Enter yourIt has been a month since a tangible decline in the spreading of the Locky ransomware occurred. Back then, experts discovered that a supporting botnet stopped functioning, which explains why the number of infection incidents dropped dramatically. The comeback of both the botnet and the crypto malware in question, therefore, isn't accidental. The new iteration reportedly uses the same data encryption technique but differs from the forerunner in several ways.
First off, the ransomware now appends the .zepto extension to files instead of the previous .locky one. Secondly, the names of files holding the ransom instructions have altered, with the _HELP_instructions.html and _HELP_instructions.bmp combo being dropped on victims' machines. The format of tweaked filenames proper underwent a modification as well. While the preceding variant replaced the names with uninterrupted strings consisting of victim ID and 16 hexadecimal characters, the new one uses five blocks of symbols separated by hyphens.
The distribution of the Zepto version rests upon large volumes of spam. By leveraging the automated botnet, the ransomware operators are able to generate thousands of contagious messages sent to potential victims around the globe. These are emails pretending to be tax reports, invoices or CVs. The attached ZIP or Microsoft Office files are programmed to execute Zepto as soon as the users open them.
The infection encourages victims to visit the Locky Decrypter Page, which contains tips on how to purchase Bitcoins and a Bitcoin address to send the ransom of 0.5 BTC. After the payment has been confirmed, the service will allegedly provide a link to download the decrypt solution. Just like in the average ransomware breach scenario, paying up is the last resort. Before doing so, users should try to recover their data using an alternative methodology based on forensic tools and the built-in Windows backup features.