
Huge uptick in Zepto ransomware spam, warn researchers

Security researchers have raised concerns that attackers are gearing up for a massive Locky-related ransomware campaign

Ransomware that locks up business critical data and demands payment to release it continues to increase in popularity with cyber criminals, and a fresh campaign is underway, warn researchers.

There has been a huge increase in the number of spam messages designed to infect unwary recipients’ computers with the Zepto ransomware, according to Cisco’s Talos security intelligence and research group.

Zepto is a variant of Locky, which was one of the most widespread ransomware attacks in the first quarter of 2016, affecting organisations in 114 countries.

Security researchers are keeping a close watch on Zepto and trying to find out as much as they can because of its close ties with Locky, its professional build and the fact that there is still no known method of decrypting the information.

Talos researchers are particularly concerned that Zepto will move into exploit kits and that attackers will move on from spam to other distribution methods, such as malvertising, according to ThreatPost.

Zepto shares several technical similarities with Locky, including the use of similar RSA encryption keys and file types to infect systems.

In May 2016, security researchers at Kaspersky Lab and FireEye identified ransomware as the top threat to business. In April 2016, Eset reported that ransomware accounted for around a quarter of cyber threats targeting internet users in the UK.

Talos researchers report that a fresh Zepto spam campaign started on 27 June 2016, with 137,731 spam messages carrying the ransomware recorded in the first four days.


All of the messages use a compressed .zip archive containing a malicious JavaScript file that infects the recipient’s computer with the Zepto ransomware. The JavaScript file names all start with “swift” followed by a string of hexadecimal characters.

The spam messages use various subject lines, such as “document copies”, and various sender profiles, such as “CEO”, to encourage recipients to open the message and run the malicious JavaScript.

The body of the emails generally urges the recipient to look at their “requested” documentation, while the name of the attached .zip file is built by combining the recipient’s name with a random number, for example pdf_copy-peter_461397.
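As an added example (not code from the original article or from Talos), here is a small Python attachment-triage check built from the indicators described above: it opens a zip attachment, looks for file types that Windows Script Host would execute, and flags both the “swift” plus hexadecimal member naming and the recipient-name plus number archive naming. The sample archive, its member name and the regular expressions are constructed for illustration and are assumptions, not published indicators.

```python
import io
import posixpath
import re
import zipfile

# Constructed sample attachment (not a real sample from the campaign): a zip
# named in the recipient-name-plus-random-number style the article describes,
# carrying one JavaScript file named "swift" followed by hex characters.
SAMPLE_ZIP_NAME = "pdf_copy-peter_461397.zip"


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {member_name: content} for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_zip() -> bytes:
    # Placeholder script body: only the member name matters for this check.
    return make_zip({"swift9f2a4c.js": "// placeholder, not the real downloader\n"})


# Extensions that Windows Script Host (wscript.exe/cscript.exe) or mshta.exe
# will execute when a user double-clicks the extracted file.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}

# Assumed patterns derived from the article: "swift" + hex + script extension
# for the member, and "<prefix>-<recipient>_<number>.zip" for the archive.
SWIFT_HEX_RE = re.compile(r"^swift[0-9a-f]+\.(?:js|jse|wsf)$", re.IGNORECASE)
ZIP_NAME_RE = re.compile(r"^[a-z_]+-[a-z]+_\d+\.zip$", re.IGNORECASE)


def triage_attachment(zip_name: str, data: bytes) -> dict:
    """Return {'verdict': 'block'|'review'|'allow', 'reasons': [...]}.

    'block' when the archive contains a script WSH would run, 'review' when
    only the archive name matches the campaign style or the zip is unreadable,
    'allow' otherwise.
    """
    reasons = []
    if ZIP_NAME_RE.match(zip_name):
        reasons.append(f"archive name matches campaign naming: {zip_name}")

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        reasons.append("attachment is not a readable zip archive")
        return {"verdict": "review", "reasons": reasons}

    swift_hits = [m for m in members if SWIFT_HEX_RE.match(posixpath.basename(m))]
    script_hits = [m for m in members
                   if posixpath.splitext(m)[1].lower() in SCRIPT_EXTENSIONS]

    if swift_hits:
        reasons.append(f"member matches swift+hex downloader naming: {swift_hits}")
    if script_hits:
        reasons.append(f"archive carries Windows Script Host file(s): {script_hits}")

    if script_hits:  # swift_hits is always a subset of script_hits
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    print(triage_attachment(SAMPLE_ZIP_NAME, build_sample_zip()))
```

The naming patterns are the weakest part of the check, since the next wave of the campaign can change them; the extension check is what should drive the block decision. This example does not look inside nested or password-protected archives, which a mail gateway would also need to handle.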

The malicious JavaScript uses wscript.exe to issue HTTP GET requests to the command and control (C&C) domains defined in the script in order to fetch the ransomware binary; some samples contact a single domain, while others contact up to nine.

Once the binary is downloaded and executed, it encrypts the files on the machine and then demands a ransom in Bitcoin to decrypt them.
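The wscript.exe behaviour described above is a useful hunting signal on its own: a script interpreter issuing HTTP requests from a workstation is rarely legitimate. As an added example (not from the article or from Talos), here is a Python hunt over constructed proxy log lines that surfaces every host where wscript.exe or cscript.exe made an HTTP request and groups the destination domains per host. The log format, host names and .invalid domains are placeholders and assumptions, not real campaign infrastructure.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log lines (placeholder hosts and .invalid domains; not
# real C&C infrastructure). One workstation fans out to three domains, one
# reaches a single domain, and two lines are ordinary browser/mail traffic.
SAMPLE_LOG = """\
2016-06-27T10:02:11Z host=WS-0412 process=wscript.exe method=GET url=http://one.example.invalid/get.php status=200
2016-06-27T10:02:12Z host=WS-0412 process=wscript.exe method=GET url=http://two.example.invalid/get.php status=200
2016-06-27T10:02:13Z host=WS-0412 process=wscript.exe method=GET url=http://three.example.invalid/get.php status=404
2016-06-27T10:05:40Z host=WS-0207 process=chrome.exe method=GET url=https://intranet.corp.invalid/home status=200
2016-06-27T10:06:02Z host=WS-0207 process=wscript.exe method=GET url=http://four.example.invalid/get.php status=200
2016-06-27T10:07:55Z host=WS-0311 process=outlook.exe method=POST url=https://mail.corp.invalid/ews status=200
"""

# Assumed key=value log layout for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) process=(?P<proc>\S+) "
    r"method=(?P<method>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$"
)

# Script interpreters that have no business making their own HTTP requests
# on a typical workstation.
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe"}


def parse_line(line: str):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_script_host_callouts(log_text: str) -> dict:
    """Map host -> {'domains': sorted list, 'first_seen': ts, 'requests': n}
    for every host whose wscript.exe/cscript.exe issued an HTTP request.

    A failed request (non-2xx) still counts: it proves the script ran and
    tried to reach a downloader domain, even if the download did not succeed.
    """
    findings = defaultdict(lambda: {"domains": set(), "first_seen": None, "requests": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proc"].lower() not in SCRIPT_INTERPRETERS:
            continue
        domain = urlparse(rec["url"]).hostname
        if not domain:
            continue
        f = findings[rec["host"]]
        f["domains"].add(domain)
        f["requests"] += 1
        # ISO 8601 timestamps in UTC sort correctly as plain strings.
        if f["first_seen"] is None or rec["ts"] < f["first_seen"]:
            f["first_seen"] = rec["ts"]
    return {h: {"domains": sorted(v["domains"]),
                "first_seen": v["first_seen"],
                "requests": v["requests"]} for h, v in findings.items()}


def hosts_by_fanout(log_text: str) -> list:
    """Hosts ordered by number of distinct domains contacted, most first."""
    findings = find_script_host_callouts(log_text)
    return sorted(findings, key=lambda h: (-len(findings[h]["domains"]), h))


if __name__ == "__main__":
    results = find_script_host_callouts(SAMPLE_LOG)
    for host in hosts_by_fanout(SAMPLE_LOG):
        print(host, results[host])
```

The first_seen timestamp per host is the point to start the timeline from when you go back to the mail gateway to find the message and attachment that started it; the domain list is what you feed into the block list and compare against the hashes and domains Talos published.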

Phishing campaigns on the rise

This is not a new method of attack, but it is one that is gaining ground, according to Warren Mercer, technical lead of engineering at Talos.

“The phishing/spam campaigns now generally carry a large risk of associated ransomware, and this is no different. The ability to withhold files from users is, unfortunately, becoming very normal with attacks that people are faced with every day,” he wrote in a blog post.

According to Mercer, cyber attackers do not care what they destroy, but simply care about securing payment from their victims.

“The email attack vector will continue to be used as email is an everyday occurrence and the ability to generate large lists of emails for spam campaigns such as this is growing easier,” he said.

“The breaches which occur include email data which is actively sold to bidders on the underground for this type of campaign.”

Mercer said while ensuring users are careful with email attachments will help reduce the likelihood of infection, businesses should have a good file backup strategy.

Preventing Zepto

Talos also recommends the use of systems to prevent the execution of malware, web scanning tools to block access to malware sites, next generation firewalls to detect malicious network activity and email scanning systems to block malicious email campaigns.

To help information security teams, Talos has published file hashes as indicators of compromise for the Zepto ransomware campaign.

According to the Dowser website, Zepto is one of the most difficult pieces of malware to deal with and detect before it is too late.

Prevention is better than cure, and Dowser provides some hints and guidelines on how to detect Zepto and limit the damage it can do.
