Zepto ransomware is a fairly new strain of malware, that of late has undergone a notable spike in malicious activities. Security researchers note that the ransomware spam campaign, which has several similarities to Locky, has surged, distributing over 130,000 spam emails with malicious attachments in a little under four days.

Researchers at security firm Cisco Talos observed that the ransomware spam campaign began using a new naming convention ("swift [XXX|XXXX].js") on 27 June. Researchers also uncovered 3,305 unique javascript samples following the new naming convention, which used a compressed .zip file. Around 4,000 emails were detected by the firm, which then began escalating over the coming few days.

Cisco Talos security researcher Warren Mercer said in a company blog: "The body of the emails were generally urging the user to look at their "requested" documentation. The name of the attached .zip file is created by combining the username in the 'To' email address header, an underscore, plus a random number."

Researchers also pointed out the email body had been designed specifically to include common salutations like "Dear" and "Hello". However the body of the emails underwent a few customised changes through the timeline of the attacks and varied between using subject headers like "report", "new invoice", "financial report", "documents copy" and others.

Locky variant Zepto ransomware spam campaign surges with over 137,000 emails in just 4 days
Zepto ransomware also shares several technical similarities with the Locky ransomware iStock

Zepto ransomware also shares several technical similarities with the Locky ransomware, both of whom use similar RSA encryption keys, use the same types of files to infect systems and also have similarities in the ransom text delivered to victims.

Mercer told SCMagazine that the ransomware "specifically attempts to hold the end user at ransom for payment in Bitcoin" and can be considered "a serious threat as there is no viable method of decrypting the information."

Cisco Talos predicted, "The email attack vector will continue to be used as email is an everyday occurrence now and the ability to generate large lists of emails for spam campaigns like this is growing easier. The breaches which occur include email data which is actively sold to bidders on the underground for this type of campaign." The firm also advised users to proceed with caution when dealing with email attachments so as to avoid falling victim to such spam campaigns.