
Zepto Ransomware Malware Security Advisory

August 2016 by eSentire

Recently eSentire has seen a new ransomware (malware) variant referenced as Zepto in the wild. In order to help our customers address this threat we have outlined our detailed investigation into the behavior and mitigation methods applicable to Zepto ransomware.

What We Know about Zepto Ransomware

Behavior of Zepto:

Most infections occur through spam emails carrying .ZIP and .DOCM attachments that purport to be attached documents or scanned files
The .ZIP file will contain a .JS (JavaScript) file
The .DOCM contains embedded scripts written in VBA (Visual Basic for Applications)
Social engineering campaigns may be used as part of this infection vector
Zepto works by connecting to the Command and Control server and downloading the public key to use in the encryption of files. It then deletes all Shadow Volume Copies so that the machine cannot be restored using files from the Shadow Volumes
This means restoration can only occur using backups or possibly paying the ransom
The ransomware will scan the infected machine and encrypt data files such as text, image, and video files as well as office documents
In most cases the encryption of files begins immediately, although there may be instances where there is a 24 hour delay before the ransomware begins to encrypt files
Typically ransomware variants will change the wallpaper of the infected machine to the ransom note once encryption is complete

Additional Information:

This is a new ransomware similar to Locky
Files are encrypted with an RSA public key
Encrypted files will have a .zepto extension
Awareness is needed for any emails that claim to be:

A Xerox copier delivering a PDF of an image
A major delivery service like UPS or FedEx offering tracking information
A bank letter confirming a wire or money transfer [Phishing emails]
As this is a new variant some information is not known:

It is not currently known if paying the ransom will actually decrypt files. Be cautious, as some variants have not actually decrypted the files properly. The cost of the ransom for decryption is typically $400/£280

eSentire Defense

While no single safeguard will be 100% effective in preventing ransomware infections, there are some eSentire features that work to protect you.

eSentire features that help protect you:

Executioner can stop the download of malicious payloads over HTTP if it is enabled for eSentire Network Interceptor™
Network Interceptor integration with Next Generation Firewalls/Proxies (Palo Alto; Blue Coat) enables detection of malicious payloads over encrypted HTTPS connections
Asset Manager Protect (AMP) works to disrupt the communication between infected machines and known command and control servers
With the eSentire Host Interceptor™ service, the ESOC has the ability to quarantine suspected systems at your direction or based on established policy
Behavioral analysis tools can detect anomalous network behavior to prompt further investigation

Additional Protection

The following should be considered as best practices. Some organizations may not be able to incorporate all recommendations based on their business requirements. eSentire suggests customers review the following and consider implementation.

How to further protect yourself from this emerging threat:

Disable wscript.exe (Windows Script Host) so that JavaScript files cannot run, or change the default program for .js files to Notepad so they open as text
Disable Microsoft Word macros via GPO to stop malicious DOCM files
Disable PowerShell (restrict it to only those IT personnel who have a business requirement for it)
eSentire recommends only allowing email attachments that are needed and blocking the following file types on your SMTP server (.js, .wsf, .zip, .docm, .vbs, .exe, .msi, .dll)
Ensure your endpoint anti-virus systems are updated to the most recent version
Configure Windows to display full file extensions (This will stop attackers from masking executable files as common files)
User awareness (Infections are occurring from users clicking on a malicious payload that is being shipped via spam email attachments)
Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources
Remind users to be cautious when clicking on links in emails coming from trusted sources
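The local-machine equivalents of the Windows Script Host, .js association, file-extension and Word macro items above, as an added PowerShell example that is not part of the eSentire advisory. It assumes an elevated prompt and Office 2016 (policy path version 16.0); the $HardeningValues table and both function names are this example's own, and in a domain the same registry values belong in a GPO rather than a per-host script.

```powershell
# Added example, not from the eSentire advisory. Run from an elevated prompt;
# in a domain, deploy the same values through GPO rather than per host.
# Assumes Office 2016 (policy path version 16.0).

# Target values for the hardening items above (this table is the example's own, not a Microsoft list).
$HardeningValues = @(
    # Windows Script Host off: double-clicked .js/.vbs/.wsf attachments no longer execute.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'; Name = 'Enabled'; Value = 0 },
    # Always show extensions so "scan.pdf.js" is not displayed as "scan.pdf".
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt'; Value = 0 },
    # Word policy: disable all macros without notification (4) ...
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'; Name = 'VBAWarnings'; Value = 4 },
    # ... and block macros in documents downloaded from the Internet (Office 2016 feature).
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'; Name = 'blockcontentexecutionfrominternet'; Value = 1 }
)

function Invoke-RansomwareHardening {
    foreach ($h in $HardeningValues) {
        # Policy keys may not exist yet; create the key before writing the DWORD.
        if (-not (Test-Path $h.Path)) { New-Item -Path $h.Path -Force | Out-Null }
        New-ItemProperty -Path $h.Path -Name $h.Name -Value $h.Value -PropertyType DWord -Force | Out-Null
    }
    # Remap .js to the plain-text file type so a stray double-click opens Notepad instead of WSH.
    cmd.exe /c 'assoc .js=txtfile' | Out-Null
}

# Returns $true only when every registry value matches; warns on each mismatch.
function Test-RansomwareHardening {
    $ok = $true
    foreach ($h in $HardeningValues) {
        $actual = (Get-ItemProperty -Path $h.Path -Name $h.Name -ErrorAction SilentlyContinue).($h.Name)
        if ($actual -ne $h.Value) {
            Write-Warning ("{0}\{1} is '{2}', expected {3}" -f $h.Path, $h.Name, $actual, $h.Value)
            $ok = $false
        }
    }
    return $ok
}

Invoke-RansomwareHardening
Test-RansomwareHardening
```

Explorer applies the HideFileExt change after the user signs out and back in, and Word reads the policy key at its next start, so verify on a fresh session rather than immediately.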


