Beware the latest arrival on the ransomware scene: Zepto.
It’s very similar to the well-known Locky malware, and the consequences of an attack are the same: your files end up scrambled, at which point the crooks offer to sell you the decryption key.
In fact, the Zepto and Locky malware families are similar enough that when you get to Zepto’s “pay page,” where the crooks tell you how much you need to pay to unscramble your data, you see this:
There is one obvious difference from a Locky infection, however: after a Zepto attack, your files will have been renamed so that they end in .zepto. (Locky got its name because it uses the extension .locky instead.)
The idea behind renaming all your files is so that you can see just how much is at stake if you don’t pay up.
You can see not only how near you are to recovering your precious data, but also just how far.
How Zepto arrives
In the past week, we’ve seen variants of Zepto distributed in two main ways, both of which are commonly used by ransomware criminals:
- In emails with an attached ZIP archive.
- In emails with an attached DOCM file.
In the first case, opening up the ZIP archive will unpack a file with a .JS (JavaScript) extension.
If JavaScript seems like a strange format for an attachment that claims to be a document, remember that Windows suppresses the .JS part of the name by default, and shows the file with an icon that gives the impression of a text file:
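A defender-side triage of the two delivery methods above, as an added example that is not from the original article or from Sophos: it flags macro-enabled documents and ZIP archives that unpack to a script, and reports the name a user would see with Windows extensions hidden. The extension lists, function names and sample file names are assumptions chosen for illustration.

```python
import io
import zipfile

# Attachment types that execute when double-clicked on Windows. The Zepto dropper
# described above arrives as a .JS file inside a ZIP, or as a macro-enabled .DOCM.
# These sets are illustrative assumptions, not an exhaustive blocklist.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}

def _ext(name: str) -> str:
    """Lower-cased final extension with its dot, or '' if there is none."""
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""

def displayed_name(name: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' enabled."""
    base = name.rsplit("/", 1)[-1]
    return base.rpartition(".")[0] if "." in base else base

def build_zip(members: dict) -> bytes:
    """Constructed sample input: an in-memory ZIP from {member name: bytes}. Not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def classify_attachment(filename: str, data: bytes) -> list:
    """Return human-readable findings for one attachment; an empty list means nothing flagged."""
    findings = []
    ext = _ext(filename)
    if ext in MACRO_EXTENSIONS:
        findings.append(f"{filename}: macro-enabled Office document")
    elif ext in SCRIPT_EXTENSIONS:
        findings.append(f"{filename}: executable script attached directly")
    elif ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if _ext(member) in SCRIPT_EXTENSIONS:
                        findings.append(
                            f"{filename}: contains {member}, shown to the user as "
                            f"'{displayed_name(member)}' when extensions are hidden")
        except zipfile.BadZipFile:
            findings.append(f"{filename}: has a .zip name but is not a valid ZIP archive")
    return findings

if __name__ == "__main__":
    sample = build_zip({"invoice_2016.txt.js": b"// constructed placeholder, no payload"})
    for line in classify_attachment("invoice.zip", sample) + classify_attachment("order.docm", b""):
        print(line)
```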