What is Zepto ransomware?

Zepto ransomware is nearly identical to Locky ransomware. To execute cyber security threats, Zepto ransomware operators rely on a combination of social engineering and phishing techniques. Originally observed in 2016, the Zepto ransomware operators have since evolved their tools and techniques.

Why it matters

From a business perspective, these ransomware operators ultimately aim to sell businesses their decryption tools. The hackers encrypt the computers, and they try to sell you tools for decryption.

However, experts assert that decryption isn’t a given. The ransomware operators may accept payments without actually providing promised decryption tools.

Technical details

Cyber adversaries push Zepto ransomware to users by sending malicious Zip archives and .docm files attached to spam emails. Zip archives include a Javascript file that looks similar to a regular text-based document. Upon executing, the ransomware downloads as a Windows executable (.exe) and runs on the machine. However, it only works if a victim’s macros within MS Word are enabled.

How it works

After gaining access to a system, Zepto uses asymmetric cryptography to encrypt files. Files are renamed in the following format: “[8_digit_hexadecimal_number]- [4_digit_hexadecimal_number]-[4_digit_hexadecimal_number]-[4_digit_hexadecimal_number]-[12_digit_hexadecimal_number].zepto”. For instance, “example.jpg” might be renamed as “GR3D5870-2AT9-1DDG-7Q9B-D5F29B67299P.zepto”

Upon effective encryption, Zepto produces a PMP file and an HTML file, which contain identical information informing users of encryption.

Zepto relies on an asymmetric encryption algorithm and consequently, both public encryption and private decryption keys created during the encryption lifecycle. The private key ‘lives’ on remote servers accessible to cyber criminals. Entities cannot decrypt without this key. Knowing this, cyber criminals may attempt to sell a decryption tool with an embedded private key. Removal of Zepto ransomware is colloquially described as “not too complicated,” comparatively.

What else

Zepto ransomware not only shares similarities with Locky. Hundreds of other ransomware-type computer infections manifest with similar characteristics. Examples include Cerber, CryptoWall and CTB-Locker. The distinctive element amidst these assorted viruses is the dollar amount requested in ransom payment.

Threat prevention and Zepto

Zepto ransomware operators ask for payments in Bitcoin. The operators send payment instructions via a Tor network URL. The URL directs users to a site identical to Locky’s. Despite ransom payments, research shows that most cyber criminals ignore victims.

Payment delivered to the Zepto ransomware operators may not result in restoration of files. Rather, organizations should ensure that they maintain a strong system and file backup system, and should attempt to restore from backups. At present, no tools exist to decrypt files compromised by Zepto.


Zepto highlights the importance of pursuing a multi-layered approach to cyber security. The authors use social engineering tactics, underscoring the need for employee cyber security education and awareness. At the same time, the email-based threat emphasizes the need for strong email security solutions. And again, ransomware threats, in general, highlight the need for a robust data backup system.

For more information about winning the fight against ransomware, see this CyberTalk.org article. Lastly, please join us for the premiere cyber security event of the year, CPX 360 2022. Register here.