Zepto Ransomware Soars

InfoSecurity Magazine- Phil Muncaster

Security researchers are warning users of a spike in spam emails containing a variant of the infamous Locky ransomware, known as Zepto.

Cisco’s Talos team spotted 137,731 emails in just four days, containing over 3300 unique samples, according to technical lead, Warren Mercer.

Most of the emails used simple social engineering, asking the user to look at an attached document they had ‘requested.’

Emails are also crafted to appear more convincing by greeting the recipient by first name, he explained.

Once opened, the malicious JavaScript will run in the background, encrypting all files on a user’s machine with the .zepto extension.

Some samples only contacted one C&C server whilst others communicated with up to nine domains, the researcher continued.

Once the encryption has been done, the malware will display a message for the victim, demanding payment.

“The email attack vector will continue to be used as email is an everyday occurrence now and the ability to generate large lists of emails for spam campaigns like this is growing easier. The breaches which occur include email data which is actively sold to bidders on the underground for this type of campaign,” said Mercer.

“Ensuring users are careful with email attachments, like the ones used in this campaign, will help in an attempt to null the effects of this and further spam campaigns. Talos recommend you ensure you have a good backup strategy should you be hit with ransomware and we strongly advise that payment is never made to these actors.”

Meanwhile the Locky ransomware continues to evolve, causing devastation to individuals and businesses as it goes.

When it first burst onto the scene earlier this year, the botnet distributing it was shown to be the same one spreading Dridex banking malware.

In March, FireEye noted a sharp spike in Locky spam with users impacted in over 50 countries.