Fake Voice Mail Attachment Runs Zepto Locky Ransomware

We're blocking a "Zepto" ransomware campaign that tries to fool the recipient into thinking there's a voice mail in a zipped WAV file attached to the email. Do NOT click on or open the attachment. It's a WSF (Windows Script File) that will download and execute an encrypted EXE file, which will infect your computer with Zepto, a variant of Locky ransomware.

What the Malicious Email Looks Like

Here's a sample of one email in the campaign (with identifying information redacted):

Subject: [Vigor2820 Series] New voice mail message from xxxxxxxxxxx on 2016/08/23 15:55:20

Dear xxxxxx : There is a message for you from xxxxxxxxxxx, on 2016/08/23 15:55:20 . You might want to check it when you get a chance.Thanks!

To help you block it, here are some patterns we detected:

From: voicemail@<recipient domain>

Subject: [Vigor2820 Series] New voice mail message from <11 digits> on 2016/08/23 <spambot time>

Dear <recipient username> :

There is a message for you from <11 digits from subject>, on 2016/08/23 <spambot time> . You might want to check it when you get a chance.Thanks!

Attachment: Message_from_<11 digits from subject>.wav.zip contains <12 digits>.wsf
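As an added example (not part of the original post), the patterns above turned into a small Python classifier that checks the From/To pairing, the subject, the long body phrase and the attachment name, and lists the zip's contents for a .wsf without extracting or running anything. The sample message, the example.com addresses and the inert placeholder .wsf are constructed here for the demonstration.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

# Campaign patterns quoted on the page, as regexes (digits captured to cross-check).
SUBJECT_RE = re.compile(r"^\[Vigor2820 Series\] New voice mail message from (\d{11}) on 2016/08/23 ")
ATTACH_RE = re.compile(r"^Message_from_(\d{11})\.wav\.zip$", re.I)
BODY_RE = re.compile(r"There is a message for you from \d{11}, on 2016/08/23 .+ You might want to check it when you get a chance\.Thanks!")

def classify(raw: bytes) -> list[str]:
    """Return the campaign indicators matched by one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    rcpt_domain = msg.get("To", "").rsplit("@", 1)[-1].strip("> ").lower()
    if msg.get("From", "").strip().lower() == f"voicemail@{rcpt_domain}":
        hits.append("from:spoofs-recipient-domain")  # the spoof the SPF tip targets
    m = SUBJECT_RE.match(msg.get("Subject", ""))
    if m:
        hits.append("subject:vigor2820-voicemail")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and BODY_RE.search(body.get_content()):
        hits.append("body:long-phrase")  # long phrase, not merely "voice mail"
    for part in msg.iter_attachments():
        am = ATTACH_RE.match(part.get_filename() or "")
        if not am:
            continue
        hits.append("attachment:wav.zip")
        if m and am.group(1) == m.group(1):
            hits.append("attachment:digits-match-subject")
        try:  # read the zip listing only; nothing is extracted or executed
            with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                if any(n.lower().endswith(".wsf") for n in zf.namelist()):
                    hits.append("zip:contains-wsf")
        except zipfile.BadZipFile:
            hits.append("zip:unreadable")
    return hits

def build_sample() -> bytes:
    """Constructed lookalike of the campaign email; the .wsf is an inert placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("123456789012.wsf", "<!-- placeholder, not the real script -->")
    msg = EmailMessage()
    msg["From"], msg["To"] = "voicemail@example.com", "alice@example.com"
    msg["Subject"] = "[Vigor2820 Series] New voice mail message from 15551234567 on 2016/08/23 15:55:20"
    msg.set_content("Dear alice : There is a message for you from 15551234567, on 2016/08/23 15:55:20 . You might want to check it when you get a chance.Thanks!")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Message_from_15551234567.wav.zip")
    return msg.as_bytes()
```

Each indicator is scored separately so a filter can require several together, which is what keeps a generic "voice mail" match from producing false positives.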

Tips on Blocking this Zepto Ransomware

Depending on the sophistication of your antispam system, you can block this Zepto ransomware campaign in several ways. Using more than one is usually a good idea, as layered defenses help you block future variations.

Blacklist the Sending IP Address

We're blocking the IPs that are sending out this campaign, as they are almost certainly being controlled by the spammers.

Add Content Filters

Adding a "content filter" that identifies the attachment can help block it and future variants. We have several content filters in place just for this campaign.

Add Phrase Filters

We've also added a complex phrase filter that identifies the campaign based on the message text itself. This is a good example of why long-phrase filtering is a good idea. You do NOT want to merely block anything that has "voice mail" in the subject or message, as that would produce many false positives. Our phrase filter lets us identify long phrases, and variations on them, that we know appear only in spam like this.

Use SPF Checking

This campaign tries to look legitimate by spoofing the recipient's domain, so the email appears to come from voicemail@<yourdomain>. To help prevent such "spoofing", you can publish SPF records that identify the valid sending servers for your outgoing email and enable SPF checking in your antispam system. However, you may want to flag messages that fail SPF as suspicious rather than block them outright if some people in your company send email from outside the office and you are not using a SaaS email system, because they might, for example, end up sending from their home IP address.

This is also a great example of why you should never whitelist your own domain. Dangerous campaigns like this one would bypass spam filtering entirely.

Traditional Antispam / AntiVirus Leaves You Vulnerable

Systems relying on traditional antivirus scanning and locally installed antispam systems would be highly vulnerable to this attack. According to VirusTotal, as of about noon today (ET), only 5 out of 55 antivirus scanning engines were recognizing the attached WSF file as malicious, and only 9 out of 56 were detecting the Zepto executable. That was hours after the outbreak. SaaS antispam with professional live threat analysis, like SpamStopsHere, provides far better threat protection.