
Security advisories | Feb 26, 2019

Zepto Ransomware Malware

Recently eSentire has seen a new ransomware (malware) variant, referred to as Zepto, in the wild. To help our customers address this threat, we have outlined our detailed investigation into the behavior of Zepto ransomware and the mitigation methods applicable to it.

What We Know about Zepto Ransomware

Behavior of Zepto:

  • The most common infections occur through spam emails about attached documents and scanned files that carry .ZIP and .DOCM attachments
  • The .ZIP file will contain a .JS (JavaScript) file
  • The .DOCM contains embedded scripts written in VBA (Visual Basic for Applications)
  • Social engineering campaigns may be used as part of this infection vector
  • Zepto works by connecting to the Command and Control server and downloading the public key to use in the encryption of files. It then deletes all Shadow Volume Copies so that the machine cannot be restored using files from the Shadow Volumes
  • This means restoration can only occur using backups or possibly paying the ransom
  • The ransomware will scan the infected machine and encrypt data files such as text, image, and video files as well as office documents
  • In most cases the encryption of files begins immediately, but there may be instances where there is a 24-hour period before the ransomware begins to encrypt files
  • Typically ransomware variants will change the wallpaper of the infected machine to the ransom note once encryption is complete

Additional Information:

  • This is a new ransomware similar to Locky
  • Files are encrypted with an RSA public key
  • Encrypted files will have a .zepto extension
  • Awareness is needed for any emails that claim to be:
    • A Xerox copier delivering a PDF of an image
    • A major delivery service like UPS or FedEx offering tracking information
    • A bank letter confirming a wire or money transfer [Phishing emails]
  • As this is a new variant some information is not known:
    • It is not currently known if paying the ransom will actually decrypt files. Be cautious as some variants have not actually decrypted the files properly
    • The cost of the ransom for decryption is typically $400/£280

eSentire Defense

While no single safeguard will be 100% effective in preventing ransomware infections, there are some eSentire features that work to protect you.

eSentire features that help protect you:

  • Executioner can stop the download of malicious payloads over HTTP if it is enabled for eSentire Network Interceptor™
  • Network Interceptor integration with Next-Generation Firewalls/Proxies (Palo Alto; Blue Coat) enables detection of malicious payloads over an encrypted HTTPS connection
  • Asset Manager Protect (AMP) works to disrupt the communication between infected machines and known command and control servers
  • With the eSentire Host Interceptor™ service, the ESOC has the ability to quarantine suspected systems at your direction or based on established policy
  • Behavioral analysis tools can detect anomalous network behavior to prompt further investigation

Additional Protection

The following should be considered as best practices. Some organizations may not be able to incorporate all recommendations based on their business requirements. eSentire suggests customers review the following and consider implementation.

How to further protect yourself from this emerging threat:

  • Disable wscript.exe to stop JavaScript files from running (or set Notepad as the default program for opening .js files)
  • Disable Microsoft Word macros via GPO to stop malicious DOCs
  • Disable PowerShell (restrict it to only IT personnel who have a business requirement)
  • eSentire recommends only allowing email attachments that are needed and blocking the following file types on your SMTP server (.js, .wsf, .zip, .docm, .vbs, .exe, .msi, .dll)
  • Ensure your endpoint anti-virus systems are updated to the most recent version
  • Ensure the use of proper user privileges
  • Configure Windows to display full file extensions (This will stop attackers from masking executable files as common files)
  • User awareness (Infections are occurring from users clicking on a malicious payload that is being shipped via spam email attachments)
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources
  • Remind users to be cautious when clicking on links in emails coming from trusted sources
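
The attachment-blocking recommendation above can be checked at a mail gateway or in a mailbox audit script. The following Python sketch is an added example, not eSentire code: it parses a raw message and reports attachments whose final extension is on the advisory's block list, including double extensions such as .pdf.js and names with trailing dots. The function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extension list copied from the advisory's SMTP blocking recommendation.
BLOCKED_EXTENSIONS = {".js", ".wsf", ".zip", ".docm", ".vbs", ".exe", ".msi", ".dll"}


def final_extension(filename):
    """Return the lower-cased last extension, e.g. 'scan.pdf.js' -> '.js'."""
    # Windows ignores trailing dots and spaces, so 'a.zip.' opens as 'a.zip'.
    cleaned = filename.strip().rstrip(". ").lower()
    _, dot, ext = cleaned.rpartition(".")
    return "." + ext if dot else ""


def blocked_attachments(raw_message):
    """Return the attachment filenames in a raw message that should be blocked."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also visits nested multipart sections
        name = part.get_filename()
        if name and final_extension(name) in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample():
    """Constructed sample message (not real traffic) with four attachments."""
    msg = EmailMessage()
    msg["From"] = "copier@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Scanned image"
    msg.set_content("Please see the attached scan.")
    for fname in ("scan_0412.pdf.js", "INVOICE.DOCM", "notes.pdf", "tracking.zip."):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in blocked_attachments(build_sample()):
        print("BLOCK:", name)
```

Matching is on the filename only; it does not inspect archive contents, which is why the advisory's list blocks .zip itself.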