Over the past week or so, a new distribution campaign for the Locky variant dubbed the Zepto Ransomware has been underway. Previously, the Zepto Ransomware installer was being distributed using zipped JS files. Now the installers are being sent as zipped WSF files in emails that pretend to be banking reports, invoices, or shipping information.

Email containing a Zepto Installer

WSF files, or Windows Script Files, are files that are executed by the Windows Script Host and can contain code using multiple languages in the same file. For example, a WSF file may contain both JScript and VBScript code. Though the Zepto campaign is using WSF files, the attachments I have seen are still only using JScript code to download and install the ransomware.
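A defender-side check for the delivery method described above, as an added example that is not from the original article: it lists script files inside a zip attachment and reports which script languages a WSF file declares. The function names, file names and sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Extensions the article names as Zepto installer formats (zipped JS, then zipped WSF).
SCRIPT_EXTS = (".wsf", ".js")

# WSF is XML-like but Windows Script Host parses it loosely, so match tags with a
# tolerant regex instead of a strict XML parser.
SCRIPT_TAG = re.compile(rb"<script\b[^>]*?\blanguage\s*=\s*[\"']?([\w.]+)", re.I)

def wsf_languages(content: bytes) -> list:
    """Return the sorted, de-duplicated script languages declared in a WSF file."""
    return sorted({m.decode("ascii", "replace").lower() for m in SCRIPT_TAG.findall(content)})

def scan_zip_attachment(data: bytes) -> list:
    """List script-host files inside a zip attachment, with WSF languages."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip: nothing to report
    with archive:
        for info in archive.infolist():
            name = info.filename.lower()
            if not name.endswith(SCRIPT_EXTS):
                continue
            languages = []
            # Bit 0 of flag_bits marks an encrypted member, which cannot be read here.
            if name.endswith(".wsf") and not (info.flag_bits & 0x1):
                languages = wsf_languages(archive.read(info))
            findings.append({"name": info.filename, "languages": languages})
    return findings

def build_sample_zip() -> bytes:
    """Constructed, benign sample: a WSF with JScript and VBScript blocks plus a PDF."""
    wsf = (b'<job id="demo">\n'
           b'<script language="JScript">var a = 1;</script>\n'
           b'<script language="VBScript">Dim b</script>\n'
           b'</job>\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice_0001.wsf", wsf)
        z.writestr("readme.pdf", b"%PDF-1.4 constructed")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_zip_attachment(build_sample_zip()):
        print(finding)
```

A mail gateway or triage script could quarantine any message whose attachment produces a non-empty result, since business reports and invoices have no reason to arrive as Windows Script Host files.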

Once the ransomware has been installed, it will encrypt all of your data files and rename them so that the original names are no longer recognizable and each file carries the .zepto extension. An example of an encrypted folder can be seen below.

Zepto Encrypted Folder

Unfortunately, at this time there is still no way to decrypt a Zepto/Locky encrypted folder for free.