Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Is Zepto ransomware the new Locky? : Zepto Resomware

  • This topic is locked This topic is locked
1 reply to this topic

#1 DEEKAY123456


  • Members
  • 1 posts
  • Gender:Male
  • Local time:03:31 AM

Posted 19 July 2016 - 05:24 AM

Beware the latest arrival on the ransomware scene: Zepto.

It’s very similar to the well-known Locky malware, and the consequences of an attack are the same: your files end up scrambled, at which point the crooks offer to sell you the decryption key.

In fact, the Zepto and Locky malware families are similar enough that when you get to Zepto’s “pay page,” where the crooks tell you how much you need to pay to unscramble your data, you see this:


There is one obvious difference from a Locky infection, however: after a Zepto attack, your files will have been renamed so that they end .zepto. (Locky got its name because it uses the extension.locky instead.)

The idea behind renaming all your files is so that you can see just how much is at stake if you don’t pay up.

You can see not only how near you are to recovering your precious data, but also just how far.

How Zepto arrives

In the past week, we’ve seen variants of Zepto distributed in two main ways, both of which are commonly used by ransomware criminals:

  • In emails with an attached ZIP archive.
  • In emails with an attached DOCM file.


In the first case, opening up the ZIP archive will unpack a file with a .JS (JavaScript) extension.

If JavaScript seems like a strange format for an attachment that claims to be a document, remember that Windows suppresses the .JS part of the name by default, and shows the file with an icon that gives the impression of a text file:


BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,953 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:01 PM

Posted 19 July 2016 - 06:48 AM

Yes, the newest Locky variant will also be renamed with random alpha-numerical characters but utilize the .zepto extension (i.e. 024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto) and leave a ransom note pattern consisting of _(****)_HELP_instructions.txt/.bmp/.html...(i.e. _6789_HELP_INSTRUCTIONS.txt, _6789_HELP_INSTRUCTIONS.bmp, _6789_HELP_INSTRUCTIONS.html). More information in this BC News Article: New Locky version adds the .Zepto Extension to Encrypted Files

A repository of all current knowledge regarding Locky Ransomware is provided by Grinler (aka Lawrence Abrams), in this topic: Locky Ransomware Information, Help Guide, and FAQ.

There is an ongoing discussion in this topic where you can post comments, ask questions and seek further assistance.When or if a solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users