Trend Micro - Securing Your Journey to the Cloud Business
Support
Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Emerging Threat on RANSOM_LOCKY / ZEPTO

    • Updated:
    • 27 Jul 2018
    • Product/Version:
    • OfficeScan 11.0
    • OfficeScan 10.6
    • Worry-Free Business Security Standard/Advanced 9.0
    • Worry-Free Business Security Standard/Advanced 8.0
    • Hosted Email Security 2.0
    • Deep Security 8.0
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • Deep Security 10.0
    • ScanMail for Lotus Domino 5.0 AIX
    • ScanMail for Lotus Domino 5.0 zLinux
    • ScanMail for Lotus Domino 5.0 Windows
    • ScanMail for Exchange 8.0 2000/2003/2007
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1
    • InterScan Web Security Virtual Appliance 6.0
    • InterScan Web Security Virtual Appliance 5.6
    • Deep Discovery Analyzer 5.5
    • Deep Discovery Email Inspector 2.5
    • OfficeScan XG.All
    • Trend Micro Email Security 1.0
    • Platform:
    • N/A N/A
Summary

Ransom_LOCKY usually arrives via social engineered spam mails to trick users into clicking the attachment.

No exploit was used in the spam.  The user has to click the attachment to initiate the infection chain; which has been observed to contain a DOC file that has a macro code that drops a BAT file when executed. The BAT files also drops a VBS file which downloads this ransomware.

It deletes shadow copies by running vssadmin.exe and adds a run key entry to enable its execution at every system start-up.  The run key entry enables the ransomware to continue encrypting files even if interrupted during the previous execution.

The dropped copy, once executed, attempts to retrieve a unique ID, public key and ransom note from the registry. If it fails to retrieve information from the registry, it contacts its C&C server to obtain this specific information and saves it to the registry.

The public key is used for its RSA encryption algorithm.

ZEPTO is known to share technical similarities with LOCKY, especially with spam email-based distribution methods to the use of RSA encryption keys for locking certain file types.

Since LOCKY’s discovery in February 2016, it has continued to evolve and successfully target both individuals and businesses, and has been used in a number of high-profile ransomware attacks on healthcare facilities. 

After a binary is downloaded and executed, local files are encrypted and the malware displays a message for the victim demanding payment in Bitcoin. The user receives instruction screens in an .HTML file dropped by the malware, an image file, and a background/wallpaper change. ZEPTO appears to be gaining some traction due to its efficient attack vector—a widespread spam campaign, whereas most ransomware is delivered via other vectors.

Locky Zepto Infection Chain

Click image to enlarge.

Antispam Pattern

LAYERDETAILPATTERN VERSIONRelease Date
DYNAMICSpam Mail with attached documentAS 21462/21/2016

VSAPI Pattern (Malicious File Detection)

LAYERDETECTIONPATTERN VERSIONRelease Date
INFECTIONHB_LOCKYJENT 12.393.003/9/2016
INFECTIONHB_LOCKYMENT 12.407.003/15/2016
INFECTIONRansom_LOCKY.SMENT 12.359.0002/24/16
INFECTIONRansom_LOCKY.SM0ENT 12.359.002/24/2016
INFECTIONRansom_LOCKY.SM1ENT 12.361.0002/25/16
INFECTIONRansom_LOCKY.SM2ENT 12.361.0002/25/16
INFECTIONW2KM_LOCKY.AENT 12.349.0002/17/16
INFECTIONX2KM_LOCKY.AENT 12.351.0002/18/16
INFECTIONJS_LOCKY.AENT 12.353.0002/18/16
INFECTIONRANSOM_LOCKY.DLDSWENT 12.637.007/8/2016

WRS Pattern (Malicious URL and Classification)

