Ransomware that locks up business critical data and demands payment to release it continues to increase in popularity with cyber criminals, and a fresh campaign is underway, warn researchers.
There has been a huge increase in the number of spam messages designed to infect unwary recipients’ computers with the Zepto ransomware, according to Cisco’s Talos security intelligence and research group.
Zepto is a variant of Locky, which was one of the most widespread ransomware attacks in the first quarter of 2016, affecting organisations in 114 countries.
Security researchers are keeping a close watch on Zepto and trying to find out as much as they can because of its close ties with Locky, its professional build and the fact that there is still no known method of decrypting the information.
Talos researchers are particularly concerned that Zepto will move into exploit kits and that attackers will move on from spam to other distribution methods, such as malvertising, according to ThreatPost.
Zepto shares several technical similarities with Locky, including its handling of RSA encryption keys and the attachment file types it uses to infect systems.
In May 2016, security researchers at Kaspersky Lab and FireEye identified ransomware as the top threat to business. In April 2016, Eset reported that ransomware accounted for around a quarter of cyber threats targeting internet users in the UK.
Talos researchers report that a fresh Zepto spam campaign started on 27 June 2016, with 137,731 spam messages carrying the ransomware recorded in the first four days.
The body of the emails generally urges the recipient to look at their “requested” documentation, while the name of the attached .zip file is created by combining the recipient’s name with a random number, for example pdf_copy-peter_461397.
Once the binary is downloaded and executed, the machine begins a process of encrypting the local files and then demands ransom in Bitcoin to decrypt the files.
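As an added example, not taken from the Talos report or from this article, the following Python filter scores incoming messages against the two lure features described above: a body that urges the reader to open “requested” documentation, and a .zip attachment whose name is the recipient’s name joined to a random number. The regular expression generalises from the single file name the article quotes (pdf_copy-peter_461397); the allowed prefix form, the digit count, the body cue words and the sample messages are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Message:
    """Minimal view of an inbound mail: recipient address, body text,
    and the file names of its attachments."""
    recipient: str
    body: str
    attachments: list = field(default_factory=list)


# Generalised from the one attested name, pdf_copy-peter_461397.zip:
# <word>_copy-<name>_<digits>.zip. The prefix and digit range are
# assumptions; only "pdf_copy" and a six-digit number are attested.
LURE_NAME_RE = re.compile(
    r"^(?P<prefix>[a-z]+_copy)-(?P<name>[a-z][a-z0-9]*)_(?P<rand>\d{4,8})\.zip$",
    re.IGNORECASE,
)

# Words the article says the lure body leans on (assumed cue list).
BODY_CUES = ("requested", "documentation")


def recipient_name(address: str) -> str:
    """First name token of the address local part: 'Peter.Jones@x' -> 'peter'.
    The lure personalises the file name with the recipient's name, so this is
    what the attachment name is compared against."""
    local = address.split("@", 1)[0].lower()
    return re.split(r"[._-]", local)[0]


def lure_signals(msg: Message) -> list:
    """Return the list of lure indicators present in the message."""
    signals = []
    name = recipient_name(msg.recipient)
    for att in msg.attachments:
        m = LURE_NAME_RE.match(att)
        if not m:
            continue
        signals.append(f"attachment name pattern: {att}")
        # Personalisation: the embedded name matches the recipient.
        if m.group("name").lower() == name:
            signals.append("attachment name personalised to recipient")
    body = msg.body.lower()
    if any(cue in body for cue in BODY_CUES):
        signals.append("body urges reader to open 'requested' documentation")
    return signals


def is_zepto_lure(msg: Message) -> bool:
    """Flag only when the attachment name pattern is present together with at
    least one corroborating signal, so a stray 'requested' in an ordinary
    mail does not trip the filter on its own."""
    signals = lure_signals(msg)
    has_pattern = any(s.startswith("attachment name pattern") for s in signals)
    return has_pattern and len(signals) >= 2


if __name__ == "__main__":
    # Constructed sample messages; not real campaign data.
    samples = [
        Message("peter.jones@example.com",
                "Please see the requested documentation attached.",
                ["pdf_copy-peter_461397.zip"]),
        Message("alice@example.com", "Quarterly invoice", ["invoice_Q2.zip"]),
        Message("alice@example.com", "hi", ["pdf_copy-bob_12345.zip"]),
    ]
    for s in samples:
        print(s.recipient, s.attachments, "->", is_zepto_lure(s), lure_signals(s))
```

The filter is deliberately conservative: the file-name pattern is the strongest single indicator, but it is only one observed campaign's naming scheme, so the code requires a second signal before flagging and returns the list of reasons so an analyst can see why a message was held.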
Phishing campaigns on the rise
This is not a new method of attack, but it is one that is gaining ground, according to Warren Mercer, technical lead of engineering at Talos.
“The phishing/spam campaigns now generally carry a large risk of associated ransomware, and this is no different. The ability to withhold files from users is, unfortunately, becoming very normal with attacks that people are faced with every day,” he wrote in a blog post.
According to Mercer, cyber attackers do not care what they destroy, but simply care about securing payment from their victims.
“The email attack vector will continue to be used as email is an everyday occurrence and the ability to generate large lists of emails for spam campaigns such as this is growing easier,” he said.
“The breaches which occur include email data which is actively sold to bidders on the underground for this type of campaign.”
Mercer said that while ensuring users are careful with email attachments will help reduce the likelihood of infection, businesses should also have a good file backup strategy.
Talos also recommends the use of systems to prevent the execution of malware, web scanning tools to block access to malware sites, next generation firewalls to detect malicious network activity and email scanning systems to block malicious email campaigns.
According to the Dowser website, Zepto is one of the most difficult pieces of malware to deal with and detect before it is too late.
Prevention is better than cure, and Dowser provides some hints and guidelines on how to detect Zepto and limit the damage it can do.