Solved

Ecryped with Zepto Ransomware

Posted on 2016-07-17
12
214 Views
Last Modified: 2016-08-02
Had a call on Friday regarding a PC or Pc's that are infected with Zepto ransoware.

The problem started with one of the tills "going down" and not working as it should so they called
the people who look after the specialized till software who came in remotely to a PC which they
look after and acts as a serverfor their software. After looking around in one of their system folders
they found an html file called _1_HELP_instructions.html. They must have then opened this which
then displays the standard all of your files are encrypted etc. In the folder there are also 3 files with a
zepto extension which may jut be word documents and may not affect how the program works.

They then said that this is why it wasn't working properly and this type of infection is probably caused by an email. The pc in question isn't used for anything else apart from running this softare and linking to the tills. There is no email account on it.

In the same room there is another pc that does use email. This is by the look of it also affected with the Zepto as all the word documents have the html file and the .zepo extension.

It is obviously infected but this pc has Norton3 60 Premier on it so if the user had opened an infected email wouldn't this have stopped it.

I called in yesterday to have a look and have run  full Norton scan and also malwarebytes but
it comes back clean.

I have also looked at the Norton logs on the day in question - I was told the problem started around 11am on the 15th of July but there doesn't appear to be any infections for that day.


I Suspect that this pc has infected the other that is at least what the sofware people are suggesting.

Would it be possible to spread in this way.

Any thoughts or suggestions would be welcome
0
Comment
Question by:floyd197
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 2
  • +1
12 Comments
 
LVL 95

Accepted Solution

by:
John Hurst earned 500 total points
ID: 41715760
If the computers are on a network (and probably are), then, yes, this is how it spreads.

You need to scan all machines with your own AV and then with Malwarebytes to remove the virus.
Then you must restore documents from backups.
0
 

Author Comment

by:floyd197
ID: 41715765
They are all networked. I have scaned the machines in question and the are coming back clean.

Obviously the damage has been done but if no infections are founds is it safe to say the
PCs are clean

Thanks
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 41715767
The crypto virus in general encrypts the files and then goes away. So if the scans come back clean (including Malwarebytes) then you are probably OK. We cannot say with 100% certainty.

Keep a good backup of everything away from your network and go back into operation.

If it quickly occurs again, then format your machines and reinstall Windows.
0
MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

 

Author Comment

by:floyd197
ID: 41715769
Always a difficut one to answer but should Norton 360 have prevented this
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 41715770
The crypto stuff (the new ones) seem to be able to evade AV. That is why they are so common.
0
 

Author Comment

by:floyd197
ID: 41715774
Will speak to the user tomorrow but Would this generally be caused by opening
an attachment not just clicking on an email
0
 
LVL 88

Expert Comment

by:rindi
ID: 41715792
I don't regard any norton/symantec stuff to be reliable in any way, so I'm not in the least surprised that it didn't the infection. But even a lot of reliable AV tools won't be able to detect ransomware, particularly if it is a new strain. You must be aware that those who create those things are always ahead of the AV tools. All they can do is react when something new has been discovered.

Most ransomware starts when you open an attachment from an email, which then starts a macro or script, or it can also start if you visit an infected website.

It doesn't automatically infect other PC on the LAN, but many can encrypt files that are on the LAN. Or for example if a file that is infected by the virus is saved on the server, and then opened by another PC, then this other PC will also get infected and start encrypting. So that is likely what happened on the PC that isn't used for email.

The only effective way you can avoid such stuff is user education, never use accounts with admin rights, do application whitelisting (only programs that have been OK'd can be executed), disable the execution of macro's, etc. And of course make sure you have a good backup strategy (that of course is necessary anyway, not just to protect against viruses).
1
 
LVL 7

Expert Comment

by:Fouad Maidine
ID: 41715811
Zepto is a variant or a mutation of locky ransomware , it has the same code base , just a different extention and uses different domains for the c2 server and they changed the signature of the binary to evade AV engines

Its very easy to avoid Av engines , im not an expert in malware Analysis but just to show you how simple it is to avoid AV'S:

Once i tried Hex-editing a virus , and sending it to the Metadefender cloud scanner(it scans with 41 different av's just to see how these various AV's React to simple things) , guess what happend detection rate droped just by editing a one to a 0 .

I puted it in a Zip folder , Changed the extension name , and puted it in another zip folder(since most av's scans zip so ... i guessed they would detect this ?) , more then half of the anti viruses cant detect it

This is simple stuff , Malware editors use way more complicated things , polymorphic or encrypted code segments are the norm nowadays ... ,Only Antivirus'es that can monitor Behavior , and do heuristic analysis can catch this ...and no md5 or sha1 do not catch mutation ,and its not just about catching system calls ...

Norton being popular and widely used its the ideal target of most hackers out there so they will make sure before deploying it it avoids detection .

If you still didnt Nuke with 0's and re image that PC , you could send an infected piece to the Meta scan web site ( scans with 4x well known antivirus engines and you could see how different anti virus react to this

as to your question Perhaps a document carrying that payload was opened on the pc not using email ? or maybe some shared folder ?  

Maybe you can talk to the network team to add " IP/Network blacklists" of well know malware and ransomware so they block them , a user on Github merged Some Good lists on their account .
0
 
LVL 7

Expert Comment

by:Fouad Maidine
ID: 41715833
maybe this can be scripted to prevent such incidents using an api of such services (anti virus cloud services), Some sort of email relay or proxy , for every incoming email :

if there is an attachement it would be uploaded and scanned by such services like metascan or virus total , then if clean sent to it's recipient , if not sent to a Quarantine Folder some where .

If no attachement email relayed to the inbox directly.

just an idea hmm ...
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 41715965
Would this generally be caused by opening an attachment not just clicking on an email  <-- It could be either but I think opening an attachment is common.

Make sure they have an outstanding spam filter.

Teach people NOT to open emails from strangers,  Delete such emails.
0
 

Author Comment

by:floyd197
ID: 41722972
Thanks for all the suggestions. Looks like it had affected some of the files on the server so the software people had to restore from a Backup.
0
 
LVL 95

Expert Comment

by:John Hurst
ID: 41739699
Thanks for the update and I was happy to help
0

Featured Post

Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Touch screen experience for personal computers, improved security, and performance have made Windows 8 a great hit amongst users. If you are an Outlook user and thinking of or have upgraded to Win 8 or 8.1, then here are some guidelines that may pro…
Are you using email marketing software? If not, you're missing out on effortless marketing and the reaching of desired conversion rates through email marketing software.
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
In this Experts Exchange video Micro Tutorial, I'm going to show how small business owners who use Google Apps can save money by setting up what is called a catch-all email address in their Gmail accounts. By using the catch-all feature, small busin…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question