| Field | Value |
|---|---|
| Encryption Type | AES-128, RSA-2048 |
| Short Description | Zepto ransomware is a new variant of Locky ransomware, distributed as zipped JavaScript files. |
| Symptoms | Once the victim is infected, the .zepto extension is appended to each encrypted file. |
This ransomware is distributed via spam emails carrying either a malicious ZIP archive (containing the JavaScript downloader) or a .docm file as the attachment.
The ransom note dropped by Zepto, _HELP_instructions.html, is shown below.
Zepto renames each encrypted file to a GUID-style name made of five hyphen-separated groups of hexadecimal characters (8-4-4-4-12) followed by the .zepto extension, for example eight hex characters, then three groups of four, then twelve, then .zepto. The renamed files are shown below.
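The rename pattern above is the most reliable host-side indicator of a Zepto infection in progress. The following is an added example (not code from the original page or from the Zepto sample) that matches file-rename events against that exact 8-4-4-4-12 hex shape; the event list is constructed for illustration, and the same-directory check is an assumption based on the page's note that files are renamed in place with MoveFileExW rather than moved.

```python
import re
from pathlib import PureWindowsPath

# GUID-style name described above: 8-4-4-4-12 hex groups plus the .zepto extension.
ZEPTO_NAME = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.zepto$",
    re.IGNORECASE,
)

# Constructed sample of rename events (old path -> new path), in the shape an
# EDR or Sysmon file-rename feed would report them. Not taken from the page.
SAMPLE_EVENTS = [
    ("C:\\Users\\alice\\Documents\\budget.xlsx",
     "C:\\Users\\alice\\Documents\\D3A1B2C4-5E6F-7A8B-9C0D-1E2F3A4B5C6D.zepto"),
    ("C:\\Users\\alice\\Documents\\report.docx",
     "C:\\Users\\alice\\Documents\\D3A1B2C4-5E6F-7A8B-9C0D-1E2F3A4B5C6E.zepto"),
    ("C:\\Users\\alice\\Desktop\\notes.txt",
     "C:\\Users\\alice\\Desktop\\notes.bak"),            # benign rename
    ("C:\\Users\\alice\\Pictures\\holiday.jpg",
     "C:\\Users\\alice\\Pictures\\holiday.jpg.zepto"),   # appended, not the Zepto shape
]


def is_zepto_rename(old_path, new_path):
    """True when a rename produces the GUID-style .zepto name described above."""
    old, new = PureWindowsPath(old_path), PureWindowsPath(new_path)
    # Zepto replaces the whole file name, so the new name must match the
    # pattern exactly; a simple appended ".zepto" does not count.
    if not ZEPTO_NAME.match(new.name):
        return False
    # Assumption: the rename happens in place (MoveFileExW on the same
    # directory), so a cross-directory move with a GUID name is not flagged.
    return old.parent == new.parent


def flag_zepto_renames(events):
    """Return the (old, new) pairs that look like Zepto encrypting a file."""
    return [(old, new) for old, new in events if is_zepto_rename(old, new)]


def affected_directories(events):
    """Directories touched by flagged renames, useful for scoping a response."""
    return sorted({str(PureWindowsPath(old).parent)
                   for old, _ in flag_zepto_renames(events)})


if __name__ == "__main__":
    for old, new in flag_zepto_renames(SAMPLE_EVENTS):
        print(f"ZEPTO RENAME: {old} -> {new}")
    print("affected:", affected_directories(SAMPLE_EVENTS))
```

In production the regex would run over a live rename feed rather than a list; the point of the shape check is that it is tighter than matching on the `.zepto` suffix alone, which the fourth constructed event shows would otherwise produce a false positive.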
Zepto renames files with the MoveFileExW API function, producing the pattern described above. It also deletes Volume Shadow Copies by calling the functions exported by vssapi.dll directly rather than spawning a command-line tool, which matters for detection engineering: rules that key only on vssadmin.exe or wmic command lines will not see it. Encryption is ordered by a weight-based priority list: the weight table covers 196 file extensions with weights ranging from 7 down to -1, and the highest priority goes to wallet.dat, the Bitcoin Core wallet file, since its presence indicates the user owns cryptocurrency and is more likely to pay. The priority list is shown below.
The infection process can be summarized as follows: