Security researchers have identified a new variant of the Zepto ransomware that includes several new features and mechanisms.
Zepto Is Now Improved
Security experts have discovered a new Zepto variant circulating on the Internet. The improved code carries hardcoded RSA keys and does not contact the remote C&C servers to communicate with the operators. As in previous versions, the ransomware encrypts the victim's files and appends the .zepto extension.
Because the malware now carries its own keys, it can function fully offline. This makes it suitable for drop attacks in which Internet access may not be available. The researchers note that the matching private key is probably stored on backend servers owned by the operators, so the files remain decryptable by them. The code for contacting the remote servers has not been removed, but it is not executed at start time.
The other addition to Zepto is a file type "weight" used by the developers. Zepto now has a priority file list that sorts the order of the file encryption process. The table covers a total of 196 file extensions with weight values from -1 to 7. The highest priority is given to the wallet.dat file, whose presence indicates that the user of the target host is familiar with Bitcoin, which makes ransom payment more likely.
The actual encryption process is the following:
1. The ransomware scans the connected drives in accordance with the file priority list. The paths of the files and directories are saved in a temporary file.
2. The list is sorted according to the predefined rules.
3. The target files are encrypted according to the ranks in the list.
The new variant uses the AES cipher with a randomly generated key for each target file. The RSA cipher, with the hardcoded public key mentioned earlier, is used to encrypt those AES keys.
Each compromised file contains a header structure holding specific values: the User ID, the encrypted AES key and data about the original file, including its name and attributes. This header is used to restore the original state upon decryption. Like other well-known ransomware families, Zepto deletes the Volume Shadow Copies, but it employs a different strategy: instead of running a separate tool, it calls the vssapi.dll library directly.
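Two of the behaviours described above can be turned into host-level detections: a process outside the normal backup tooling loading vssapi.dll, and a process writing a burst of files with the .zepto extension. The following is an added example, not code from the original report; the event format is loosely modelled on Sysmon ImageLoad/FileCreate fields, and the sample events, thresholds and the allowlist of legitimate vssapi.dll users are constructed assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime

# Assumed baseline of processes that legitimately load vssapi.dll
# (constructed starting point; extend with your own backup agents).
VSS_ALLOWLIST = {"vssadmin.exe", "wbadmin.exe", "wbengine.exe"}
ZEPTO_BURST_THRESHOLD = 5   # .zepto files per process before alerting
ZEPTO_BURST_WINDOW_S = 60   # ... created within this many seconds

SUSPECT = "C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe"  # constructed path

# Constructed sample events (not real telemetry).
EVENTS = [
    {"ts": "2016-07-01T10:00:00", "type": "ImageLoad",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "loaded": "C:\\Windows\\System32\\vssapi.dll"},
    {"ts": "2016-07-01T10:01:00", "type": "ImageLoad",
     "image": SUSPECT, "loaded": "C:\\Windows\\System32\\vssapi.dll"},
] + [
    {"ts": f"2016-07-01T10:01:{i:02d}", "type": "FileCreate",
     "image": SUSPECT, "target": f"C:\\Users\\bob\\Documents\\doc{i}.zepto"}
    for i in range(6)
]


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, process image) alerts for the two Zepto behaviours."""
    alerts = []
    zepto_times = defaultdict(list)   # process image -> recent .zepto timestamps
    for e in events:
        proc = basename(e["image"])
        if (e["type"] == "ImageLoad" and basename(e["loaded"]) == "vssapi.dll"
                and proc not in VSS_ALLOWLIST):
            alerts.append(("vssapi_load_unexpected", e["image"]))
        elif e["type"] == "FileCreate" and e["target"].lower().endswith(".zepto"):
            t = datetime.fromisoformat(e["ts"])
            times = zepto_times[e["image"]]
            times.append(t)
            # Keep only creations inside the sliding window.
            while (t - times[0]).total_seconds() > ZEPTO_BURST_WINDOW_S:
                times.pop(0)
            if len(times) == ZEPTO_BURST_THRESHOLD:   # fire once when crossed
                alerts.append(("zepto_burst", e["image"]))
    return alerts


if __name__ == "__main__":
    for rule, image in detect(EVENTS):
        print(f"ALERT {rule}: {image}")
```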
So far no major infections with the new variant have been reported. The new code shows that malware authors are actively adding features to their most dangerous tools of the trade. Security researchers have not yet managed to create a working solution that decrypts Zepto-encrypted files. All users are advised to protect themselves from the threat by following the well-known security tips: do not open unknown files and links, and back up all sensitive data to secure locations.