Looks Like Previous Campaigns
This week's Locky / Zepto campaign looks, at least on the surface, much like previous ones we've blocked for our customers and blogged about. It's a new combination of subject, message, attachment type, file naming, etc. Here's a partially-redacted example:
- [Vigor2820 Series] New voice mail message from xxxxxxxxxxx on 2016/09/08 18:50:39
- Message Body
- Dear support : There is a message for you from xxxxxxxxxxx, on 2016/09/08 18:50:39 . You might want to check it when you get a chance.Thanks!
Obviously, the attachment is not a zipped WAV (audio) file. It is a zipped Windows Script File (WSF) that downloads a DLL which, in turn, runs the Zepto / Locky executable and encrypts files on your system, and possibly on other systems on your network.
"xxxxxxxxxxx" is a series of random characters that changes with each email.
No Command & Control Server
What's different about this Locky / Zepto variant is that it no longer needs to communicate with a Command & Control (C&C) server to start the encryption process. It's all done on your local machine, so you can’t defeat it by using your firewall to block communication with known C&C servers.
Instead, the executable generates a random AES key that encrypts your files, and an RSA public key embedded in the executable encrypts that AES key.
The server that receives your ransom payment supposedly has the matching RSA private key that decrypts your unique AES key so you can recover your files.
Don't Whitelist Your Own Domain
Note the envelope FROM address uses the recipient's email domain. This is another example of why it is dangerous to whitelist entire domains, especially your own. Spammers know that's a common practice and take advantage of it. If the recipient had whitelisted their own domain, this dangerous email would have bypassed spam filtering entirely and been delivered.
For more on that topic, see our blog about Whitelisting Dangers.
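As an added example (not the blog's code, nor any vendor's filter), here is a small Python policy implementing the two checks this post argues for: a domain whitelist entry is not honoured for mail whose envelope FROM claims the recipient's own domain unless the message actually came from an internal relay, and zip attachments whose members are Windows Script Files are quarantined. The local domain, relay range, whitelist and sample attachment are constructed assumptions.

```python
import io
import ipaddress
import zipfile

# Constructed policy (assumptions, not the blog's configuration): the local mail
# domain, relays allowed to originate its mail, and a domain-level whitelist that,
# unwisely, includes the local domain itself.
LOCAL_DOMAIN = "example.com"
INTERNAL_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]
DOMAIN_WHITELIST = {"example.com", "trusted-partner.example"}
SCRIPT_EXTENSIONS = (".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta")

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def whitelist_applies(envelope_from: str, rcpt_to: str, source_ip: str) -> bool:
    """True only if a whitelist entry may let this message bypass filtering.
    Mail whose envelope FROM carries the recipient's own domain is trusted only
    if it arrived from an authorized internal relay; internet mail claiming the
    local domain gets no bypass."""
    sender_domain = domain_of(envelope_from)
    if sender_domain not in DOMAIN_WHITELIST:
        return False
    if sender_domain in (LOCAL_DOMAIN, domain_of(rcpt_to)):
        ip = ipaddress.ip_address(source_ip)
        return any(ip in net for net in INTERNAL_RELAYS)
    return True

def risky_archive_members(zip_bytes: bytes) -> list:
    """Zip member names whose extension is a Windows script type (e.g. .wsf)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]

def classify(envelope_from: str, rcpt_to: str, source_ip: str, zip_bytes: bytes) -> str:
    """Routing decision for a message carrying a zip attachment."""
    if whitelist_applies(envelope_from, rcpt_to, source_ip):
        return "deliver"
    if risky_archive_members(zip_bytes):
        return "quarantine"
    return "scan"

def build_sample_zip() -> bytes:
    """Constructed stand-in for the campaign attachment: a zip holding a .wsf
    file name with inert placeholder text, not a real script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("voice_message_xxxxxxxxxxx.wsf", "placeholder, not a script")
    return buf.getvalue()
```

With the whitelist honoured blindly, the spoofed message from an internet address would be delivered; with the relay check it falls through to the attachment inspection and is quarantined.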