infonews.co.nz

Zepto ransomware campaign continues with an installation tweak

Thursday 8 September 2016, 12:33AM

By Primo V.


Heredity appears to be one of the properties of present-day crypto ransomware. Old strains are continuously superseded by new ones that may seem designed from scratch at first sight but are actually modified variants of their predecessors. The Zepto infection, which surfaced in early June this year, turned out to be a spinoff of Locky, a highly invasive threat that had caused thousands of Windows users around the globe to pay for restoring their data.

There are quite a few common denominators in these two campaigns. They share the same Command and Control infrastructure, so the cybercrooks didn’t have to reinvent the wheel in this regard. The cryptographic algorithms used by the two didn’t undergo any appreciable changes – Zepto still employs a combination of RSA-2048 and AES-128 ciphers to render victims’ files inaccessible. Furthermore, the Tor payment gateway for both samples is titled the “Locky Decryptor Page”.

Despite all these shared attributes, the new breed carries notable alterations. Zepto uses a different file naming format, replacing victims’ filenames with 32 hexadecimal characters and appending the .zepto extension rather than .locky. Another change has to do with the ransom notes, which are now titled “_HELP_instructions.html” and “_HELP_instructions.bmp”. The latest tweak involves the use of a DLL file to execute the ransomware on a targeted computer. This approach is intended to obscure the infection during the intrusion phase and thus help it fly under the radar of antivirus suites.
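The file-naming change and the ransom note titles described above are indicators a defender can look for on a file share or endpoint. The following is an added example, not code from the article, that scans a file listing for the 32-hex-character .zepto renames and the _HELP_instructions notes and flags directories where they cluster; the directory threshold, the hyphen tolerance in the hex stem and the sample listing are assumptions constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Indicators taken from the article: renamed files become 32 hex characters
# with a .zepto extension, and ransom notes are dropped as _HELP_instructions.html/.bmp.
ZEPTO_EXT = ".zepto"
RANSOM_NOTES = {"_HELP_instructions.html", "_HELP_instructions.bmp"}
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

def is_zepto_renamed(name: str) -> bool:
    """True if the filename matches the renaming scheme the article describes.
    Assumption: hyphens are ignored so a plain or a dash-separated 32-hex stem both match."""
    p = PurePosixPath(name)
    if p.suffix.lower() != ZEPTO_EXT:
        return False
    return HEX32.match(p.stem.replace("-", "")) is not None

def scan_listing(paths, min_renamed=5):
    """Count .zepto renames per directory and note where ransom notes sit.
    A directory is flagged when it holds at least `min_renamed` renamed files
    (assumed threshold) or a ransom note beside any renamed file."""
    renamed = Counter()
    notes = set()
    for path in paths:
        p = PurePosixPath(path)
        parent = str(p.parent)
        if p.name in RANSOM_NOTES:
            notes.add(parent)
        elif is_zepto_renamed(p.name):
            renamed[parent] += 1
    flagged = {d for d, n in renamed.items() if n >= min_renamed or d in notes}
    return {"renamed": dict(renamed), "notes": sorted(notes), "flagged": sorted(flagged)}

# Constructed sample listing (not real data) mixing clean files with Zepto indicators.
SAMPLE_LISTING = [
    "/home/alice/docs/report.docx",
    "/home/alice/docs/0123456789ABCDEF0123456789ABCDEF.zepto",
    "/home/alice/docs/_HELP_instructions.html",
    "/home/alice/docs/_HELP_instructions.bmp",
    "/home/alice/photos/FEDCBA98-7654-3210-FEDCBA98-76543210.zepto",
    "/home/alice/photos/holiday.jpg",
    "/home/alice/photos/notes.zepto",  # .zepto extension but not the ransomware's hex stem
    "/srv/share/ABCDEF0123456789ABCDEF0123456789.zepto",
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
```

Only the docs directory is flagged with the default threshold, because it holds a ransom note next to a renamed file; the single renames elsewhere stay below the threshold and are reported but not flagged.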

Zepto requires 0.5 Bitcoin, or 286 USD at the time of writing, for decryption of the locked files. Essentially, it’s only after the payment that the automated recovery service will provide the victim with the private RSA key and the decrypt tool. There is currently no effective way to restore the .zepto files other than the ransom route, so be sure to focus on prevention and abstain from opening suspicious email attachments.