Is Zepto ransomware the new Locky?

Thanks to
Graham Chantry, Fraser Howard and Benjamin Humphrey
of SophosLabs for their work on this article.

Beware the latest arrival on the ransomware scene: Zepto.

It’s very similar to the well-known Locky malware, and the consequences of an attack are the same: your files end up scrambled, at which point the crooks offer to sell you the decryption key.

In fact, the Zepto and Locky malware families are similar enough that when you get to Zepto’s “pay page,” where the crooks tell you how much you need to pay to unscramble your data, you see this:

There is one obvious difference from a Locky infection, however: after a Zepto attack, your files will have been renamed so that they end .zepto. (Locky got its name because it uses the extension .locky instead.)

The idea behind renaming all your files is so that you can see just how much is at stake if you don’t pay up.

You can see not only how near you are to recovering your precious data, but also just how far.

How Zepto arrives

In the past week, we’ve seen variants of Zepto distributed in two main ways, both of which are commonly used by ransomware criminals:

• In emails with an attached ZIP archive.
• In emails with an attached DOCM file.

In the first case, opening up the ZIP archive will unpack a file with a .JS (JavaScript) extension.

If JavaScript seems like a strange format for an attachment that claims to be a document, remember that Windows suppresses the .JS part of the name by default, and shows the file with an icon that gives the impression of a text file:

Opening the JavaScript file, however, runs the script program inside, which in turn downloads the ransomware as an EXE (Windows program) file, and runs it.

In the second case, the attachment is DOCM, so that double-clicking on the file opens it by default in Microsoft Word.

But DOCM is short for “document with macros,” a special type of document that contains embedded scripts written in VBA (Visual Basic for Applications).

VBA is a programming language that has many similarities with JavaScript, and that can be used for much the same purposes, including spreading malware.

Macros inside a Word file don’t run by default (a security precaution introduced many years ago by Microsoft), but they do produce a prompt like the one here, as good as inviting you to use the [Options] button to adjust your security settings.

In the recent Zepto attacks we’ve seen, the booby-trapped documents were blank, opening rather unusually to an empty page:

Most documents that carry macro-based ransomware include some sort of explanation or excuse to encourage you to click [Options] and change your security settings – often, ironically, under the guise of improving security somehow.

Here, the crooks have kept quiet, hoping you’ll click on [Options] of your own accord.

We’re not sure whether this was by accident (because they forgot to include explanatory instructions), or by design (to avoid the sort of message that has become widely associated with ransomware).

Enabling macros has the same side-effect as opening the JavaScript file above: the VBA script downloads the ransomware as an EXE (Windows program) file, and runs it.

Sophos products detect and block these attack vectors under a variety of names, including: Mal/DrodZp-A (attached ZIP files), Troj/JSDldr-LU (JavaScript downloaders inside the ZIPs), Troj/DocDl-DUN (attached Word macro files), Mal/Ransom-EM and Troj/Ransom-DJF (the ransomware EXE files).

Time to pay

Much like Locky, Zepto starts off by “calling home” to a web server run by the crooks, from which it downloads an encryption key to scramble your data.

The crooks keep the corresponding decryption key to themselves, which is what they later offer to sell back to you. (See above, where the asking price is half a bitcoin – BTC 0.5, currently about $300.)

Your data files are both scrambled and renamed, so that encrypted files end up with names that look like this:

FA3D5195-3FE9-1DBC-E35E-89380D21F515.zepto
FA3D5195-3FE9-1DBC-7E8D-D6F39B86044A.zepto
FA3D5195-3FE9-1DBC-1683-7BF4FD77911D.zepto
FA3D5195-3FE9-1DBC-30B9-E2FF891CDB11.zepto

The first half of each name is the same for every file, and is a unique identifier that tells the crooks who you are if you decide to pay up to get your data back.

After your files are scrambled, Zepto presents a “how to pay” message, to make very sure you know that you can recover your data for a fee.

The message appears in three different ways: as your desktop wallpaper; in an image that’s opened up in the Windows Photo Viewer; and as an HTML page that’s saved into every directory where files have been scrambled.

The personal identification ID in the “how to pay” message is the same as the first half of each scrambled filename.

Following the instructions in _HELP_instructions.html takes you to the “pay page” shown at the start of the article.

What to do?

We regularly offer advice on preventing (and recovering from) attacks by ransomware and other nasties.

Here are some links we think you’ll find useful:

• To defend against ransomware in general, see our article How to stay protected against ransomware.
• To protect against JavaScript attachments, tell Explorer to open .JS files with Notepad.
• To protect against misleading filenames, tell Explorer to show file extensions.
• To protect against VBA malware, tell Office not to allow macros in documents from the internet.
• To learn more about ransomware, listen to our Techknow podcast.