The Zepto ransomware, a variant of the Locky family, encrypts the victim's files and then demands a ransom, paid in Bitcoin, for the key needed to decrypt them. The infection chain is:
- The malicious script file is delivered via some vector.
- The victim executes the malicious script.
- The malicious script downloads the server-side ransomware executable.
- The malicious executable encrypts files, beacons to the command-and-control (CnC) servers, and displays the ransom demand note.
The primary infection method for Zepto has been email messages with a malicious script attached. The script downloads the malware's executable and launches it on the victim's computer; the executable then scans the system for target files and encrypts them. Attachments observed include WSF and JS scripts and DLL files. The varied file types are an attempt to disguise the true nature of the attachment and to slip past filters that only block the more familiar executable extensions.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to this threat and has developed signatures for detecting and mitigating it, depending on the security service in place.
Detection of this threat is provided via the Alert Logic ActiveWatch for Log Manager™ service. The affected host produces log messages when this malware executes, and an incident is generated in the Alert Logic console when these log messages are seen.
Recommendations for Mitigation
Upon discovery of this malware, customers are advised to perform the following actions:
- Visually check to see if the desktop background has been changed to a demand note.
- At times the malware fails to delete the Volume Shadow Copies. In some cases the files have not actually been encrypted, only renamed. Review the files on the host to determine which has taken place before deciding on a recovery path.
- Determine if the most recent backups have been unaffected and could be used to restore the system.
- An application such as ShadowExplorer (or the built-in vssadmin tool) may be used to browse and, where the copies survived, restore files from the Windows Volume Shadow Copies.
- Restore the host from the last known good backup, install all security patches and an up-to-date antivirus, and only then return it to service.
- Configure Software Restriction Policies in the Windows Local Security Policy or in Group Policy to block execution from C:\Users\<user>\AppData\Local\Temp\<*.exe>, %Temp%, and the user-writable locations under C:\Windows such as C:\Windows\Temp. Most ransomware droppers attempt to install from these locations. A blanket rule on all of C:\Windows would block system binaries and break the host, so target the writable subfolders only. Note also that the default Software Restriction Policies file-type list does not include JS, JSE, VBS or WSF, so the script droppers described above are not covered unless those extensions are added.
- If possible, block executable files and scripts from running locally on the host.
- Do not allow Microsoft Office to run macros, or at minimum block macros in documents that arrived from the Internet or as email attachments.
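The shadow-copy check, the Software Restriction Policy path rules and the Office macro lockdown from the list above, scripted for an elevated PowerShell session on the affected host. This is an added example and not part of the Alert Logic advisory. It writes to the same registry locations that Group Policy and secpol.msc use for Software Restriction Policies and Office security settings; the Office version key (16.0), the exact blocked paths, the rule descriptions and the decision to block only C:\Windows\Temp rather than all of C:\Windows are assumptions to adjust per environment.

```powershell
# Added example, not from the Alert Logic advisory. Run from an elevated
# PowerShell session on the affected host. Registry layout is the one
# Group Policy / secpol.msc writes for Software Restriction Policies (SRP).
# Assumptions: Office 16.0 policy key, blocked paths below, current-user scope
# for the Office settings (use a GPO to apply them to every user).
#Requires -RunAsAdministrator

# --- 1. Triage: are Volume Shadow Copies still present for a ShadowExplorer/vssadmin restore?
function Get-ShadowCopySummary {
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    if ($shadows.Count -eq 0) {
        Write-Warning 'No Volume Shadow Copies found; the malware may have deleted them.'
    }
    $shadows | Select-Object ID, VolumeName, InstallDate, DeviceObject
}

# --- 2. SRP baseline: Unrestricted default, deny only the path rules added below.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Enable-SrpBaseline {
    New-Item -Path $SaferRoot -Force | Out-Null
    # 262144 (0x40000) = Unrestricted default security level
    New-ItemProperty -Path $SaferRoot -Name DefaultLevel -PropertyType DWord -Value 262144 -Force | Out-Null
    # 1 = enforce for all software files except libraries; set 2 to include DLLs as well
    New-ItemProperty -Path $SaferRoot -Name TransparentEnabled -PropertyType DWord -Value 1 -Force | Out-Null
    # 0 = apply to all users, including local administrators
    New-ItemProperty -Path $SaferRoot -Name PolicyScope -PropertyType DWord -Value 0 -Force | Out-Null
    # Windows' default designated file types omit JS/JSE/VBS/VBE/WSF/WSH, so the
    # script droppers described in the advisory are appended to the list here.
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
             'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
             'SCR','SHS','URL','VB','WSC','JS','JSE','VBS','VBE','WSF','WSH','PS1'
    New-ItemProperty -Path $SaferRoot -Name ExecutableTypes -PropertyType MultiString -Value $types -Force | Out-Null
}

# One Disallowed path rule = one GUID-named subkey under CodeIdentifiers\0\Paths.
function Add-SrpDisallowedPath {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = 'Ransomware drop location (assumed description)'
    )
    $rulesKey = Join-Path $SaferRoot '0\Paths'          # subkey 0 = Disallowed level
    New-Item -Path $rulesKey -Force | Out-Null
    $ruleKey = Join-Path $rulesKey ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -PropertyType String -Value $Description -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Force | Out-Null
    $ruleKey
}

# --- 3. Office: disable VBA macros by policy for the current user.
function Set-OfficeMacroPolicy {
    param([string]$OfficeVersion = '16.0', [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'))
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        New-Item -Path $key -Force | Out-Null
        # VBAWarnings 4 = disable all macros without notification
        New-ItemProperty -Path $key -Name VBAWarnings -PropertyType DWord -Value 4 -Force | Out-Null
        # Block macros in files carrying the Mark of the Web (downloads, mail attachments)
        New-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# --- Run the three steps.
Get-ShadowCopySummary | Format-Table -AutoSize
Enable-SrpBaseline
# Drop locations from the advisory. Only the writable Temp folder under C:\Windows is
# blocked: a Disallowed rule on all of %WINDIR% would deny system binaries.
foreach ($p in '%LOCALAPPDATA%\Temp\*', '%TEMP%\*', '%WINDIR%\Temp\*') {
    Add-SrpDisallowedPath -Path $p | Out-Null
}
Set-OfficeMacroPolicy
Write-Host 'SRP and Office policy written; sign out or reboot so the path rules apply to new processes.'
```

Two points worth checking after running it: TransparentEnabled is left at 1, which means the DLL attachments the advisory mentions are not covered unless it is raised to 2 (at the cost of a noticeable performance hit and more policy tuning), and the Office keys are written under HKCU, so they bind only the account the script runs as; the equivalent settings under User Configuration in a Group Policy Object are the way to cover every user on the host.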