The body of the emails were generally urging the user to look at their "requested" documentation. The name of the attached .zip file is created by combining the username in the 'To' email address header, an underscore, plus a random number:
Fig3. Subject BreakdownWhen run in a sandbox Zepto exhibits a number of questionable behaviors that quickly leads to its conviction as malware.
Video1. Zepto Infection
Once the binary is downloaded and executed the machine begins a process of encrypting the local files and then demands ransom from the user to decrypt the files. The user will be presented with the following "_HELP_instructions" screens, both from Internet Explorer for the .HTML file dropped by the malware, an image file presented with Windows Picture & Fax Viewer and also a background/wallpaper change to highlight you have been encrypted using this piece of malware.
Fig6. Compromised victim view
ConclusionThis is not a new method of attack, however, it is one which is gaining ground. The phishing/spam campaigns now generally carry a large risk of associated ransomware and this is no different. The ability to withhold files from users is, unfortunately, becoming very normal with attacks that people are faced with everyday. Our adversaries do not care as to what they destroy or ransom from you, they simply care about their endgames, payment. The email attack vector will continue to be used as email is an everyday occurrence now and the ability to generate large lists of emails for spam campaigns like this is growing easier. The breaches which occur include email data which is actively sold to bidders on the underground for this type of campaign. Ensuring users are careful with email attachments, like the ones used in this campaign, will help in an attempt to null the effects of this and further spam campaigns. Talos recommend you ensure you have a good backup strategy should you be hit with ransomware and we strongly advise that payment is never made to these actors.
IOCsA list of all hashes is included in zepto_hash_IOCs.txt
CoverageAdditional ways our customers can detect and block this threat are listed below.
AMP) is ideally suited to prevent the execution of the malware used by these threat actors.
CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.
The Network Security protection of IPS and NGFW have up-to-date signatures to detect malicious network activity by threat actors.
ESA can block malicious emails sent by threat actors as part of their campaign.