Is Zepto ransomware the new Locky? : Zepto Resomware

Beware the latest arrival on the ransomware scene: Zepto.

It’s very similar to the well-known Locky malware, and the consequences of an attack are the same: your files end up scrambled, at which point the crooks offer to sell you the decryption key.

In fact, the Zepto and Locky malware families are similar enough that when you get to Zepto’s “pay page,” where the crooks tell you how much you need to pay to unscramble your data, you see this:

There is one obvious difference from a Locky infection, however: after a Zepto attack, your files will have been renamed so that they end .zepto. (Locky got its name because it uses the extension.locky instead.)

The idea behind renaming all your files is so that you can see just how much is at stake if you don’t pay up.

You can see not only how near you are to recovering your precious data, but also just how far.

How Zepto arrives

In the past week, we’ve seen variants of Zepto distributed in two main ways, both of which are commonly used by ransomware criminals:

• In emails with an attached ZIP archive.
• In emails with an attached DOCM file.

In the first case, opening up the ZIP archive will unpack a file with a .JS (JavaScript) extension.

If JavaScript seems like a strange format for an attachment that claims to be a document, remember that Windows suppresses the .JS part of the name by default, and shows the file with an icon that gives the impression of a text file:

Yes, the newest Locky variant will also be renamed with random alpha-numerical characters but utilize the .zepto extension (i.e. 024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto) and leave a ransom note pattern consisting of _(****)_HELP_instructions.txt/.bmp/.html...(i.e. _6789_HELP_INSTRUCTIONS.txt, _6789_HELP_INSTRUCTIONS.bmp, _6789_HELP_INSTRUCTIONS.html). More information in this BC News Article: New Locky version adds the .Zepto Extension to Encrypted Files

A repository of all current knowledge regarding Locky Ransomware is provided by Grinler (aka Lawrence Abrams), in this topic: Locky Ransomware Information, Help Guide, and FAQ.

There is an ongoing discussion in this topic where you can post comments, ask questions and seek further assistance.

• Locky Ransomware Support & Help Topic - _Locky_recover_instructions.txt

When or if a solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff