WatchPoint Security Blog

Zepto Virus - The Newest Form of Ransomware

Written by Jordan Kadlec | July 12, 2016

Cyber-crime is on the rise in 2016. In the last six months, ransomware infections have increased by an alarming 44 percent, and new variants appear every day. Zepto is the latest, and it appears to be a variant of the well-known Locky family.

Zepto Virus

Zepto works like most ransomware: it seizes the files on the victim's computer and encrypts them. Much like its predecessor Locky, it renames each encrypted file with its own extension, .zepto, which is how the ransomware got its name. Once encryption is complete, it replaces the desktop wallpaper with a ransom note like the image below. The note tells the victim what has happened and gives instructions for obtaining the decryption key.

As of now the ransom is set at 0.5 bitcoin, roughly $300 USD at current rates, though it is likely to be substantially higher if a large business or organization is hit. Because Zepto is so new, some anti-virus and anti-malware products do not yet detect it, and there is no known way to decrypt the files without paying the ransom or restoring from a backup.
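The encrypt-and-rename behaviour described above is itself an indicator you can watch for on a file share. The following Python script is an added example, not WatchPoint's or CryptoStopper.io's code: it compares two snapshots of a directory, counts files that newly carry the .zepto extension (the Locky extension is included as well, since the post calls Locky its predecessor), and checks "canary" files that no legitimate user ever touches. The alert threshold of three renamed files, the canary name and the sample share are assumptions chosen for the demonstration; the "ransomware" pass only writes random bytes and never encrypts anything.

```python
import hashlib
import os
import tempfile

# Extensions that the encrypt-and-rename step leaves behind. .zepto is the
# indicator from this post; .locky is its predecessor's.
RANSOM_EXTENSIONS = {".zepto", ".locky"}


def snapshot(root):
    """Map each file under root (relative path) to a SHA-256 of its contents."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                snap[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return snap


def detect(before, after, canaries, threshold=3):
    """Compare two snapshots of a share and return the indicators found.

    new_ransom_ext: files that appeared carrying a ransomware extension
    canary_hits:    canary files (never legitimately touched) that vanished
                    or whose contents changed
    alert:          True once `threshold` renamed files or any canary hit
    """
    new_ransom_ext = sorted(
        path for path in after
        if path not in before and os.path.splitext(path)[1].lower() in RANSOM_EXTENSIONS
    )
    canary_hits = sorted(
        c for c in canaries if c not in after or after[c] != before.get(c)
    )
    return {
        "new_ransom_ext": new_ransom_ext,
        "canary_hits": canary_hits,
        "alert": len(new_ransom_ext) >= threshold or bool(canary_hits),
    }


def simulate_and_detect():
    """Build a tiny share in a temp dir, emulate the encrypt-and-rename step
    with inert random bytes (no real encryption), and run the detector."""
    root = tempfile.mkdtemp()
    # Name the canary so it sorts first: ransomware that walks directories in
    # order reaches it before the real documents. (Assumed name.)
    canary = "00_canary_do_not_open.docx"
    for name in ["budget.xlsx", "report.docx", "photo.jpg", canary]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"original contents of " + name.encode())
    before = snapshot(root)

    for name in os.listdir(root):            # emulated Zepto pass
        with open(os.path.join(root, os.urandom(8).hex() + ".zepto"), "wb") as fh:
            fh.write(os.urandom(64))         # stand-in for the ciphertext
        os.remove(os.path.join(root, name))  # the original is gone
    after = snapshot(root)
    return detect(before, after, canaries=[canary])


if __name__ == "__main__":
    print(simulate_and_detect())
```

Two caveats for real use: snapshot polling misses whatever happens between two passes, so on a production share the same `detect` logic should be fed by a file-system event source (inotify, FSEvents, or the Windows object-access audit log) rather than by periodic walks, and the response step (alerting and cutting the host off from the share) is deliberately left out here.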

How Zepto Works

Chances are you have received an email like the one in the image below: someone posing as a Sales Director or Account Representative sends a receipt or memo that you apparently 'requested'. Zepto arrives in one of two ways: as an attached ZIP archive, or as an attached DOCM (macro-enabled Word document) file.

In the first case, opening the ZIP archive unpacks a file with a .js (JavaScript) extension. Opening that file runs the script inside it, which downloads the ransomware executable and runs it. In the second case (DOCM), double-clicking the file opens it in Microsoft Word, and you see a document like the image below.

Macros inside a Word file do not run by default, but Word shows the prompt highlighted in the red box, and that prompt is where the cybercriminals are trying to get you. Clicking Options and enabling macros has the same effect as opening the JavaScript file: the macro downloads the ransomware onto your computer and runs it.
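Both delivery routes just described can be caught at the mail gateway before anyone double-clicks anything. The following Python script is an added example, not code from the original post or from WatchPoint: it walks the attachments of a raw email, flags a ZIP archive that unpacks to a script and flags a macro-enabled Office document. It goes one step beyond the post by also looking inside any ZIP-based attachment for a `vbaProject.bin` entry, since Office 2007+ documents are ZIP containers and a macro project is visible that way even when the file has been renamed to .docx. The lure email, the ZIP, the DOCM skeleton, the sender address and the filenames are all constructed and hypothetical; nothing in them executes.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Direct-run script/executable extensions and macro-enabled Office extensions.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}
MACRO_DOC_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".pptm"}


def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _zip_members(data):
    """Member names if `data` is a ZIP (plain archive or OOXML), else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def triage_attachment(filename, data):
    """Return findings (strings) for one attachment; an empty list means clean."""
    findings = []
    ext = _ext(filename)
    if ext in SCRIPT_EXTENSIONS:
        findings.append(f"{filename}: script/executable attached directly")
    if ext in MACRO_DOC_EXTENSIONS:
        findings.append(f"{filename}: macro-enabled Office document")
    members = _zip_members(data)
    if members is not None:
        # OOXML files are ZIPs; word/vbaProject.bin means macros are present
        # even if the document was renamed to a benign-looking extension.
        has_vba = any(m.lower().endswith("vbaproject.bin") for m in members)
        if has_vba and ext not in MACRO_DOC_EXTENSIONS:
            findings.append(f"{filename}: VBA project found despite {ext or 'no'} extension")
        # The ZIP -> .js route: a plain archive carrying a script.
        for m in members:
            if _ext(m) in SCRIPT_EXTENSIONS:
                findings.append(f"{filename}: archive contains script {m}")
    return findings


def triage_message(raw):
    """Walk every attachment of a raw RFC 822 message and collect findings."""
    msg = message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            findings.extend(triage_attachment(filename, part.get_payload(decode=True)))
    return findings


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_macro_doc():
    """Minimal OOXML skeleton with an inert VBA project, standing in for a DOCM."""
    return _zip_bytes({
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>",
        "word/vbaProject.bin": b"inert placeholder, not a real macro",
    })


def build_sample_email():
    """Constructed lure in the style described in the post; nothing in it runs."""
    msg = EmailMessage()
    msg["From"] = "sales.director@example.com"     # hypothetical sender
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Receipt you requested"
    msg.set_content("Please find the receipt you requested attached.")
    js_zip = _zip_bytes({"receipt_20160712.js": "// inert stand-in for the downloader\n"})
    msg.add_attachment(js_zip, maintype="application", subtype="zip",
                       filename="receipt_20160712.zip")
    msg.add_attachment(build_macro_doc(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="memo.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_email()):
        print(finding)
```

The extension lists are a starting point, not a complete one; a gateway should also inspect nested archives and password-protected ZIPs (which this script cannot open and therefore cannot clear), and the safest policy for most organizations is simply to quarantine any inbound archive-wrapped script and any macro-enabled document from an outside sender.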

Once Zepto has been downloaded and has encrypted your files, the image at the beginning of the article appears. It tells you what has happened and includes instructions for paying the ransom to decrypt your files. Following those instructions leads to the page below, which walks through buying and delivering bitcoin as payment.

Don’t be another 2016 cyber-crime statistic. WatchPoint has a solution with CryptoStopper.io which protects against ransomware. CryptoStopper.io monitors your shared files and detects and isolates the attack the moment ransomware hits your network. An alert is sent to the administrator, and the host is disconnected from the server, minimizing any damage before encryption takes place.

While it is important to put as many barriers in place to prevent malware from hitting your network, there is nothing that can keep you 100% safe. Prevention is key, but protection is a must. Check out CryptoStopper.io and see how WatchPoint can protect your business from ransomware.