{
	"id": "a348d197-5c20-4e40-963c-3a37b67fcac1",
	"created_at": "2026-04-06T00:15:45.893216Z",
	"updated_at": "2026-04-10T03:20:49.653704Z",
	"deleted_at": null,
	"sha1_hash": "f0db8343da2af2dc05de4ee4f63083d003f21416",
	"title": "New Locky variant - Zepto Ransomware Appears On The Scene",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2319222,
	"plain_text": "New Locky variant - Zepto Ransomware Appears On The Scene\r\nBy Pierluigi Paganini\r\nPublished: 2016-07-07 · Archived: 2026-04-05 19:01:24 UTC\r\nA new threat dubbed Zepto Ransomware is spreading through a new email spam campaign. It is a variant of the recent Locky Ransomware.\r\nThe news was recently reported in a blog post by the Cisco Talos team:\r\n“We are watching Zepto very carefully. It’s closely tied to Locky, sharing many of the same attributes,” said Craig Williams, senior technical leader and global outreach manager at Cisco Talos.\r\n“There is still a lot to learn about Zepto. As far as we can tell, it’s either a new variant of Locky or an entirely new ransomware with many copycat Locky features,” he said.\r\nIn the last week, experts observed more than 140,000 emails using a particular naming convention to deliver a malicious attachment.\r\nThe email body is generated from a template: the greeting is picked at random from an array and followed by the [NAME] of the recipient.\r\nAs with previous variants of the same malware family, the text of the email attempts to trick the victim into opening the attachment.\r\nhttp://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html\r\nPage 1 of 10\n\nThe attachment is a .zip archive containing the JavaScript (.js) downloader.\r\nThe js downloader is named according to the format “swift [XXX|XXXX].js”, where each X is a letter (a-f) or a digit (0-9).\r\nOnce the js file is executed through wscript, it downloads the main payload binary from the C2 servers.\r\nMany samples carry a list of hard-coded domains from which to download the binary; other variations use just a few domains.\r\nThe download is done through HTTP GET requests to the defined C2 domains, and the server-side functionality is implemented in PHP.\r\nThrough dynamic analysis we observed that it uses the same technique as Locky to decode the main payload: the 
process is spawned through wscript with the argument ‘321’. Without that argument the decryption routine produces junk code, the execution flow jumps into that junk code and the process crashes.\r\nEncrypted files receive the “.zepto” extension. It targets the same file extensions as Locky, sparing the system files, and reuses much of Locky’s code to implement its malicious behaviour.\r\nOne of the smartest features of the ransomware is that it does not encrypt the files needed for the correct functioning of the OS; otherwise, how could the victims pay?\r\nOnce the encryption of all the files is complete, it shows the instructions on how to get the files back: one picture (_HELP_instructions.jpg) and one HTML page (_HELP_instructions.html) are presented to the victim to explain how to unlock the files.\r\nThe following image shows a machine infected by the Zepto Ransomware:\r\nCisco Talos researchers tracked all the attachments they found in 137,731 spam emails and discovered that there were 3,305 unique samples. They collected them here.\r\nOUR ANALYSIS\r\nOur main contribution will be to find the actual code that differs from the previous version of the Locky Ransomware. 
We hope to help in detecting variations in some core features (encryption routine, file enumeration, drive enumeration…) and to allow experts to distinguish the Locky ransomware family from the Zepto ransomware family.\r\nWe will do this with BinDiff, a tool that lets us compare two binary files and compute the differences. We will use a Locky Ransomware sample with the following hash:\r\nSHA256: e5a6828f732bea6b66c4f6d850b235f6c1f139b10f8d9f2c3760298cfd88c163.\r\nCisco Talos researchers gave us good advice on where to start for this new variant; unfortunately, they did not publish samples we could use in our analysis, so we found another way to get them.\r\nWe grabbed the most recent one in order to study the latest variant.\r\nThe file name is “swift ca6.js”\r\nSHA256: 068e08f01e117f66f607a27492a500cc7c3ffa91cac76dcebbe97667394a9cde.\r\nAs we can see, the file has the same name pattern discovered by Cisco Talos researchers.\r\nNow we need to extract the main payload from the execution of the JavaScript file.\r\nWe will monitor file system activity with Process Monitor (ProcMon) and watch for the files dropped by the malicious js.\r\nIn the above image we can see that the script creates the binary file (1) and creates a process to launch it (2).\r\nInterestingly, the js downloader calls the binary with an argument needed to decode the main payload, just like Locky, and, strangest of all, it uses the same argument for the decryption routine:\r\nHaving identified the directory where the ransomware payload is dropped, we could identify the sample:\r\nSHA256: 5bbc9afa3128956b3f6116037cc97d0ea1c79d8bb5d3e15473d1e9c5c8eecfdf\r\nThe only problem we faced when executing it is that the ransomware does not run its payload: it changes its 
