Researchers have recently noticed that the Zepto version of the Locky ransomware is now being distributed via a new campaign. Until now, the crooks behind the malicious Zepto installer were using zipped JavaScript files for propagation, but they have now switched to Windows Script Files (WSF) instead. The WSF files are sent to victims as email attachments disguised as invoices, banking reports, shipping information, etc. This is what such a fake email looks like:
“How is it going?
Thank you very much for responding my email in a very short time. Attached is the bank account report. Please look at it again and see if you have any disapproval.
King regards,”
Windows Script Host executes the WSF file on the victim's device. A single WSF file can contain code in multiple languages; for instance, both VBScript and JavaScript code can be held in one file. Even though Zepto is distributed via WSF files, for now researchers have seen it use only JavaScript code to download and install the ransomware.
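An added example (not code from the article or from any product it mentions) of how a mail gateway or triage script can recognise this delivery path: it parses a WSF attachment to list the languages of its script blocks, as in the multi-language layout described above, and also looks inside zip attachments for the earlier zipped-JavaScript form. The WSF content, the zip archive and the file names below are constructed samples; the extension list and the "hold for review" policy are assumptions of this example.

```python
import io
import os
import re
import xml.etree.ElementTree as ET
import zipfile

# Extensions that Windows Script Host runs directly when a user opens them
# (assumed policy list for this example).
SCRIPT_HOST_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe"}

# Constructed, harmless sample of a .wsf file (not the malware's content):
# one <job> holding both a VBScript and a JScript block, the multi-language
# layout the article describes.
SAMPLE_WSF = """<job id="sample">
  <script language="VBScript">
    WScript.Echo "hello from VBScript"
  </script>
  <script language="JScript">
    WScript.Echo("hello from JScript");
  </script>
</job>
"""

# Fallback matcher for WSF files that are not well-formed XML.
_SCRIPT_TAG = re.compile(r'<script\b[^>]*\blanguage\s*=\s*["\']([^"\']+)["\']',
                         re.IGNORECASE)


def wsf_script_languages(content: str) -> list:
    """Return the 'language' attribute of each <script> block, in document order.

    WSF is XML-shaped, so a real XML parse is tried first. Script bodies often
    contain bare '<' or '&' that break strict XML, so fall back to a regex."""
    try:
        root = ET.fromstring(content)
        return [s.get("language", "") for s in root.iter("script")]
    except ET.ParseError:
        return _SCRIPT_TAG.findall(content)


def script_extension(filename: str) -> str:
    """Last extension, lower-cased, so 'report.pdf.wsf' is judged by '.wsf'."""
    return os.path.splitext(filename)[1].lower()


def classify_attachment(filename: str, data: bytes) -> dict:
    """Decide whether a mail attachment should be held for review.

    Covers both delivery forms the article mentions: a bare script file
    (the current .wsf lure) and a zip archive wrapping a script (the earlier
    zipped-JavaScript campaign). Returns findings plus a 'hold' flag."""
    findings = {"filename": filename, "hold": False, "reasons": [], "languages": []}
    ext = script_extension(filename)
    if ext in SCRIPT_HOST_EXTENSIONS:
        findings["hold"] = True
        findings["reasons"].append(f"{ext} file runs under Windows Script Host")
        if ext == ".wsf":
            findings["languages"] = wsf_script_languages(data.decode("utf-8", "replace"))
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.namelist():
                member_ext = script_extension(member)
                if member_ext not in SCRIPT_HOST_EXTENSIONS:
                    continue
                findings["hold"] = True
                findings["reasons"].append(f"archive member {member} is a {member_ext} script")
                if member_ext == ".wsf":
                    text = archive.read(member).decode("utf-8", "replace")
                    findings["languages"] += wsf_script_languages(text)
    return findings


def make_sample_zip(member_name: str, content: bytes) -> bytes:
    """Build an in-memory zip archive (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    print(classify_attachment("bank_report.wsf", SAMPLE_WSF.encode()))
    print(classify_attachment("invoice.zip", make_sample_zip("invoice.js", b"WScript.Echo('hi');")))
    print(classify_attachment("shipping.pdf", b"%PDF-1.4 not a script"))
```

The regex fallback matters in practice: a WSF only has to be well-formed enough for Windows Script Host, not for a strict XML parser, so a gateway that trusts `xml.etree` alone would miss files with a bare `<` inside a VBScript body.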
Once Zepto reaches its destination, it encrypts all of the victim's data. It also replaces the file names with random ones so the victim cannot tell which file is which, and appends the ".zepto" extension to every encrypted file.
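An added example, not part of the article, of the check an incident responder would run over a file share or backup listing after the behaviour just described: flag every file carrying the ".zepto" extension, use byte entropy to corroborate that the body really is encrypted rather than merely renamed, and raise a mass-encryption alert when the affected share of files passes a threshold. The file names and contents below are constructed; the entropy and share thresholds are assumptions of this example.

```python
import math
from collections import Counter

RANSOM_EXTENSION = ".zepto"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes.

    Properly encrypted content sits close to 8.0; ordinary documents sit well
    below. Compressed archives and images are also high, so entropy is used
    here only to corroborate the extension match, never on its own."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def triage_files(files, entropy_threshold=7.5, share_threshold=0.25):
    """files: iterable of (path, content_bytes) pairs, e.g. from a share crawl.

    A file is flagged when it carries the ransomware extension; its entropy is
    recorded so a renamed-but-readable file stands out from an encrypted one.
    Returns (flagged list, summary dict); the summary reports a mass-encryption
    event when the flagged share of files reaches share_threshold."""
    flagged = []
    total = 0
    for path, content in files:
        total += 1
        if not path.lower().endswith(RANSOM_EXTENSION):
            continue
        entropy = shannon_entropy(content)
        flagged.append({
            "path": path,
            "entropy": round(entropy, 2),
            "encrypted_body": entropy >= entropy_threshold,
        })
    share = len(flagged) / total if total else 0.0
    summary = {
        "files_seen": total,
        "files_flagged": len(flagged),
        "share": round(share, 2),
        "mass_encryption": share >= share_threshold,
    }
    return flagged, summary


# Constructed listing: two renamed ".zepto" files whose bodies are uniformly
# distributed bytes (entropy exactly 8.0), and one untouched text document.
# The random-looking names are invented for the example, not Zepto's format.
SAMPLE_LISTING = [
    ("D:\\docs\\7F3A0C11-2B44.zepto", bytes(range(256)) * 16),
    ("D:\\docs\\E91D55AA-0C7F.zepto", bytes(range(255, -1, -1)) * 16),
    ("D:\\docs\\quarterly_report.txt", b"Quarterly figures, see attached table.\n" * 100),
]

if __name__ == "__main__":
    flagged, summary = triage_files(SAMPLE_LISTING)
    for entry in flagged:
        print(entry)
    print(summary)
```

Because the original names are gone, the listing itself cannot say which document each ".zepto" file used to be; what it can establish quickly is the blast radius (how many files, on which paths) and whether the bodies are genuinely encrypted, which decides whether restoring from backup is the only option.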
The bad news is that, at this point, no free Zepto decryptor exists.