LAYERURLCATEGORYBlocking Date
INFECTIONecoledecorroy{blocked}.be/1/1.exeVirus Accomplice2/19/2016
INFECTIONratgeber-beziehung{blocked}.de/5/5.exeVirus Accomplice2/19/2016
INFECTIONluigicalabrese{blocked}.it/7/7.exeVirus Accomplice2/19/2016
INFECTIONanimar{blocked}.net.pl/3/3.exeVirus Accomplice2/19/2016
CLEAN-UPsso{blocked}.anbtr.com/domain/kqlxtqptsmys.inRansomware2/20/2016
CLEAN-UPxsso{blocked}.kqlxtqptsmys.in/c43344d5351f579349b5f90e1a038859Ransomware2/20/2016
CLEAN-UPpvwinlrmwvccuo{blocked}.eu/main.phpRansomware2/19/2016
CLEAN-UPwblejsfob{blocked}.pwRansomware2/20/2016
CLEAN-UPkqlxtqptsmys{blocked}.inRansomware2/20/2016
CLEAN-UPxsso{blocked}.kqlxtqptsmys.inRansomware2/20/2016
CLEAN-UPcgavqeodnop{blocked}.itRansomware2/20/2016
CLEAN-UPpvwinlrmwvccuo{blocked}.euRansomware2/20/2016
CLEAN-UPkvm17915{blocked}.hv9.ruRansomware2/20/2016
CLEAN-UPkqlxtqptsmys{blocked}.in/main.phpRansomware2/20/2016
CLEAN-UPmondero{blocked}.ru/system/logs/56y4g45gh45hDisease Vector2/19/2016
CLEAN-UPpvwinlrmwvccuo{blocked}.eu/main.phpRansomware2/20/2016
CLEAN-UPtcpos.com{blocked}.vn/system/logs/56y4g45gh45hRansomware2/20/2016
CLEAN-UPwww{blocked}.bag-online.com/system/logs/56y4g45gh45hRansomware2/20/2016
CLEAN-UP31{blocked}.41.47.37/main.phpRansomware2/20/2016
CLEAN-UP188{blocked}.138.88.184/main.phpRansomware2/20/2016
CLEAN-UP95{blocked}181.171.58C&C server2/19/2016
CLEAN-UP185{blocked}.14.30.97C&C server2/27/2016
CLEAN-UP109{blocked}.234.38.35Disease Vector2/19/2016

AEGIS Pattern (Behavior Monitoring Pattern)

LAYERDETECTIONPATTERN VERSIONRelease Date
DYNAMIC1981TTMTD 15263/23/2016
DYNAMIC1981FTMTD 15294/5/2016
DYNAMIC1980TTMTD 15263/23/2016
DYNAMIC1980FTMTD 15294/5/2016
DYNAMIC1856TOPR 148310/6/2015
DYNAMICRAN2013TOPR 15657/21/2016
DYNAMICRAN4705TOPR 15819/1/2016

DCT Pattern (System Clean Pattern)

LAYERDETECTIONPATTERN VERSIONRelease Date
CLEANUPTSC_GENCLEANLatest DCT OPRBUILT-IN

Network Pattern

LAYERDETECTIONPATTERN VERSIONRelease Date
CLEANUPHTTP_RANSOM_LOCKY_REQUESTRR 1.10151.003/15/2016
 
Make sure to always use the latest pattern available to detect the old and new variants of Ransom_LOCKY / ZEPTO.
Details
Public

Solution Map - What should customers do?

Major ProductsVersionsVirus PatternBehavior MonitoringWeb ReputationDCT PatternAntispam PatternNetwork Pattern
OfficeScan11 SP1 above










Update Pattern via web console

Turn On Ransomware Protection Feature/Update Pattern via Web console








Enable Web Reputation Service*




Update Pattern via Web console




Not Applicable




Update Pattern via Web console

10.6 and aboveUpdate Pattern via web console
Worry Free Business Suite9 SP1 aboveTurn On Ransomware Protection Feature/Update Pattern via Web console
8 and above
Update Pattern via web console

Update Pattern via web console

Hosted Email Security
Deep Security8.0 and above






Not Applicable		Update Pattern via web console
Not Applicable		Update Pattern via Web console
ScanMailSMEX 10 and later




Not Applicable

Update Pattern via Web console



Not Applicable
SMD 5 and later
InterScan MessagingIMSVA 8.0 and above
InterScan WebIWSVA 6.0 and later
Deep DiscoveryDDI 3.0 and later
Not Applicable		Update Pattern via web console
DDAN
DDEI
 
* Refer to the Product Administrator’s Guide on how to enable the Email Reputation or Web Reputation services features.

Recommendations

Threat Report

Blog

Premium
Internal
Rating:
Category:
Update; SPEC
Solution Id:
1115294
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.