Ransomware called Zepto is raising concerns with security experts because of its close ties to the more mature and prolific Locky ransomware. Zepto was spotted about a month ago but a recent wave of spam containing Zepto-laced attachments detected on June 27 is heightening fears of widespread infections.
“We are watching Zepto very carefully. It’s closely tied to Locky, sharing many of the same attributes,” said Craig Williams, senior technical leader and global outreach manager at Cisco Talos. “There is still a lot to learn about Zepto. As far as we can tell, it’s either a new variant of Locky or an entirely new ransomware with many copycat Locky features,” he said.
Cisco Talos, which published its findings on the ransomware Thursday, said 137,731 spam messages have been found this week that contain the Zepto malicious attachment. The Zepto name comes from the .zepto suffix used as the extension for encrypted files.
Technical details of Zepto are similar to Locky in many ways, said Warren Mercer, security researcher for Cisco Talos. Comparisons include the type of RSA encryption keys used by Locky, the types of files Zepto and Locky leave behind and similarities to the ransom text.
“We are moving quickly and pulling apart as many samples as we can to understand if this is still Locky or something unique,” Mercer said.
Williams said as ransomware infections have skyrocketed its created a rush to market of limited and ineffective ransomware. However, while Zepto may be limited for now, it’s not ineffective.
“This one we are concerned about. It’s professionally built ransomware that is going to infect tens of thousands of users. It’s definitely on the top of radar,” he said.
Infection is via a “.zip” file email attachment that contain a malicious “.js” JavaScript executable. Once the JavaScript goes to work it runs quietly on the victim’s machine slowly locking files with the .zepto extension.
A closer examination of the JavaScript revealed 3,305 unique samples from the 137,000 emails.
“Once executed the malicious JavaScript uses ‘wscript.exe’ to launch HTTP GET requests to the defined C2 domains – this is where some of the samples differed as some would initiate connectivity to a single domain, whilst others, would communicate with up to 9 domains,” according to the technical write-up of Zepto.
The distribution of Zepto is via spam spewing botnets that are taking a spray-and-pray targeting approach. While initial totals of 137,731 spam messages may seem low compared to other ransomware campaigns that send out as many as 50 million messages a day, Williams said the numbers for Zepto are impressive for new ransomware just out of the gate.
Researchers say malicious emails are customized to include the email recipient’s first name within the message body’s salutation. Subject lines are mostly invoice ploys or ones that included CCed documents and financial reports.
Currently only about eight percent of spam email include malicious attachments.
“If Zepto sticks with this attack vector it may never become a serious threat. However, it’s very likely Zepto moves into exploit kits as time goes on,” Williams said. “A move by Zepto to malvertising, for example, could get bad very fast,” he said.