Looming Epidemic? Zepto Ransomware Found Spreading Via Massive Spam Campaign

Zepto is a recently-discovered ransomware variant that has been surging lately, thanks to a recent spam email campaign known to have distributed at least 130,000 spam emails that feature a new naming convention in just four days. Zepto is said to have ties with Locky, a ransomware family also known for its use of aggressive spam campaigns—among other methods—for widespread distribution.

According to Cisco Talos’ report, the ransomware spam campaign began using a new naming convention ("swift [XXX|XXXX].js") on June 27, making use of simple social engineering tactics to trick users into opening an attached document. These emails are crafted to appear more plausible by using the recipient’s first name. Once opened, the malicious JavaScript runs in the background, and the files on the user’s machine are encrypted and given the .zepto extension.
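
The attachment naming convention reported above ("swift [XXX|XXXX].js") can be turned into a simple mail-gateway check. The following is an added example, not code from the article or from Trend Micro or Cisco Talos: it parses a raw message with Python's standard `email` module, flags attachment names matching the campaign pattern, and, as a generalization beyond the page, also flags any script-type attachment. The sample message, sender and recipient addresses are constructed for the example.

```python
import email
import re
from email import policy

# Attachment names used by the campaign: "swift " followed by three or four
# characters and a .js extension, e.g. "swift 1234.js" (pattern is an assumption
# drawn from the "swift [XXX|XXXX].js" convention described in the article).
SWIFT_JS_PATTERN = re.compile(r"^swift\s*\w{3,4}\.js$", re.IGNORECASE)

# Script extensions that rarely belong in mail attachments; the campaign uses
# .js, the others are a general hardening choice added in this example.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf")


def classify_attachment(filename):
    """Return 'zepto-spam', 'script' or 'ok' for one attachment file name."""
    name = filename.strip().lower()
    if SWIFT_JS_PATTERN.match(name):
        return "zepto-spam"
    if name.endswith(SCRIPT_EXTENSIONS):
        return "script"
    return "ok"


def scan_message(raw_message):
    """Parse a raw RFC 5322 message and return [(attachment name, verdict), ...]."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name, classify_attachment(name)))
    return results


# Constructed sample message mimicking the campaign: personalized greeting and a
# "swift NNNN.js" attachment (the base64 body is the harmless text "var x = 1;").
SAMPLE_MESSAGE = """\
From: accounts@example.invalid
To: alice@example.invalid
Subject: Hi Alice, your payment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Alice, please see the attached swift copy.
--b1
Content-Type: application/javascript; name="swift 1234.js"
Content-Disposition: attachment; filename="swift 1234.js"
Content-Transfer-Encoding: base64

dmFyIHggPSAxOw==
--b1--
"""

if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{name!r}: {verdict}")
```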

After a binary is downloaded and executed, local files are encrypted and the malware displays a message for the victim demanding payment in Bitcoin. The user receives instruction screens in an .HTML file dropped by the malware, an image file, and a background/wallpaper change. Zepto appears to be gaining some traction due to its efficient attack vector—a widespread spam campaign, whereas most ransomware is delivered via other vectors.

The Locky Connection

Zepto is known to share technical similarities with Locky (detected by Trend Micro as RANSOM_LOCKY.A), from its spam email-based distribution methods to its use of RSA encryption keys for locking certain file types. Since Locky’s discovery in February 2016, it has continued to evolve and successfully target both individuals and businesses, and has been used in a number of high-profile ransomware attacks on healthcare facilities.


This isn't the first time that a new ransomware variant has been linked to Locky. Recently, a ransomware variant called Bart was found masquerading as photos and was being distributed via spam emails. Bart is also believed to have ties with Locky.

Because recent Locky variants such as Bart and Zepto—along with a number of other ransomware families—are known to be widely distributed through spam, there are a number of ways to prevent infection before they arrive in a victim's inbox. Best practices, such as not opening emails and attachments from unverified sources, and disabling macros, can help reduce the risks posed by spam-based threats. Trend Micro™ Security, Smart Protection Suites, and Worry-Free Business Security can protect users and SMBs from this threat by detecting malicious files and blocking all links related to malicious URLs. Trend Micro Deep Discovery also has an Email Inspector feature that uses advanced detection techniques to identify and block emails that deliver ransomware and other malware.
