floyd197

Encrypted with Zepto Ransomware

Had a call on Friday regarding a PC or PCs that are infected with Zepto ransomware.

The problem started with one of the tills "going down" and not working as it should, so they called the people who look after the specialized till software, who came in remotely to a PC which they look after and which acts as a server for their software. After looking around in one of their system folders they found an html file called _1_HELP_instructions.html. They must have then opened this, which then displays the standard "all of your files are encrypted" etc. In the folder there are also 3 files with a .zepto extension, which may just be Word documents and may not affect how the program works.

They then said that this is why it wasn't working properly and that this type of infection is probably caused by an email. The PC in question isn't used for anything else apart from running this software and linking to the tills. There is no email account on it.

In the same room there is another PC that does use email. By the look of it this is also affected by Zepto, as all the Word documents have the html file and the .zepto extension.

It is obviously infected, but this PC has Norton 360 Premier on it, so if the user had opened an infected email wouldn't this have stopped it?

I called in yesterday to have a look and have run a full Norton scan and also Malwarebytes, but it comes back clean.

I have also looked at the Norton logs for the day in question. I was told the problem started around 11am on the 15th of July, but there don't appear to be any infections for that day.


I suspect that this PC has infected the other; that is at least what the software people are suggesting.

Would it be possible to spread in this way?

Any thoughts or suggestions would be welcome
Internet / Email Software
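An added example, not code from the asker or from any expert in this thread: a read-only triage script that uses the two indicators the question mentions, the .zepto extension and the _1_HELP_instructions.html note, to scope which folders (and, when run against a mapped share, which hosts) the encryption reached. The directory layout it builds is constructed sample data; a clean AV scan, as the thread goes on to discuss, says nothing about this scope.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the question: encrypted files carry a ".zepto" extension and
# each affected folder receives a ransom note named "_1_HELP_instructions.html".
ENCRYPTED_EXT = ".zepto"
RANSOM_NOTE = "_1_help_instructions.html"  # matched case-insensitively


def triage_tree(root):
    """Walk a local tree or mapped share and report where the encryption footprint is.
    Read-only: the aim is to scope which folders the ransomware reached, not to clean up.
    """
    per_dir = Counter()
    note_dirs = set()
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                per_dir[dirpath] += 1
            elif lower == RANSOM_NOTE:
                note_dirs.add(dirpath)
    return {"encrypted_total": sum(per_dir.values()),
            "encrypted_per_dir": dict(per_dir),
            "note_dirs": note_dirs}


def build_sample_tree():
    """Construct a throwaway tree mimicking the symptoms described in the question."""
    root = tempfile.mkdtemp(prefix="zepto_triage_")
    layout = {  # constructed sample layout, not data from the affected site
        "till_server/data": ["config.ini", "_1_HELP_instructions.html",
                             "a.docx.zepto", "b.docx.zepto", "c.xls.zepto"],
        "office/docs": ["_1_HELP_instructions.html", "invoice.docx.zepto"],
        "office/untouched": ["notes.txt"],
    }
    for rel, names in layout.items():
        folder = os.path.join(root, rel)
        os.makedirs(folder)
        for name in names:
            with open(os.path.join(folder, name), "w") as fh:
                fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    report = triage_tree(build_sample_tree())
    print(report["encrypted_total"], "encrypted files;",
          "ransom notes in", sorted(report["note_dirs"]))
```

Point it at each PC's data folders and at the till server's share to see how far the encryption went before restoring from backup.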

ASKER CERTIFIED SOLUTION
John
floyd197

ASKER

They are all networked. I have scanned the machines in question and they are coming back clean.

Obviously the damage has been done, but if no infections are found is it safe to say the PCs are clean?

Thanks
John

The crypto virus in general encrypts the files and then goes away. So if the scans come back clean (including Malwarebytes) then you are probably OK. We cannot say with 100% certainty.

Keep a good backup of everything away from your network and go back into operation.

If it quickly occurs again, then format your machines and reinstall Windows.
floyd197

ASKER

Always a difficult one to answer, but should Norton 360 have prevented this?
John

The crypto stuff (the new ones) seems to be able to evade AV. That is why they are so common.
floyd197

ASKER

Will speak to the user tomorrow, but would this generally be caused by opening an attachment, not just clicking on an email?
rindi

I don't regard any Norton/Symantec stuff to be reliable in any way, so I'm not in the least surprised that it didn't detect the infection. But even a lot of reliable AV tools won't be able to detect ransomware, particularly if it is a new strain. You must be aware that those who create those things are always ahead of the AV tools. All they can do is react when something new has been discovered.

Most ransomware starts when you open an attachment from an email, which then starts a macro or script, or it can also start if you visit an infected website.

It doesn't automatically infect other PCs on the LAN, but many can encrypt files that are on the LAN. Or, for example, if a file that is infected by the virus is saved on the server and then opened by another PC, then this other PC will also get infected and start encrypting. So that is likely what happened on the PC that isn't used for email.

The only effective way you can avoid such stuff is user education, never using accounts with admin rights, doing application whitelisting (only programs that have been OK'd can be executed), disabling the execution of macros, etc. And of course make sure you have a good backup strategy (that of course is necessary anyway, not just to protect against viruses).
Maidine Fouad

Zepto is a variant or a mutation of the Locky ransomware. It has the same code base, just a different extension, and uses different domains for the C2 server, and they changed the signature of the binary to evade AV engines.

It's very easy to avoid AV engines. I'm not an expert in malware analysis, but just to show you how simple it is to avoid AVs:

Once I tried hex-editing a virus and sending it to the Metadefender cloud scanner (it scans with 41 different AVs, just to see how these various AVs react to simple things). Guess what happened: the detection rate dropped just by editing a one to a 0.

I put it in a zip folder, changed the extension name, and put it in another zip folder (since most AVs scan zips, so I guessed they would detect this?). More than half of the antiviruses can't detect it.

This is simple stuff. Malware editors use way more complicated things; polymorphic or encrypted code segments are the norm nowadays. Only antiviruses that can monitor behavior and do heuristic analysis can catch this, and no, MD5 or SHA1 do not catch mutation, and it's not just about catching system calls.

Norton being popular and widely used, it's the ideal target of most hackers out there, so they will make sure before deploying it that it avoids detection.

If you still didn't nuke with 0's and re-image that PC, you could send an infected piece to the Metascan website (it scans with 4x well-known antivirus engines) and you could see how different antiviruses react to this.

As to your question: perhaps a document carrying that payload was opened on the PC not using email? Or maybe some shared folder?

Maybe you can talk to the network team to add "IP/Network blacklists" of well-known malware and ransomware so they block them; a user on GitHub merged some good lists on their account.
Maidine Fouad

Maybe this can be scripted to prevent such incidents using an API of such services (antivirus cloud services): some sort of email relay or proxy, where for every incoming email:

if there is an attachment, it would be uploaded and scanned by such services like Metascan or VirusTotal, then if clean sent to its recipient, and if not sent to a quarantine folder somewhere.

If there is no attachment, the email is relayed to the inbox directly.

Just an idea, hmm...
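An added example of the relay idea above, not code from the commenter and not a call to Metascan or VirusTotal (their APIs are not described in this thread): attachments are pulled out of a message with Python's email module and checked against a placeholder hash blocklist and a list of executable and macro-enabled types, with zip archives unpacked to a fixed nesting depth since, as noted above, wrapping a file in a zip is a common way to hide it. The blocklist digest, addresses and sample mails are constructed.

```python
import hashlib, io, os, zipfile
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed placeholder digest standing in for a feed of known-bad attachment hashes
# (the thread gives no real Zepto/Locky indicators, so none are used here).
KNOWN_BAD_SHA256 = {"0" * 64}
# Types that run code when opened: scripts, executables, macro-enabled Office files.
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr", ".docm", ".xlsm"}
MAX_ARCHIVE_DEPTH = 2  # refuse deeper nesting so a crafted archive cannot stall the relay


def classify_attachment(filename, data, depth=0):
    """Return ('quarantine' | 'deliver', reason) for one attachment, unpacking zips."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return "quarantine", f"{filename}: sha256 {digest[:12]} is on the blocklist"
    ext = os.path.splitext(filename or "")[1].lower()
    if ext in RISKY_EXTENSIONS:
        return "quarantine", f"{filename}: risky type {ext}"
    if ext == ".zip":  # look inside archives rather than trusting the outer name
        if depth >= MAX_ARCHIVE_DEPTH:
            return "quarantine", f"{filename}: archive nested too deeply"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    verdict, why = classify_attachment(info.filename, zf.read(info), depth + 1)
                    if verdict == "quarantine":
                        return "quarantine", f"{filename} -> {why}"
        except zipfile.BadZipFile:
            return "quarantine", f"{filename}: unreadable archive"
    return "deliver", f"{filename}: no indicator"


def route_message(raw):  # relay decision for one raw message: ('inbox'|'quarantine', verdicts)
    msg = message_from_string(raw, policy=policy.default)
    verdicts = [classify_attachment(p.get_filename(), p.get_payload(decode=True) or b"")
                for p in msg.iter_attachments()]
    return ("quarantine" if any(v == "quarantine" for v, _ in verdicts) else "inbox"), verdicts


def build_sample_mail(attachments):  # constructed test input: (filename, bytes) pairs
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "Invoice"
    msg.set_content("Please see attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_string()


def zipped(name, data):  # wrap one file in a zip, for the nested-archive case
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()
```

A message with no attachments yields an empty verdict list and goes straight to the inbox, which is the "relayed directly" branch above.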
John

Would this generally be caused by opening an attachment not just clicking on an email  <-- It could be either but I think opening an attachment is common.

Make sure they have an outstanding spam filter.

Teach people NOT to open emails from strangers; delete such emails.
floyd197

ASKER

Thanks for all the suggestions. It looks like it had affected some of the files on the server, so the software people had to restore from a backup.
John

Thanks for the update, and I was happy to help.