Cyren researchers state that, starting a week ago, the entire Locky ransomware core can be distributed in a single JavaScript file. What tipped them off was an unusual change in the size of the ZIP attachment, which suddenly grew from a few KB to more than 250 KB. Moreover, when the JS file is opened in a code editor it shows far more code than before.
According to the researchers, the actual Locky binary is already contained in this code, so there is no need for it to be downloaded separately by a "downloader". When the JS file is executed, the binary is written to the victim's computer and immediately starts encrypting the user's files. Although Locky's Zepto variant is the only one to use this technique so far, this doesn't come as a surprise to the researchers.
The Zepto ransomware, as security researchers have been calling these Locky versions, appends a ".zepto" extension to files during encryption.
About a month ago Cisco detected a huge number of spam emails (137,731 in only four days) distributing the Zepto ransomware. They noticed, however, that this particular spam campaign hadn't evolved yet and was still using the old two-step infection technique.
These alternatives, however, don’t apply to Zepto versions.