What the Malicious Email Looks Like
Here's a sample of one email in the campaign (with identifying information redacted):
Subject: [Vigor2820 Series] New voice mail message from xxxxxxxxxxx on 2016/08/23 15:55:20
Dear xxxxxx : There is a message for you from xxxxxxxxxxx, on 2016/08/23 15:55:20 . You might want to check it when you get a chance.Thanks!
To help you block it, here are some patterns we detected:
From: voicemail@<recipient domain>
Subject: [Vigor2820 Series] New voice mail message from <11 digits> on 2016/08/23 <spambot time>
Dear <recipient username> :
There is a message for you from <11 digits from subject>, on 2016/08/23 <spambot time> . You might want to check it when you get a chance.Thanks!
Attachment: Message_from_<11 digits from subject>.wav.zip contains <12 digits>.wsf
Tips on Blocking this Zepto Ransomware
Depending on the sophistication of your antispam system, you can block this Zepto Ransomware campaign in several ways. Using more than one is usually a good idea, since multiple defenses also help you block future variations.
- Blacklist the Sending IP Address
  - We're blocking the IPs that are sending out this campaign, as they are almost surely being controlled by the spammers.
- Add Content Filters
  - Adding a "content filter" to identify the attachment can help block it and future variants. We have several content filters in place just for this campaign.
- Add Phrase Filters
  - We've also added a complex phrase filter that identifies the campaign based on the message itself. This is a good example of why long-phrase filtering is a good idea. You do NOT want to merely block anything that has "voice mail" in the subject or message, as that would produce many false positives. Our phrase filter lets us identify long phrases, and variations on them, that we know appear only in spam like this.
- Use SPF Checking
  - This campaign tries to look legitimate by spoofing the recipient's domain, so the email appears to come from voicemail@<yourdomain>. To help prevent such "spoofing", you can publish SPF records that identify the valid sending servers for your outgoing email and enable SPF checking in your antispam system. However, you might want to flag emails that fail SPF checking as suspicious (rather than block them outright) if some people in your company send email from outside the office and you are not using a SaaS email system, because they might, for example, end up sending from their home IP address.
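The patterns listed above and the filter tips in this section can be turned into a single classifier. The script below is an added example written for this post, not SpamStopsHere's own filter code: it builds a constructed reproduction of the redacted campaign message (sample addresses at example.com, a placeholder zip containing a 12-digit .wsf name with no script inside), then applies a subject template, a long-phrase body filter, an attachment-name check that also looks inside the zip, and a spoof check that only fires when the From domain equals the recipient's domain and no Authentication-Results header (assumed to be stamped by your own MTA) records spf=pass. A spoof hit on its own only marks the mail suspicious, in line with the SPF tip; two or more content indicators block it.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Templates from the patterns listed above; the 11-digit number and time vary.
SUBJECT_RE = re.compile(
    r"^\[Vigor2820 Series\] New voice mail message from (\d{11}) on "
    r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}$")
# Long-phrase filter: the whole sentence pair, not merely "voice mail".
BODY_RE = re.compile(
    r"There is a message for you from (\d{11}), on \d{4}/\d{2}/\d{2} "
    r"\d{2}:\d{2}:\d{2} \. You might want to check it when you get a chance\.Thanks!")
ATTACHMENT_RE = re.compile(r"^Message_from_(\d{11})\.wav\.zip$")
INNER_RE = re.compile(r"^\d{12}\.wsf$")

def _domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def _spf_passed(msg):
    """True only if an Authentication-Results header (assumed to be stamped by
    your own MTA) records spf=pass; missing or failing counts as not passed."""
    return any("spf=pass" in str(v).lower()
               for v in msg.get_all("Authentication-Results", []))

def classify(raw):
    """Score one raw RFC 5322 message; returns (verdict, reasons)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []

    subj = SUBJECT_RE.match(str(msg.get("Subject", "")))
    if subj:
        reasons.append("subject matches campaign template")

    body = msg.get_body(preferencelist=("plain",))
    phrase = BODY_RE.search(body.get_content() if body else "")
    if phrase:
        reasons.append("body matches long-phrase filter")
    if subj and phrase and subj.group(1) == phrase.group(1):
        reasons.append("number in body matches number in subject")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not ATTACHMENT_RE.match(name):
            continue
        reasons.append("attachment name matches template: " + name)
        try:  # look inside the archive for the 12-digit .wsf script
            with zipfile.ZipFile(io.BytesIO(part.get_content())) as zf:
                if any(INNER_RE.match(n) for n in zf.namelist()):
                    reasons.append("zip contains a 12-digit .wsf script")
        except zipfile.BadZipFile:
            reasons.append("attachment is not a valid zip")

    # Spoof check: From claims the recipient's own domain but SPF did not pass.
    # On its own this only flags the mail, as the SPF tip above recommends.
    spoof = _domain(msg.get("From")) == _domain(msg.get("To")) and not _spf_passed(msg)
    if spoof:
        reasons.append("From spoofs recipient domain without SPF pass")

    content_hits = len(reasons) - (1 if spoof else 0)
    if content_hits >= 2:
        return "block", reasons
    return ("suspicious" if reasons else "clean"), reasons

def build_sample():
    """Constructed reproduction of the redacted campaign message (not a capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("123456789012.wsf", "constructed placeholder, not a real script")
    msg = EmailMessage()
    msg["From"] = "voicemail@example.com"  # spoofs the recipient's own domain
    msg["To"] = "jdoe@example.com"
    msg["Subject"] = ("[Vigor2820 Series] New voice mail message from "
                      "12345678901 on 2016/08/23 15:55:20")
    msg.set_content("Dear jdoe : There is a message for you from 12345678901, on "
                    "2016/08/23 15:55:20 . You might want to check it when you get "
                    "a chance.Thanks!")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Message_from_12345678901.wav.zip")
    return msg.as_bytes()

def build_benign(spf_pass=True):
    """Constructed internal notice; with spf_pass=False only the spoof check trips."""
    msg = EmailMessage()
    msg["From"] = "helpdesk@example.com"
    msg["To"] = "jdoe@example.com"
    if spf_pass:
        msg["Authentication-Results"] = "mx.example.com; spf=pass smtp.mailfrom=example.com"
    msg["Subject"] = "Voice mail system maintenance tonight"
    msg.set_content("Hi, the voice mail system will be down from 22:00 to 23:00.")
    return msg.as_bytes()
```

Calling classify(build_sample()) returns "block" with every indicator listed, while classify(build_benign()) returns "clean" even though its subject contains "voice mail", which is the false-positive case the phrase-filter tip warns about. Feeding real mail in means handing classify() the raw bytes of each message from your MTA's milter or quarantine hook and deciding what "block" and "suspicious" map to in that system.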
Traditional Antispam / AntiVirus Leaves You Vulnerable
Systems relying on traditional antivirus scanning and installed antispam systems would be highly vulnerable to this attack. According to VirusTotal, as of about noon today (ET), only 5 out of 55 antivirus scanning engines recognized the attached WSF file as malicious, and only 9 out of 56 detected the Zepto executable. That was hours after the outbreak. SaaS antispam with professional live threat analysis, like SpamStopsHere, provides far better threat protection.