A dangerous new ransomware variant based on the Locky ransomware has security experts worried.
The Zepto malware has been carried in nearly 140,000 spam messages sent over four days last week.
The ransomware appears to have Locky's capabilities which could make it one of the more dangerous encryption lockers in circulation.
Cisco malware researcher Warren Mercer says the team found 3305 unique samples among the spam haul.
"[Spamming operations] began Monday 27 June with approximately 4000 emails being caught within our email security appliances," Mercer says.
"The user was tricked with various subject lines as shown below and with various sender profiles such as 'CEO' or 'VP of Sales' to further encourage the user.
"The body of the emails were generally urging the user to look at their 'requested' documentation."
An example phishing email.
Attached malicious zip files were cleverly named based on the victim's email address, an underscore, and a random number.
The attack is new malware on an old vector, Mercer says, one that is gaining momentum.
"Our adversaries do not care as to what they destroy or ransom from you, they simply care about … payment."
Locky is a dangerous as-yet unbroken ransomware that helped the authors of the Nuclear exploit kit to score US$12 million in revenue from 1.8 million attacks cast over one month.
Monthly income for developers sits around US$100,000.
He warns businesses to keep backups of all critical data. Those should be offline or otherwise not readily accessible from machines which may be at risk from ransomware infection.
Talos has uploaded the indicator of compromise hashes for the benefit of security admins. ®