Locky ransomware variant Zepto hits users via email

A new version of Locky ransomware that has been dubbed “Zepto” due to the .zepto extension added to encrypted files is successfully extorting users around the world.

Zepto was first spotted a little over a week ago, when it began being delivered to victims via spam email.

The emails carry a variety of subject lines suggesting that the sender is sending a new invoice, a (financial) report, or document copies that the recipient has requested:

[Image: spam email delivering Zepto]

“The name of the attached .zip file is created by combining the username in the ‘To’ email address header, an underscore, plus a random number. The email body was also customized to include mail-merged salutations such as ‘Dear’ and ‘Hello’ which use the same string from the email address username,” Cisco Talos researchers note.

The attached .zip archive contains a malicious JavaScript file. When run, it downloads the Zepto ransomware binary from a C&C server and executes it.
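The two observations above (an attachment named from the recipient's username plus a random number, a mail-merged salutation using the same string, and a script file inside the zip) are concrete enough to check at a mail gateway. The following Python script is an added example, not code from the article or from Cisco Talos: it constructs a sample message with the same structure (the zip holds a harmless placeholder file, not malware), then parses the raw message and reports which of the campaign's indicators are present. Addresses, file names and the `SCRIPT_EXTENSIONS` list are assumptions for the example.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions inside a .zip attachment that a gateway should treat as script
# content rather than a document. Assumed list for this example.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs")


def build_sample_email(to_addr: str, attachment_name: str, inner_name: str) -> bytes:
    """Construct a message shaped like the campaign (constructed sample, not a
    real captured email). The archive contains a placeholder text file only."""
    username = to_addr.split("@", 1)[0]
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = to_addr
    msg["Subject"] = "Re: your invoice"
    msg.set_content(f"Hello {username},\n\nPlease find the requested document copies attached.\n")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "// placeholder content for the example\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


def zepto_indicators(raw: bytes) -> list:
    """Parse a raw RFC 822 message and return the campaign indicators found."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []

    _, to_addr = parseaddr(msg.get("To", ""))
    username = to_addr.split("@", 1)[0]
    if not username:
        return indicators

    # Indicator 1: salutation ("Dear"/"Hello") built from the To-address local part.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if re.search(rf"^(Dear|Hello)\s+{re.escape(username)}\b", text,
                 re.IGNORECASE | re.MULTILINE):
        indicators.append("salutation_from_username")

    # Indicator 2: attachment named <username>_<random number>.zip
    name_pattern = re.compile(rf"^{re.escape(username)}_\d+\.zip$", re.IGNORECASE)
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if name_pattern.match(fname):
            indicators.append("attachment_named_from_username")

        # Indicator 3: the archive carries a script file instead of a document.
        if fname.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                    if any(n.lower().endswith(SCRIPT_EXTENSIONS) for n in zf.namelist()):
                        indicators.append("script_inside_zip")
            except zipfile.BadZipFile:
                indicators.append("unreadable_zip")
    return indicators


if __name__ == "__main__":
    sample = build_sample_email("alice@example.invalid", "alice_48213.zip", "invoice_Kz8.js")
    print(zepto_indicators(sample))
```

Any one indicator on its own is weak (a salutation drawn from the address is common in legitimate mail-merge), so a gateway rule would normally quarantine only when the zip-contains-script indicator is present and use the other two to raise confidence.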

The malware immediately starts encrypting files and, when it finishes, displays a note instructing the victim to use the Tor Browser to visit an .onion site for instructions on how to pay the ransom.

Locky (and, consequently, Zepto) can encrypt a great many file types, not only on the computer’s local drives but also on removable and mapped drives, unmapped network shares, and Dropbox folders.

Unfortunately, there is still no decryption tool for files encrypted by this particular ransomware.

Paying the ransom (usually around 0.5 bitcoin) may or may not get victims their files back; nothing is guaranteed. Another option is to back up the encrypted files and hope that a decryptor is developed in the (hopefully near) future.

Bleeping Computer has also outlined a few approaches that might recover some of the encrypted files.

If you’re in charge of an organization’s IT security, check out these tips for preventing ransomware attacks.