Talos have observed a large uptick in the Zepto ransomware and have identified a method of distribution for the Zepto ransomware, Spam Email. Locky/Zepto continue to be well known ransomware variants and as such we will focus on the spam email campaign. We found 137,731 emails in the last 4 days using a new attachment naming convention. It was just coincidence that the number is a palindrome. The naming choice this time for this spam campaign is “swift [XXX|XXXX].js”, where ‘X’ is some combination of letter/numbers we have seen both 3 and 4 char strings after the “swift” name. This began Monday 27th June with approx 4000 emails being caught within our Email Security Appliances (ESA). This started to ramp up over the next few days, with spikes occurring around 7-10pm UTC and 7-10am over the next 4 days.
Fig1. Email Traffic
The body of the emails were generally urging the user to look at their “requested” documentation. The name of the attached .zip file is created by combining the username in the ‘To’ email address header, an underscore, plus a random number:
Fig2. Example email
The email body was also customized to include mail-merged salutations such as “Dear” and “Hello” which use the same string from the email address username. In our example above that would represent “Dear peter”. The email bodies changed slightly through the timeline of this attack, and also varied the Subject headers. We observed this attack primarily utilizing four Subject headers:
Fig3. Subject Breakdown
When run in a sandbox Zepto exhibits a number of questionable behaviors that quickly leads to its conviction as malware.
Fig4. ThreatGrid Behaviors
Fig5. Swift naming instances
Once the binary is downloaded and executed the machine begins a process of encrypting the local files and then demands ransom from the user to decrypt the files. The user will be presented with the following “_HELP_instructions” screens, both from Internet Explorer for the .HTML file dropped by the malware, an image file presented with Windows Picture & Fax Viewer and also a background/wallpaper change to highlight you have been encrypted using this piece of malware.
Fig6. Compromised victim view
This is not a new method of attack, however, it is one which is gaining ground. The phishing/spam campaigns now generally carry a large risk of associated ransomware and this is no different. The ability to withhold files from users is, unfortunately, becoming very normal with attacks that people are faced with everyday. Our adversaries do not care as to what they destroy or ransom from you, they simply care about their endgames, payment. The email attack vector will continue to be used as email is an everyday occurrence now and the ability to generate large lists of emails for spam campaigns like this is growing easier. The breaches which occur include email data which is actively sold to bidders on the underground for this type of campaign. Ensuring users are careful with email attachments, like the ones used in this campaign, will help in an attempt to null the effects of this and further spam campaigns. Talos recommend you ensure you have a good backup strategy should you be hit with ransomware and we strongly advise that payment is never made to these actors.