Ransom_LOCKY usually arrives via social engineered spam mails to trick users into clicking the attachment.

No exploit was used in the spam.  The user has to click the attachment to initiate the infection chain; which has been observed to contain a DOC file that has a macro code that drops a BAT file when executed. The BAT files also drops a VBS file which downloads this ransomware.

It deletes shadow copies by running vssadmin.exe and adds a run key entry to enable its execution at every system start-up.  The run key entry enables the ransomware to continue encrypting files even if interrupted during the previous execution.

The dropped copy, once executed, attempts to retrieve a unique ID, public key and ransom note from the registry. If it fails to retrieve information from the registry, it contacts its C&C server to obtain this specific information and saves it to the registry.

The public key is used for its RSA encryption algorithm.

ZEPTO is known to share technical similarities with LOCKY, especially with spam email-based distribution methods to the use of RSA encryption keys for locking certain file types.

Since LOCKY’s discovery in February 2016, it has continued to evolve and successfully target both individuals and businesses, and has been used in a number of high-profile ransomware attacks on healthcare facilities. 

After a binary is downloaded and executed, local files are encrypted and the malware displays a message for the victim demanding payment in Bitcoin. The user receives instruction screens in an .HTML file dropped by the malware, an image file, and a background/wallpaper change. ZEPTO appears to be gaining some traction due to its efficient attack vector—a widespread spam campaign, whereas most ransomware is delivered via other vectors.

Click image to enlarge.

Antispam Pattern

VSAPI Pattern (Malicious File Detection)

WRS Pattern (Malicious URL and Classification)

AEGIS Pattern (Behavior Monitoring Pattern)

DCT Pattern (System Clean Pattern)

Network Pattern