Security researchers have raised concerns that attackers are gearing up for a massive Locky-related ransomware campaign

Ransomware that locks up business critical data and demands payment to release it continues to increase in popularity with cyber criminals, and a fresh campaign is underway, warn researchers.

There has been a huge increase in the number of spam messages designed to infect unwary recipients’ computers with the Zepto ransomware, according to Cisco’s Talos security intelligence and research group.

Zepto is a variant of Locky, which was one of the most widespread ransomware attacks in the first quarter of 2016, affecting organisations in 114 countries.

Security researchers are keeping a close watch on Zepto and trying to find out as much as they can because of its close ties with Locky, its professional build and the fact that there is still no known method of decrypting the information.

Talos reseachers are particularly concerned that Zepto will move into exploit kits and that attackers will move on from spam to other distribution methods, such as malvertising, according to ThreatPost.

Zepto shares several technical similarities with Locky, including the use of similar RSA encryption keys and file types to infect systems.

In May 2016, security researchers at Kasperky Lab and FireEye identified ransomware as the top threat to business. In April 2016, Eset reported that ransomware accounted for around a quarter of cyber threats targeting internet users in the UK.

Talos researchers report that a fresh Zepto spam campaign started on 27 June 2016, with 137,731 spam messages carrying the ransomware recorded in the first four days.

All use a compressed .zip archive which included a malicious javascript file used to infect the recipients computer with the Zepto ransomware. All the javascript files name start with “swift” and are followed by a set of hexadecimal characters.

The spam messages use various subject lines, such as “document copies”, and various sender profiles, such as “CEO”, to encourage recipients to open the message and execute the malicious javascript.

The body of the emails generally urge the recipient to look at their “requested” documentation, while the name of the attached .zip file is created by combining the recipient’s name and a random number such as pdf_copy-peter_461397.

The malicious javascript uses ‘wscript.exe’ to launch HTTP GET requests to the defined command and control (C&C) domains, with some samples initiating connectivity to a single domain, while others connected to up to nine domains.

Once the binary is downloaded and executed, the machine begins a process of encrypting the local files and then demands ransom in Bitcoin to decrypt the files.

----------------------------------------------------------------------------------------------

From Jude Daigle.

We are receiving calls almost daily from customers getting hit with ransomware!

It is not about IF you will get hit with this It's WHEN, and will you be prepared or will your organization be CRIPPLED.

This is not just about having Anti Virus installed this is Ransomware and you may pay $500 or more just to release your files!

Are you prepared?

If you are not sure call Jude or Bob 724-838-7526 or email me at jdaigle@paconnect.com