behaviour, killing its main thread and deleting itself, probably because it detects the virtual environment.\r\nSo we started patching the binary in order to study our sample:\r\nWe opened the executable in OllyDbg with the argument 321 and started analysing the code, searching for tricks used for VM detection.\r\nLooking at the list of intermodular calls, we investigated the GetProcAddress call and found something interesting:\r\nthis ransomware uses the RDTSC anti-VM technique:\r\n“The Time Stamp Counter (TSC) is a 64-bit register present on all x86 processors since the Pentium. It counts the number of cycles since reset.” (Wikipedia)\r\nIf the code is being emulated, the time stamp will change noticeably between two readings. The result is stored in EDX:EAX.\r\nOn a real host machine the difference between two readings is usually less than 100, but if the code is emulated the difference will be huge.\r\nReplacing those instructions with NOPs and patching the executable let us launch the ransomware successfully.\r\nNow we wait until it decodes itself; when it contacts the domains to fetch the RSA key (which means it has decoded itself and loaded in memory), we suspend the process in order to dump it from memory for further analysis.\r\nWe will use a handy tool to dump a process loaded in memory: Process Dump.\r\nThe highlighted file is our unpacked sample of Zepto Ransomware.\r\nNow that we have our fresh, unpacked sample of Zepto Ransomware, we need to produce the .idb files of the two ransomware samples for the comparison in BinDiff; IDA Pro will do this easily.\r\nSo let’s compare our two samples and look at the results:\r\nThe first result returned by the tool is a set of pie charts showing the 
numbers of functions, calls, basic blocks and jumps.\r\nGreen denotes the matched elements (including the changed ones), red the new Zepto elements that are not present in Locky, and gray the Locky elements that are not present in Zepto.\r\nOverall, the two binaries have a similarity coefficient of 0.86, which is high for two supposedly different ransomware families.\r\nThe table in the lower part of the image summarizes our results: Zepto has more functions, calls, basic blocks, jumps and instructions than Locky.\r\nAlso interesting are the results shown in the Secondary Call Graph window: 99.9% of the 821 Locky functions are matched in Zepto, 15 functions (1.8%) changed, and, impressively, just 1 function (0.1%) is unmatched.\r\nIn the left window we can see that 149 functions (15.4%) are unmatched, meaning that functions were added in the new version of the ransomware.\r\nOf the total instructions in Locky (24,947), 96.9% are identical and just 3.1% differ.\r\nHow much has Zepto changed, and how many new features does it have?\r\nAnswering exactly is not easy, but we can give some good statistics.\r\nZepto has, of course, more instructions overall than Locky: 32,292, of which 8,110 are new, i.e. 25.1% new code.\r\nThis means that Zepto will certainly have some new behaviour compared to Locky, but in most respects it will act like Locky, and even with small improvements it will still evade the AV engine.\r\nIt looks like the author of the ransomware took the previous Locky code, added new features and 
changed some code to evade signature-based detection.\r\nLet’s investigate some of the changed functions and try to find the major differences.\r\nLooking at the list of matched functions, we can easily identify the functions that changed in this new version of the ransomware thanks to the similarity coefficient computed by BinDiff:\r\nFrom the above image we can see that of the 820 matched functions, just 15 are changed and 805 are identical.\r\nThis means that 98.1% of the Locky functions are identical in Zepto.\r\nWe can therefore confirm that Zepto is just an extension of Locky with new features added.\r\nAnalysing the changed functions, the most notable discovery was in the encryption routine used to encrypt the files: it has the same CFG, and the only change is the appending of the final file extension:\r\nThe encryption routine implemented in Zepto is similar to Locky’s.\r\nOn the left and right sides we can see that the CFGs are identical if we look only at branch instructions and calls; only the instructions in the yellow basic blocks changed.\r\nIn fact, the report for that function says exactly that:\r\nCONCLUSION\r\n“If Zepto sticks with this attack vector it may never become a serious threat. However, it’s very likely Zepto moves into exploit kits as time goes on,” Williams said. 
“A move by Zepto to malvertising, for example, could get bad very fast,” he said.\r\nWhat we can say is that Zepto Ransomware is not a new ransomware merely copying some Locky features, because there is too much identical code.\r\nIf an AV engine tracks the main behaviours of Locky, such as drive enumeration or the encryption routine, it will still spot this threat as Locky because, as we saw, this new version of Locky does not change the inner logic of the most crucial behaviours.\r\nWe can define Zepto as Locky Ransomware 2.0, and in all probability the authors of this new variant are the same people behind Locky Ransomware.\r\nREFERENCES\r\nhttp://securityaffairs.co/wordpress/48725/malware/locky-ransomware-back.html\r\nhttp://www.iswatlab.eu/wp-content/uploads/2015/09/Technical_Report_Ransomware.pdf\r\nhttp://blog.talosintel.com/2016/06/gotta-be-swift-for-this-spam-campaign.html\r\nhttps://threatpost.com/locky-variant-zepto-debuts-with-big-spam-push/119017/\r\nhttp://resources.infosecinstitute.com/anti-debugging-and-anti-vm-techniques-and-anti-emulation/\r\nWritten by the IT Security Expert Antonio Cocomazzi\r\nAntonio Cocomazzi is an IT Security Expert specialized in the malware analysis field. Young and recently graduated, he conducted a 6-month research project focused on ransomware, giving a full characterization of the recent families and defining a new methodology for dissecting this kind of malware.\r\nEdited by Pierluigi Paganini\r\n(Security Affairs – Locky Ransomware, Zepto ransomware)\r\nSource: http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html"
	],
	"report_names": [
		"zepto-ransomware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434545,
	"ts_updated_at": 1775791249,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0db8343da2af2dc05de4ee4f63083d003f21416.pdf",
		"text": "https://archive.orkl.eu/f0db8343da2af2dc05de4ee4f63083d003f21416.txt",
		"img": "https://archive.orkl.eu/f0db8343da2af2dc05de4ee4f63083d003f21416.jpg"
	}
}