Klepto Zepto could steal millions in looming ransomware wave

A dangerous new ransomware variant based on the Locky ransomware has security experts worried. The Zepto malware has been carried in nearly 140,000 spam messages sent over four days last week. The ransomware appears to share Locky's capabilities, which could make it one of the more dangerous encryption lockers in circulation. …

  1. Pascal Monett Silver badge
    Facepalm

    "look at their 'requested' documentation"

    I just cannot understand why people open such mail. It is almost as if whatever the computer screen tells them to do becomes compulsory.

    Engage brain, people! If you haven't asked for anything, it's a trap. If you have asked for something but the mail doesn't come from the entity you asked, it's a trap. If it says Microsoft needs some information from you but the email comes from Gmail, it's a trap.

    Basically put: if it comes from someone you don't know, it's a trap. If it comes from someone you do know, it could still be a trap.

    This is going to get uglier before it gets better.

    1. Anonymous Coward
      Anonymous Coward

      Re: "look at their 'requested' documentation"

      While I agree with you, a lot of people treat computers like a fridge: they don't know or care how it works.

      It's a throwaway thing and they rely on the provider (hardware/software/ISP) to protect them.

      It's all about education (RTFM), but most users, I suggest, cannot be bothered.

      The internet miscreants know this.

      As an aside, it would have been useful for El Reg to identify the OSes affected.

      1. TwistUrCapBack

        Re: "look at their 'requested' documentation"

        "identify the OSes affected."

        Have a guess !!

      2. James O'Shea Silver badge

        Re: "look at their 'requested' documentation"

        "As an aside, it would have been useful for El Reg to identify the OSes affected."

        From the vid, it appears to work quite well on machines running WinXP. (Hint: 'C:\Documents and Settings')

    2. Baldy50

      Re: "look at their 'requested' documentation"

      Sandboxing! As only the permissions necessary are given to the program or script running?

      Compulsory on all office machines etc...

      A problem is that an email with something funny, interesting or relating to an important part of someone's life usually gets forwarded, yes?

      The way forward is more hardened browsers with the ability to scan any attached document, pictures, whatever.

      AV scanner built in to your browser?

      1. Charles 9 Silver badge

        Re: "look at their 'requested' documentation"

        Build a sandbox, someone builds a breakout exploit. Use least privilege, someone finds a way to escalate the privilege by exploiting something that routinely uses the high privilege.

      2. Charles 9 Silver badge

        Re: "look at their 'requested' documentation"

        As for inserting a scanner into the browser, what's to stop someone finding an exploit in IT? Who watches the watchers and all that?

    3. a_yank_lurker Silver badge

      Re: "look at their 'requested' documentation"

      Part of the problem is one will get valid emails with valid, unexpected attachments (say a screenshot) often enough that verifying each attachment will be a tedious, irritating pain. Thus, a crafty malware writer will take advantage of the fact people do not have the time to check each and every attachment with each and every sender. So they count on something that looks plausibly legitimate at quick glance to be opened (say an email supposedly from HR).

      Devising an effective training plan is difficult when one might get 1 malware attachment in maybe 1000+ attachments.

      1. Palpy

        This: "one might get 1 malware attachment" --

        -- "in maybe 1000+ attachments."

        I get the usual load of emails from industrial vendors, many with attachments or with links. I open very few of them, but now and then one topic is relevant and important enough for me to take a look. And yes, our installation is constrained to pure Windows. My single operable synapse does prompt me to look at file extensions with a skeptical glare, but one can make mistakes. I could probably be spearphished by persistent parties, eventually.

        And the IT department of our parent institution (local government) has just lost its sole remaining network specialist. Directors rotate through like Cheez-Puffs on a lazy susan. Demoralized personnel, chronically short staff -- it's tough times. AFAIK, we have not yet suffered a major breach. My pessimistic nature thinks it's just a matter of time.

        Anyone else in a similar situation, raise your hand?

    4. TaabuTheCat
      Angel

      Re: "look at their 'requested' documentation"

      Why do they open it? Closure - that incredible human *need* to tie up loose ends.

      You've just handed me a wrapped up box with my name on it that could have something REALLY IMPORTANT in it, and you're asking me to just throw it away?? But then I'll never know if it WAS something important. No closure.

      That's why this behavior is so incredibly difficult, if not impossible, to stop.

      1. waldo kitty
        Facepalm

        Re: "look at their 'requested' documentation"

        You've just handed me a wrapped up box with my name on it that could have something REALLY IMPORTANT in it, and you're asking me to just throw it away?? But then I'll never know if it WAS something important. No closure.

        so open it but let me get far away first... when it goes "BOOM!" you'll have your "closure"... Daesh is watching... sooner or later, you will be the suicide bomber instead of their people and all because you just had to open that pretty package they sent you...

  2. Anonymous Coward
    Anonymous Coward

    Let me guess..

    .. it's a risk to machines running Windows?

    Well, yes, nothing new here. Plus ça change.

    I have an idea. If it's considered entirely sane to tax media on the off chance that someone commits piracy with them, instead of being smart about it and using the Internet, why can't we tax Windows-equipped computers and fund some task force that can go after these people across borders?

    Why should others suffer because Microsoft can only TALK about security but never actually DO anything, as witnessed by their software, patch after patch after Service Pack after *cough* "up"date *cough*? Your Windows ownership costs should include the cost of compensating others for being part of a botnet and shovelling spam, malware or DDoS at others, because that seems to be an almost inevitable consequence.

    1. Charles 9 Silver badge

      Re: Let me guess..

      How do you tackle people across borders when they're protected by sovereignty?

      1. Anonymous Coward
        Anonymous Coward

        Re: Let me guess..

        "How do you tackle people across borders when they're protected by sovereignty?"

        Doesn't seem to be an issue tackling ISIS. (Not the routing daemon, but that doesn't run on Windows either)

        1. Charles 9 Silver badge

          Re: Let me guess..

          "Doesn't seem to be an issue tackling ISIS. (Not the routing daemon, but that doesn't run on Windows either)"

          They're in a physical warzone, plus we've got the permission of the neighbors AND they don't have nukes. It's a different situation from, say, nailing a cybercrim that's secretly being backed by the Russian state (who DOES have nukes).

    2. Wade Burchette
      FAIL

      Re: Let me guess..

      Your idea makes sense because Linux never needs to be patched and OS X never needs patching. They are perfect and if everyone used them, there would never be malware.

      Give me a break. Any complex program created by imperfect humans is going to have flaws. They use social engineering to trick people and they write the malware for the OS most people use. The weakest part of any computer security is the user. If OS X was the most popular operating system then that is what the malware creators would go after. 1% of 1 billion is higher than 50% of 1 million. You target where the people are, not what is the least secure.

    3. Anonymous Coward
      Anonymous Coward

      Re: Let me guess..

      "Why should others suffer because Microsoft can only TALK about security but never actually DO anything, as witnessed by their software, patch after patch after Service Pack after *cough* "up"date *cough*? Your Windows ownership costs should include the cost of compensating others for being part of a botnet and shovelling spam, malware or DDoS at others, because that seems to be an almost inevitable consequence."

      I would settle for a PC that does today what it was doing yesterday before being shutdown. At this very second, I couldn't care less about it being secure, just that it worked. Windows POS.

      1. waldo kitty
        Trollface

        Re: Let me guess..

        I would settle for a PC that does today what it was doing yesterday before being shutdown.

        do you mean when it was hijacking and encrypting your files before demanding ransom? ;)

  3. Shadow Systems Silver badge

    If it's corporate then the minions don't care.

    The minions sitting at their desks & doing the mindless daily drudge to earn their honest dollar aren't PAID to think about security, so they don't think about security, & will blithely click that trojan-laden phishing email that appears to be from some random Nigerian Prince with an invoice attached.

    It's not their personal computer, it's not their personal data, & it doesn't come out of their hides if the email hoses the network. Since they're not paid to think then they aren't going to think. You want them to give a fuck about security then you have to PAY them enough to care. But the minions at the bottom that get paid fuck-all to do the stuff from the bottom of the corporate barrel? They don't get paid enough to care so they won't & thus your network ultimately depends on folks you refuse to pay or treat very well. Vicious cycle isn't it?

    You can have your NetAdmins lock down the infrastructure to the point where it's totally secure, but that involves turning everything off, encasing each computer in concrete, & sinking it in the Marianas Trench. If the Admins loosen the noose enough so your employees can actually Get Shit Done then that loosened noose is loose enough to hang you with. Trying to find the razor-thin balancing point between enough security so they can function & enough to protect corporate assets is such a daily grind in-&-of-itself that your Admins may throw up their hands & give up in frustration.

    So the people at the bottom that open the most email & thus put you at the greatest risk of getting fucked over are the very same people you pay the least, treat the worst, & consider as mere cogs to be outsourced to some Third-World-Hell-hole so you can give yourselves another couple of million boost to your already fat pockets. Yeah, that seems to be doing well doesn't it?

    1. Anonymous Coward
      Anonymous Coward

      Re: If it's corporate then the minions don't care.

      "It's not their personal computer, it's not their personal data, & it doesn't come out of their hides if the email hoses the network."

      Isn't it SOP that the sop that started the infection gets the liability, is likely fired, and may be referred to the police on negligence charges if the situation's bad enough? I would think threat of termination in and of itself would provide quite the stick.

      1. This post has been deleted by its author

        1. a_yank_lurker Silver badge

          Re: If it's corporate then the minions don't care.

          Those at the bottom are generally treated as completely replaceable drones and they know it. They and several levels above them also know they are likely to be the scapegoats if any are needed. Whether any of them did anything wrong is irrelevant; they know they will be shit-canned if the PHB and buddies need to protect themselves.

          1. Charles 9 Silver badge

            Re: If it's corporate then the minions don't care.

            But such a hostile environment invites ship-jumping, which may not be desirable since they could take secrets with them, which they'd have sod all ability to block.

      2. Anonymous Coward
        Anonymous Coward

        Re: If it's corporate then the minions don't care.

        " I would think threat of termination in and of itself would provide quite the stick"

        Ahh, yes, but then, you probably have a good job, unlike hordes of min wagers.

        I would put my 2-bitcoin ransom in the "head on a pole" box.

  4. Anonymous Coward
    Anonymous Coward

    New starter at work today decided to log in to webmail from their outgoing company, downloaded and opened a .docm file from an unsolicited email pretending to be a scanner, which has infected our file shares with this virus.

    Watch out.

    1. Anonymous Coward
      Anonymous Coward

      Why would someone thumbs-down my post? Talk about lack of empathy for a fellow IT man in the trenches.
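Two heuristics from this thread, the "says Microsoft but comes from Gmail" sender rule in the first comment and the macro-enabled .docm "scanner" attachment described in the post above, can be turned into mail-gateway triage. The Python below is an added illustration, not code from The Register, from any commenter, or from any product; the message, addresses, domains and the minimal .docm container are all constructed inline, and the brand and freemail lists are assumptions a site would replace with its own.

```python
"""Mail-gateway triage for two red flags from the thread: a display name
that claims one organisation while the address sits at a free webmail
domain, and an Office attachment that carries a VBA macro project.

Added illustration; nothing here is The Register's or any product's code.
All sample data is constructed inline so the script runs offline."""

import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Office extensions that open with macros enabled (assumed list, extend as needed).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
# Free webmail domains: a corporate brand in the display name plus one of
# these in the address is the "Microsoft but from Gmail" case (assumed list).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Words a lure borrows for its display name (assumed; a site would use its own vendors).
IMPERSONATED_BRANDS = {"microsoft", "hr", "scanner", "invoice", "payroll"}


def sender_mismatch(msg):
    """Return a finding string when From/Reply-To look inconsistent, else None."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    tokens = set(name.lower().replace('"', "").split())
    if domain in FREEMAIL_DOMAINS and tokens & IMPERSONATED_BRANDS:
        return f"display name {name!r} but address at {domain}"
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        return f"Reply-To {reply_to} differs from From domain {domain}"
    return None


def has_vba_project(blob):
    """True if an OOXML (zip) payload contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container at all, so no OOXML macro part


def attachment_findings(msg):
    """Flag macro-enabled extensions and, independently, embedded VBA projects."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rpartition(".")[2].lower()) if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        if ext in MACRO_EXTENSIONS:
            findings.append(f"{name}: macro-enabled extension")
        if has_vba_project(payload):  # catches a .docm renamed to .docx too
            findings.append(f"{name}: contains vbaProject.bin")
    return findings


def triage(raw):
    """Parse one RFC 5322 message and return the list of findings (empty if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = attachment_findings(msg)
    mismatch = sender_mismatch(msg)
    if mismatch:
        findings.insert(0, "sender: " + mismatch)
    return findings


def build_docm(with_macro=True):
    """Constructed minimal OOXML container; real .docm files carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\0" * 16)
    return buf.getvalue()


def build_sample(from_header, filename, blob):
    """Constructed sample message imitating the 'scanned document' lure."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "newstarter@example.org"
    msg["Subject"] = "Scanned document"
    msg.set_content("Please see the attached scan.")
    msg.add_attachment(blob, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_sample('"Microsoft Support" <scan12345@gmail.com>', "scan_0231.docm", build_docm())
    for finding in triage(lure):
        print(finding)
```

The two attachment checks are deliberately independent: the extension test is what a user sees, while the zip inspection catches the same VBA project hiding behind a renamed .docx, which is the kind of mistake the comments above say even careful people make.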

  5. Aodhhan Bronze badge

    Just goes back to the old saying...

    Whenever you provide defense in depth in order to make security idiot-proof, someone builds a better idiot.

    Yes yes, thank you all for the obvious, "lock down the system". A little hard to lock down a system to where a user doesn't have any privileges on the system or their own file system.

    In a corporation or business which only provides cybersecurity training once a year, approximately 20% of users will still open the email.

Biting the hand that feeds IT © 1998–2019