In keeping with the rising popularity of Locky/Zepto, a spam campaign distributing Zepto ransomware swelled from zero to 137,731 emails with malicious attachments using a new naming convention in just under four days, researchers at Cisco Talos observed.
“The surprise for us was the use of spam-email for ransomware,” Warren Mercer, the security researcher at Cisco Talos who penned a Thursday blog, told SCMagazine.com. “We continue to analyze the malware to determine if there is anything out of the ordinary or special about it.”
The naming convention for the campaign, which began June 27, is “swift [XXX|XXXX].js” with the X being a combination of letters and numbers the researchers have seen with both three and four characters strings after the name “swift.”
After a binary is downloaded and executed, local files are encrypted and a ransom demand is issued. The user receives help instruction screens “both from Internet Explorer for the .HTML file dropped by the malware, an image file presented with Windows Picture & Fax Viewer and also a background/wallpaper change to highlight you have been encrypted using this piece of malware.”
Mercer considers the campaign “to be a serious threat as there is no viable method of decrypting the information.”
The malware, he said, “specifically attempts to hold the end user at ransom for payment in Bitcoin. Depending on the files that are encrypted by this ransomware then the user could be in difficult circumstances if it were business related files, for example.”
While the campaign does not represent a new method of attack, it is gaining some traction, the researchers said. The uptick “could be due to Zepto trying out a new spam campaign to see how efficient it is as an attack vector for ransomware – generally speaking most ransomware is delivered via other vectors currently,” said Mercer.