption key that is also encrypted and delivered to ZeroCrypt's Command and Control server.
Every time ZeroCrypt encrypts a file, it changes its extension, making it obvious which files are no longer accessible. Essentially, ZeroCrypt takes the victim's computer hostage until the victim pays the ransom.
ZeroCrypt demands its ransom by dropping text files on the victim's computer. The message the ransomware drops reads:
!!! IMPORTANT INFORMATION !!!
All of your files are encrypted with RSA-1024 and some secret ciphers.
Decrypting of your files is only possible with the secret key or decryption program, which is in our secret server.
To receive your secret key send 10 BTC on this bitcoin-address:
The secret key can decrypt the data on a single computer.
To receive your decryption program send 100 BTC on this bitcoin-address:
The decryption program can decrypt the data on all of your computers.
When you send money, please contact us at this email address:
ZeroCrypt's ransom note is quite rude, asking for the ridiculously high amount of 10 Bitcoins (approximately $7200 USD at the current exchange rate). Most ransomware Trojans demand a payment amount between 0.5 and 1.5 Bitcoins, which is already high. Asking for 10 Bitcoins, with the threat of raising the amount to 100 Bitcoins.
- Simultaneously hold down Windows+E keys.
- Enter %LOCALAPPDATA% in the address box and hit Enter.
- Find the folder named ZeroCrypt and Delete it.
- Close the File Explorer window.
- Then simultaneously hold down Windows+R keys.
- Enter regedit in the box and hit Enter.
- Find the registry string ZeroCrypt and delete it.
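
Before deleting anything, it helps to record what is actually on the disk. The following Python script is an added example, not part of the original write-up or of any vendor tool: it makes a read-only inventory of the two file-system indicators named above, the ZeroCrypt folder under %LOCALAPPDATA% and files carrying the appended ".zn2016" extension, and notes where an intact copy of the original file still exists. The function names and the constructed directory tree in demo() are assumptions made for illustration; the registry check stays a manual step.

```python
import os
import tempfile
from pathlib import Path

ENC_EXT = ".zn2016"     # appended extension (the page also writes it ".ZN2016")
DROP_DIR = "ZeroCrypt"  # folder the removal steps look for in %LOCALAPPDATA%


def original_name(enc: Path) -> Path:
    """'sample.jpg.zn2016' -> 'sample.jpg': the extension is appended, not swapped."""
    return enc.with_name(enc.name[: -len(ENC_EXT)])


def triage(scan_root, local_appdata):
    """Read-only inventory; nothing is deleted, renamed or decrypted."""
    drop = Path(local_appdata) / DROP_DIR
    report = {"drop_dir": str(drop) if drop.is_dir() else None,
              "encrypted": [], "plain_copy_exists": []}
    for dirpath, _dirs, files in os.walk(scan_root):
        for name in sorted(files):
            # Case-insensitive match; skip a bare ".zn2016" (no original name).
            if not name.lower().endswith(ENC_EXT) or len(name) == len(ENC_EXT):
                continue
            enc = Path(dirpath) / name
            report["encrypted"].append(enc)
            # An intact file under the original name changes the recovery plan.
            if original_name(enc).is_file():
                report["plain_copy_exists"].append(original_name(enc))
    return report


def demo():
    """Run the triage over a constructed tree; return paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        appdata = Path(tmp) / "AppData" / "Local"   # stand-in for %LOCALAPPDATA%
        (appdata / DROP_DIR).mkdir(parents=True)
        (docs / "photos").mkdir(parents=True)
        for rel in ("sample.jpg.zn2016", "photos/a.png.ZN2016", "notes.txt",
                    "report.docx", "report.docx.zn2016"):
            (docs / rel).write_bytes(b"constructed sample")
        rep = triage(docs, appdata)
        rel_to = lambda paths: sorted(p.relative_to(docs).as_posix() for p in paths)
        return (rep["drop_dir"] is not None,
                rel_to(rep["encrypted"]), rel_to(rep["plain_copy_exists"]))


if __name__ == "__main__":
    print(demo())
```

On a real host, call triage() with the user's profile directory and the value of %LOCALAPPDATA%, and keep the resulting list with the incident notes.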