Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Spam Campaign Distributing Locky Variant Zepto Ransomware

Zepto, supposedly a variant of the well-known Locky ransomware, was recently spotted in a distribution campaign that involved over 100,000 spam messages, Cisco Talos security researchers warn.

Zepto, supposedly a variant of the well-known Locky ransomware, was recently spotted in a distribution campaign that involved over 100,000 spam messages, Cisco Talos security researchers warn.

Spotted for the first time in February, Locky needed only a couple of weeks to become one of the largest threats in the ransomware landscape, but it needed several months to spawn its first successor, it seems. This, however, doesn’t mean that the new piece of malware is less dangerous.

According to Warren Mercer, security researcher for Cisco Talos, the newly spotted campaign started on Monday, June 27, when around 4,000 spam emails were caught by the security firm’s defenses. However, the campaign ramped up fast over the next couple of days, reaching as many as 137,731 emails in as little as 4 days, the researcher explains.

The malware was being distributed via an attached .zip archive, which in turn packed a malicious JavaScript, researchers say. A closer look at the email campaign revealed a total of 3,305 unique samples, each named following the swift [XXX|XXXX].js scheme. In all of these messages, the cybercriminals attempted to lure victims by using various subject lines and various sender profiles, including ‘CEO’ or ‘VP of Sales’.

The body of the message suggested that users should look at their “requested” documentation, and also included mail-merged salutations. Throughout the attack, the email bodies and subject headers changed slightly, the researcher says.

As soon as the victim launched the attachment, the malicious JavaScript was executed. It would leverage wscript.exe to launch HTTP GET requests to a series of predefined command and control (C&C) domains, and Cisco Talos security researchers noticed that some of the samples would initiate connectivity to a single domain, whilst others would communicate with up to 9 domains.

Once executed, the downloaded malicious binary starts encrypting the local files in the background, appends the .zepto extension to them, and then displays a ransom note demanding that users to pay to regain access to their files. The ransom note is displayed both as an HTML file and as a picture, and the computer’s wallpaper is also changed to display the note, as can be seen in the video embedded below.

While the attack vector used by Zepto isn’t new, it clearly is one of the most used in ransomware campaigns, researchers note. The most important aspect of the newly observed campaign, however, is the fact that the new malware has tight connections to Locky: they are both distributed via malicious JS files, both leave behind the same type of files, and have similar ransom notes.             

“The email attack vector will continue to be used as email is an everyday occurrence now and the ability to generate large lists of emails for spam campaigns like this is growing easier. The breaches which occur include email data which is actively sold to bidders on the underground for this type of campaign. Ensuring users are careful with email attachments, like the ones used in this campaign, will help in an attempt to null the effects of this and further spam campaigns,” Mercer concludes.

Since February, Locky has become the largest ransomware threat out there, courtesy of massive spam runs powered by the Necurs botnet. Distribution campaigns were also powered by the Nuclear exploit kit, which was used to serve 110,000 droppers for Locky. Researchers estimated that, if all droppers were successful and half of victims paid, cybercriminals could have made as much as $12,650,000 in these campaigns.

The Locky ransomware, which is supposedly operated by the group behind the Dridex Trojan, has seen numerous updates over the past couple of months as its authors attempted to improve its evasion techniques.


Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.