Go to listing page

Understanding Zepto Ransomware: The new version of Locky

Understanding Zepto Ransomware: The new version of Locky

In June 2016, Zepto Ransomware which is a new version of the Locky ransomware was unearthed as its makers unleashed it upon the users worldwide, affecting computers across the globe. The basic principle of the Zepto Ransomware remains the same. It works like a typical ransomware does, seizing the files on a victim’s PC and encrypting them. Its trademark is that it changes the name of the files to its own extension: .zepto, which is why it has now become known as the Zepto Ransomware.

Modus Operandi of Zepto Ransomware

Stage 1


The process starts with “Social Engineering” in which the criminals try to psychologically manipulate the user to perform a desired task. This is carried out through “Spear Phishing” by sending emails with infected files. As of now there are two variants of the infected files.

  • Emails with an attached ZIP file
  • Emails with an attached DOCM file

Stage 2

Once the user clicks on the infected attachment, the file is downloaded. If it is a ZIP file, it will need to be extracted which will unpack a file with .JS extension which means it is a JavaScript. However, the Javascript attachment will look like an ordinary text file because Windows does not display the .JS extension. Once the user click opens this .JS file, it will automatically download the Zepto Ransomware.


If the email attachment is a DOCM (Document with Macros) file, double clicking it directly opens it in Microsoft Word. However, DOCM is a special type of file that contains scripts which are embedded in Visual Basics for Applications (VBA). VBA is somewhat similar to Javascript and is used for spreading malware. The essential trick with DOCM files lies in the fact that MACROS don’t run by default because it was disabled by Microsoft for security purposes. Instead Options to enable Macros is prompted on the screen. The cyber criminals have exploited this security feature as follows. Once the DOCM file opens, a blank page is displayed. Along with it an option to enable Macros is prompted on the screen. The gullible user enables the MACROS because he is tricked into believing that the file has empty contents because MACROS is disabled. Once the user enables the MACROS , the embedded VBA script runs and downloads the Ransomware.

Stage 3

This is the payment stage. Once the Ransomware is installed on your computer, all the files are encrypted and renamed with a .Zepto extension. The hackers convey the demand and procedure for ransom either by changing your desktop wallpaper, or an image file which opens in Windows Photo Viewer or an html file that is saved in every directory where files have been scrambled. These files contain all the steps you need to take for making payment and getting your files decrypted in return.

Cyware Publisher

Publisher

Cyware