
Name: Zepto
Type: Crypto ransomware
Encryption type: AES-128, RSA-2048
Short description: Zepto ransomware is a new variant of Locky ransomware, distributed using zipped JavaScript files.
Symptoms: Once the victim is infected, the ransomware appends the .zepto extension to each encrypted file.
Distribution Method

This ransomware is distributed via scam emails with a malicious ZIP archive and .docm file attached.

Image

The screenshot below shows the ransom note of Zepto ransomware, _HELP_instructions.html.

[Image: Zepto ransom note, _HELP_instructions.html]

More Details

This ransomware renames each encrypted file as follows: eight hexadecimal characters, then four, four and four hexadecimal characters, then twelve hexadecimal characters, each group separated by a hyphen, followed by the .zepto extension. The screenshot below shows how the files are renamed.

[Image: files renamed to the 8-4-4-4-12 hexadecimal pattern with the .zepto extension]
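The rename pattern described above is a usable file-system indicator: a defender can sweep a share or a host for names of that exact shape, and for the ransom note _HELP_instructions.html, and count hits per directory. The script below is an added example written for this page, not code from the original; the paths and hexadecimal names in the sample listing are constructed and are not real indicators.

```python
import os
import re
from collections import defaultdict

# Zepto renames every encrypted file to eight-four-four-four-twelve hexadecimal
# groups followed by the .zepto extension; the ransom note is _HELP_instructions.html.
ZEPTO_NAME_RE = re.compile(
    r"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\.zepto$"
)
RANSOM_NOTE_NAME = "_HELP_instructions.html"


def is_zepto_name(filename):
    """True if the bare file name matches the Zepto rename pattern exactly."""
    return ZEPTO_NAME_RE.match(os.path.basename(filename)) is not None


def classify_paths(paths):
    """Split a list of file paths into renamed victims and ransom notes.

    Returns (zepto_files, ransom_notes), both lists of paths in input order.
    """
    zepto_files = [p for p in paths if is_zepto_name(p)]
    ransom_notes = [p for p in paths if os.path.basename(p) == RANSOM_NOTE_NAME]
    return zepto_files, ransom_notes


def hits_per_directory(paths):
    """Count renamed files per directory; many hits in one folder is a strong signal."""
    counts = defaultdict(int)
    for p in paths:
        if is_zepto_name(p):
            counts[os.path.dirname(p)] += 1
    return dict(counts)


def scan_tree(root):
    """Walk a real directory tree and classify every file found (for live use)."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return classify_paths(paths)


# Constructed sample listing (hypothetical paths and hex names, not real IoCs).
SAMPLE_PATHS = [
    "/srv/share/docs/D1E2F3A4-B5C6-D7E8-F9A0-B1C2D3E4F5A6.zepto",
    "/srv/share/docs/0A1B2C3D-4E5F-6A7B-8C9D-0E1F2A3B4C5D.zepto",
    "/srv/share/docs/_HELP_instructions.html",
    "/srv/share/docs/report.docx",
    "/srv/share/pics/FFFFFFFF-0000-1111-2222-333333333333.zepto",
    "/srv/share/pics/holiday.jpg",
    # prefix before the hex groups: not the pattern, must not match
    "/srv/share/pics/not-zepto-D1E2F3A4-B5C6-D7E8-F9A0-B1C2D3E4F5A6.zepto",
    # last group has only eleven hex characters: must not match
    "/srv/share/pics/D1E2F3A4-B5C6-D7E8-F9A0-B1C2D3E4F5A.zepto",
]

if __name__ == "__main__":
    files, notes = classify_paths(SAMPLE_PATHS)
    print(f"{len(files)} renamed files, {len(notes)} ransom notes")
    for directory, n in sorted(hits_per_directory(SAMPLE_PATHS).items()):
        print(f"  {directory}: {n}")
```

The regular expression is anchored at both ends so that a legitimate file which merely contains a GUID-like string, or a name with a malformed group, does not raise an alert; `scan_tree` applies the same classification to a live directory tree.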

Zepto ransomware uses the MoveFileExW API function to rename files and append the pattern described above. Another feature of this ransomware is that it deletes Volume Shadow Copies by directly invoking API calls from the vssapi.dll library. Moreover, it uses a weight-based priority file list for the encryption process. The weight table comprises 196 file extensions with weight indexes ranging from 7 to -1. The highest priority is given to the wallet.dat file, which indicates that the user owns a virtual wallet and is more likely to pay in bitcoins. The screenshot below shows the priority list of files.

[Image: priority list of file extensions and their weights]

The process of infection can be summarized as follows:

  1. The ransomware scans the entire disk using the priority list shown above. The weight of each file is saved to another list, and smaller files are encrypted with the same effort as larger ones.
  2. The saved list of files is sorted so that the largest weight is at the top.
  3. The files are then encrypted according to the ranked list.