Steer clear of the aggressive Zepto ransomware


Sometimes preventing a piece of ransomware from compromising a computer is trivial. All it takes is caution with suspicious incoming emails. This approach alone may not help with some strains that use exploit kits to infect PCs, but the new sample called Zepto appears to stick with the phishing vector. Despite the ostensible ease of prevention, hundreds of users have fallen victim to it over the past week.

Zepto is a successor of the Locky ransomware, so the two malicious programs share a number of characteristics. In particular, the newcomer encrypts data using a combination of AES-128 and RSA-2048, a locking scheme that cannot be broken by brute force. It also uses the same decryption service page hosted on Tor, which can only be reached through the Tor Browser Bundle.

Despite the obvious similarity, the latest iteration differs in several ways. After encrypting files, it renames them according to a new scheme and appends the .zepto extension to each one. The user gets the initial recovery instructions in ransom notes titled _HELP_instructions.bmp and _HELP_instructions.html. The ransom Trojan sets the BMP file as the Windows desktop background. The same steps are duplicated in the HTML edition, a copy of which appears inside every folder that holds encrypted files.
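As an added example (not code from the original post), the following Python triage script looks for the two artefacts the paragraph names, the .zepto extension and the _HELP_instructions ransom notes, across a file listing and reports which folders were hit; the sample listing and its file stems are constructed, and nothing else about Zepto's naming scheme is assumed.

```python
import os
from collections import defaultdict
from pathlib import PurePath

# Indicators named in the article: encrypted files get the .zepto extension and
# every affected folder receives a copy of _HELP_instructions.html (the .bmp is
# also dropped and set as the desktop background). Compared case-insensitively.
ENCRYPTED_EXT = ".zepto"
RANSOM_NOTES = {"_help_instructions.html", "_help_instructions.bmp"}


def classify_paths(paths):
    """Group file paths by directory, counting .zepto files and listing ransom notes.

    Returns {directory: {"encrypted": count, "notes": [note names]}} for every
    directory that shows at least one indicator; clean directories are omitted.
    """
    hits = defaultdict(lambda: {"encrypted": 0, "notes": []})
    for p in paths:
        path = PurePath(p)
        parent, name = str(path.parent), path.name
        if name.lower() in RANSOM_NOTES:
            hits[parent]["notes"].append(name)
        elif path.suffix.lower() == ENCRYPTED_EXT:
            hits[parent]["encrypted"] += 1
    return dict(hits)


def scan_tree(root):
    """Walk a real directory tree (e.g. a mapped share) and classify what it finds."""
    listing = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return classify_paths(listing)


def summarize(hits):
    """Return (total .zepto files, sorted list of directories holding a ransom note)."""
    total = sum(h["encrypted"] for h in hits.values())
    noted = sorted(d for d, h in hits.items() if h["notes"])
    return total, noted


# Constructed sample listing standing in for os.walk() output on an affected share;
# the stems are made up, only the extension and note names come from the article.
SAMPLE_LISTING = [
    "/srv/share/reports/a1b2c3d4.zepto",
    "/srv/share/reports/e5f6a7b8.zepto",
    "/srv/share/reports/_HELP_instructions.html",
    "/srv/share/reports/_HELP_instructions.bmp",
    "/srv/share/clean/budget.xlsx",
]

if __name__ == "__main__":
    total, noted = summarize(classify_paths(SAMPLE_LISTING))
    print(f"{total} .zepto files; ransom notes in: {', '.join(noted)}")
```

Point `scan_tree()` at a mounted share to run the same check against a live tree; a folder that holds a note but no .zepto files still shows up, which is useful when the encryption was interrupted.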

What makes Zepto especially severe is that no free decryptor has been released by antimalware labs at this juncture. Every data file on the hard drive, connected thumb drives, network shares and offsite backup directories is first scrambled with the Advanced Encryption Standard. Then the virus encrypts the AES key with RSA, which is asymmetric and thus uses different keys for encryption and decryption.

The private RSA key stays outside the computer on the criminals’ C2 server and won’t be handed over to the victim unless they pay 0.5 Bitcoins.

To avoid Zepto and keep one’s files safe, it’s recommended to abstain from opening attachments that arrive with dubious emails. If the attack has already occurred, users should try tried-and-tested data recovery techniques before considering paying the ransom.
