Zepto, supposedly a variant of the well-known Locky ransomware, was recently spotted in a distribution campaign that involved over 100,000 spam messages, Cisco Talos security researchers warn.
Spotted for the first time in February, Locky needed only a couple of weeks to become one of the largest threats in the ransomware landscape, but it appears to have taken several months to spawn its first successor. This, however, doesn’t mean that the new piece of malware is less dangerous.
According to Warren Mercer, security researcher for Cisco Talos, the newly spotted campaign started on Monday, June 27, when around 4,000 spam emails were caught by the security firm’s defenses. However, the campaign ramped up fast over the next couple of days, reaching as many as 137,731 emails in as little as 4 days, the researcher explains.
The malware was being distributed via an attached .zip archive, which in turn packed a malicious JavaScript file, researchers say. A closer look at the email campaign revealed a total of 3,305 unique samples, each named following the swift [XXX|XXXX].js scheme. In all of these messages, the cybercriminals attempted to lure victims by using various subject lines and various sender profiles, including ‘CEO’ or ‘VP of Sales’.
The body of the message suggested that users should look at their “requested” documentation, and also included mail-merged salutations. Throughout the attack, the email bodies and subject headers changed slightly, the researcher says.
As soon as the victim launched the attachment, the malicious JavaScript was executed. It would leverage wscript.exe to launch HTTP GET requests to a series of predefined command and control (C&C) domains, and Cisco Talos security researchers noticed that some of the samples would initiate connectivity to a single domain, whilst others would communicate with up to 9 domains.
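The delivery chain described above (a .zip attachment carrying a .js file named after the swift [XXX|XXXX].js scheme) is something a mail gateway can check for before the script ever reaches wscript.exe. The following is an added example written for this article, not code from Cisco Talos or SecurityWeek; the function names are mine, and treating each X in the naming scheme as an alphanumeric character is an assumption.

```python
import io
import re
import zipfile

# Attachment naming scheme reported for the campaign: "swift " plus 3 or 4 characters and ".js".
# The article writes it as swift [XXX|XXXX].js; treating X as alphanumeric is an assumption.
SWIFT_JS = re.compile(r"^swift [a-z0-9]{3,4}\.js$", re.IGNORECASE)


def inspect_zip_attachment(zip_bytes):
    """Return a list of (member_name, reason) for archive members a gateway should flag:
    any JavaScript file inside the archive, and specifically names matching the
    campaign's swift [XXX|XXXX].js scheme. Returns [] when nothing is suspicious."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            if SWIFT_JS.match(base):
                findings.append((info.filename, "matches campaign naming scheme"))
            elif base.lower().endswith(".js"):
                findings.append((info.filename, "JavaScript inside archive"))
    return findings


def build_sample_zip(member_names):
    """Constructed test data: an in-memory zip whose members hold only a harmless comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in member_names:
            zf.writestr(name, "// placeholder content for the example\n")
    return buf.getvalue()


def should_quarantine(attachment_name, data):
    """Gateway decision: quarantine a .zip attachment that carries a script, otherwise deliver."""
    if not attachment_name.lower().endswith(".zip"):
        return False
    try:
        return bool(inspect_zip_attachment(data))
    except zipfile.BadZipFile:
        return True  # a .zip that does not parse is held rather than passed through unchecked


if __name__ == "__main__":
    sample = build_sample_zip(["swift 4821.js", "invoice.pdf"])
    print(inspect_zip_attachment(sample))
```

Hooking `should_quarantine` into a gateway's attachment hook stops this particular lure at delivery time; it does nothing for archives that arrive by other routes, so endpoint controls on wscript.exe remain necessary.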
Once executed, the downloaded malicious binary starts encrypting the local files in the background, appends the .zepto extension to them, and then displays a ransom note demanding that users pay to regain access to their files. The ransom note is displayed both as an HTML file and as a picture, and the computer’s wallpaper is also changed to display the note, as can be seen in the video embedded below.
While the attack vector used by Zepto isn’t new, it clearly is one of the most used in ransomware campaigns, researchers note. The most important aspect of the newly observed campaign, however, is the fact that the new malware has tight connections to Locky: they are both distributed via malicious JS files, both leave behind the same type of files, and have similar ransom notes.
“The email attack vector will continue to be used as email is an everyday occurrence now and the ability to generate large lists of emails for spam campaigns like this is growing easier. The breaches which occur include email data which is actively sold to bidders on the underground for this type of campaign. Ensuring users are careful with email attachments, like the ones used in this campaign, will help in an attempt to null the effects of this and further spam campaigns,” Mercer concludes.
Since February, Locky has become the largest ransomware threat out there, courtesy of massive spam runs powered by the Necurs botnet. Distribution campaigns were also powered by the Nuclear exploit kit, which was used to serve 110,000 droppers for Locky. Researchers estimated that, if all droppers were successful and half of victims paid, cybercriminals could have made as much as $12,650,000 in these campaigns.
The Locky ransomware, which is supposedly operated by the group behind the Dridex Trojan, has seen numerous updates over the past couple of months as its authors attempted to improve its evasion techniques.