The Locky and Zepto Evolving Threats – Advanced Forms of Ransomware

Locky and Zepto, The Two Deadly Ransomware

Martin Beltov

Two of the most popular and devastating ransomware variants have emerged this year – Locky and Zepto, the notorious malware that have plagued computer users and business owners worldwide. Both threats are extremely dangerous and use all popular distribution methods. Fortunately, Zepto removal instructions have recently been released.

The situation with Locky is quite different – this ransomware has shown that it can evolve and change. In fact, cyber security experts no longer speak of Locky as a single type, but a whole family of related threats that are spread across the world. The most recent discovery is that Locky infects with DLL files now.  This feature is known to the expert community as “The Locky Trick” due to the fact that the ransomware hides its signature and makes it harder to detect for the anti virus and anti spyware software solutions.

Locky Troubles

Locky has grown to become one of the most popular and devastating ransomware strains in the last year. The threat was identified in February 2016 by the leading security vendors and experts and it has been used successfully against individual users, companies, and even government institutions. This malware uses a strong encryption method that renders all brute force decryption attempts useless.

Notable Locky targets so far include world-leading universities, major hospitals across all continents, government facilities and large corporations. Campaigns against individual users tend to be automated, while the most sophisticated attacks are set up against bigger targets.

The ransomware is spread mainly through spam email messages. Most of the analyzed campaigns so far indicate that all of them share the same content and structure. The Locky executable is sent either as an attachment or as a malicious message. Phishing attacks with the malware are becoming more common as the criminals utilize various social engineering schemes to fool the user into downloading and executing the file. The malicious attachments often contain infected Microsoft Office Documents (Word documents and Excel spreadsheets) that contain obfuscated Visual Basic Script Macros. When they are run by the user, the Locky infection is activated.

The mechanism of action follows this generic pattern:

  1. The Locky binary is copied to the %TEMP% location and renamed as exe, mimicking the Windows system process to avoid user detection. The file then removes several flags from its properties to bypass the “File Downloaded from the Internet” notification.
  2. The binary sets up other defense mechanisms such as renaming its binary files and supplements (depending on the strain).
  3. Registry entries are added to the victim host to restart the encryption process in case of a restart or shutdown of the computer.
  4. Locky deletes all local Volume Shadow Copies to prevent data restoration.
  5. The remote C&C servers are contacted and the infection is reported.
  6. The encryption process is started. A unique set of keys is used for each infected host. This means that manual decryption without the private key is impossible.

The Locky ransomware encrypts 164 of the most commonly used file extensions across 11 categories such as: Microsoft Office documents, media files, archives, image files and etc. The encrypted files are renamed with .locky extension and a ransomware note with the name “_Locky_recover_instructions.txt”  is created in every folder that contains an affected file. Ransom instructions are also generated in a BMP file that is set as the wallpaper. The ransomware works on all connected drives, including removable storage and RAM disks.

The ransom payment website is located in the TOR network and the criminals expect their fee paid in BitCoin. Depending on the strain and encrypted files, the decryptor may cost the user different amounts of money.The usual minimum, however, is at least 0.5 BitCoins.

Locky has spawned a whole family of related ransomware that are spread across the Web. Some of them use the malware’s name or add other letters or combinations. Security experts have even warned computer users that there are counterfeit Locky variants that impersonate its behavior.

Unfortunately, there is no public decryptor available for Locky. As the ransomware deletes the Shadow Volume Copies on the victim computer, a safe backup of all sensitive data is the only way to restore access to the user files at this moment.

Enter Zepto

Zepto is another popular ransomware that is actually a variant of Locky. Most of the Zepto attacks are carried out by spam emails containing the malicious binary. The malware itself is activated by a Javascript code that is placed inside the malicious executable. The encryption process is hidden from the users view. This is extremely dangerous as the ransomware does not provide any indication of its presence and the victims are alerted upon successful encryption.

Like Locky, Zepto also adds a registry entry to the Microsoft Windows systems to ensure that it will autorun upon system start. Zepto follows the behavior of Locky in terms of its infection encryption technique. The files are renamed using the .zepto file extension and like Locky, it deletes all Shadow Volume copies of the victim machine.

As Zepto is a variant of Locky and uses the same ciphers and techniques, there is no public decryptor available yet.

Major Zepto attacks were carried out against individual users and companies in June this year.

Locky and Zepto Are Part of Every Hacker Arsenal

The Locky and Zepto ransomware have spawned numerous discussions and analyses by both security vendors and their customers. Their popularity has urged the criminal developers to include them in exploit kits and add new features that add even more damage potential.

The newer Locky variants can infect users by DLL files, which makes it harder to detect by security software. Custom packers, layers of encryptions and other methods are also among the favorite mechanisms that malicious users utilize against the target victims.

Security researchers estimate that the total number of ransomware damages number 209 million US dollars in the first half of 2016. One of the leading causes of financial losses for many companies and organizations has been the cyber security issues, especially ransomware attacks. Many recent vulnerabilities also allow for malware such as Locky and Zepto to infiltrate target systems or even whole networks.

In August one of the biggest security breaches has occurred at Banner Health, a leading healthcare institution. 3.7 million customers were affected by the intrusion attack. The security analysis revealed that the majority of hospitals often don’t encrypt their sensitive data – patient files, clinical research, financial documents and other critical information.

Ransomware can produce collateral damage against the infected machines that include: modification of system configuration, permissions change, spying on users and even locking them out of their computers. As the ransomware distribution methods continue to expand, so are the dangers of contracting a new strain of Locky or Zepto.

Martin Beltov graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.Martin Beltov graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast, he enjoys writing about the latest threats and mechanisms of intrusion.



  1. It’s so depressing and sad to see ” there is no public decryptor available yet. “. One of my client got infected with the hideous Zepto and all we could do right now is to remove the virus and wait for the best for the decryptor. Hope it’s coming soon enough.

  2. The developers of Locky Ransomware virus has developed Zepto Ransomware. When any victim of this ransomware follow TOR gateway mentioned in _help-Instructions.html (Ransom Note released by Zepto) then they find Locky Decryptor Page. The authors behind this ransomware ask to pay 300 USD in bitcoins after file encryption on victims computer.


Please enter your comment!
Please enter your name here

Read More

Suggested Post