New “.zepto” encryption is on the loose

The cybercriminals came up with encryption – “.zepto”

The return of Locky ransomware back on the stage is definitely bad news for everyone in the security industry as well as many users all around the world. After the mysterious disappearing of the Necurs botnet for nearly a month, now Locky is spreading again with an even more extensive campaign. This time, the notorious ransomware comes armed up with a couple of updates and a new malicious “.zepto” encryption.

Necurs Botnet is at it again – spreads a new Locky Campaign!

Zepto infects Windows computers through spam emails with attachments masked as JavaScript files, which in fact carry a contagious loader. The distribution scheme uses the same old and lucrative tactic as before. The cybercrooks rely on the victims’ curiosity by sending them a catchy email that encourages them to open the malicious attachment. A single click is enough to activate the malware and encrypt the victim’s files with the .zepto encryption.


The hackers have made this ransomware so stealthy that no symptoms could be detected until the encryption is completed. The malicious script silently infiltrates all personal files on the local drives, removable drives and even mapped networks. Once the scanning is completed, .Zepto version applies an AES-128 cipher to encrypt all selected files, and then another asymmetric RSA-2048 cryptosystem to encode the decryption key. All encrypted files’ extensions are changed to “.zepto”.

.zepto File Virus Removal

To make sure victims can see the ransom note, the .Zepto ransomware changes even the Windows desktop image to “_HELP_instructions.bmp” and additionally creates a file named _HELP_instructions.html in every encrypted folder. The ransom note contains information about the victim’s personal identification ID as well as several Tor links and instructions on how the victim could obtain the secret decryption key.

The following warning message appears on the note:

“All of your files are encrypted with RSA-2048 and AES-128 ciphers”. The perpetrators go on to say “Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server”.

The ransom that this cryptovirus demands is in the amount of 0.5 Bitcoins, which is about 300 USD. However, a bigger ransom could be demanded in case a large enterprise falls victim to this ransomware, which is very likely.

It appears that after its comeback, Locky is again on top with new and more sophisticated malicious tools. According to security researchers, this new attack is probably just the beginning of a series of malware campaigns. Unfortunately, at this moment, there is no decryptor that could break the “.zepto” encryption algorithm. However, in case you have fallen a victim to this nasty ransomware, here  are some recovery techniques that can be of help.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment