

Encrypted with Zepto Ransomware

Posted on 2016-07-17
Medium Priority
Last Modified: 2016-08-02
Had a call on Friday regarding a PC or PCs that are infected with Zepto ransomware.

The problem started with one of the tills "going down" and not working as it should, so they called the people who look after the specialized till software, who came in remotely to a PC which they look after and which acts as a server for their software. After looking around in one of their system folders they found an HTML file called _1_HELP_instructions.html. They must then have opened this, which displays the standard "all of your files are encrypted" message etc. In the folder there are also 3 files with a .zepto extension, which may just be Word documents and may not affect how the program works.

They then said that this is why it wasn't working properly and that this type of infection is probably caused by an email. The PC in question isn't used for anything else apart from running this software and linking to the tills. There is no email account on it.

In the same room there is another PC that does use email. By the look of it, this is also affected by Zepto, as all the Word documents have the HTML file and the .zepto extension.

It is obviously infected, but this PC has Norton 360 Premier on it, so if the user had opened an infected email wouldn't this have stopped it?

I called in yesterday to have a look and have run a full Norton scan and also Malwarebytes, but it comes back clean.

I have also looked at the Norton logs for the day in question. I was told the problem started around 11am on the 15th of July, but there doesn't appear to be any infection for that day.

I suspect that this PC has infected the other; at least that is what the software people are suggesting.

Would it be possible for it to spread in this way?

Any thoughts or suggestions would be welcome.
Question by:floyd197
LVL 100

Accepted Solution

John Hurst earned 2000 total points
ID: 41715760
If the computers are on a network (and probably are), then, yes, this is how it spreads.

You need to scan all machines with your own AV and then with Malwarebytes to remove the virus.
Then you must restore documents from backups.

Author Comment

ID: 41715765
They are all networked. I have scanned the machines in question and they are coming back clean.

Obviously the damage has been done, but if no infections are found is it safe to say the PCs are clean?

LVL 100

Expert Comment

by:John Hurst
ID: 41715767
The crypto virus in general encrypts the files and then goes away. So if the scans come back clean (including Malwarebytes) then you are probably OK. We cannot say with 100% certainty.

Keep a good backup of everything away from your network and go back into operation.

If it quickly occurs again, then format your machines and reinstall Windows.

Author Comment

ID: 41715769
Always a difficult one to answer, but should Norton 360 have prevented this?
LVL 100

Expert Comment

by:John Hurst
ID: 41715770
The crypto stuff (the new ones) seem to be able to evade AV. That is why they are so common.

Author Comment

ID: 41715774
Will speak to the user tomorrow, but would this generally be caused by opening an attachment, not just clicking on an email?
LVL 88

Expert Comment

ID: 41715792
I don't regard any Norton/Symantec stuff to be reliable in any way, so I'm not in the least surprised that it didn't catch the infection. But even a lot of reliable AV tools won't be able to detect ransomware, particularly if it is a new strain. You must be aware that those who create those things are always ahead of the AV tools. All they can do is react when something new has been discovered.

Most ransomware starts when you open an attachment from an email, which then starts a macro or script, or it can also start if you visit an infected website.

It doesn't automatically infect other PCs on the LAN, but many can encrypt files that are on the LAN. Or, for example, if a file that is infected by the virus is saved on the server and then opened by another PC, then this other PC will also get infected and start encrypting. So that is likely what happened on the PC that isn't used for email.

The only effective way you can avoid such stuff is user education, never using accounts with admin rights, doing application whitelisting (only programs that have been OK'd can be executed), disabling the execution of macros, etc. And of course make sure you have a good backup strategy (that of course is necessary anyway, not just to protect against viruses).

Expert Comment

by:Maidine Fouad
ID: 41715811
Zepto is a variant or a mutation of the Locky ransomware. It has the same code base, just a different extension, and uses different domains for the C2 server, and they changed the signature of the binary to evade AV engines.

It's very easy to avoid AV engines. I'm not an expert in malware analysis, but just to show you how simple it is to avoid AVs:

Once I tried hex-editing a virus and sending it to the Metadefender cloud scanner (it scans with 41 different AVs, just to see how these various AVs react to simple things). Guess what happened: the detection rate dropped just by editing a one to a 0.

I put it in a zip folder, changed the extension name, and put it in another zip folder (since most AVs scan zips, so... I guessed they would detect this?). More than half of the antiviruses can't detect it.

This is simple stuff; malware editors use way more complicated things. Polymorphic or encrypted code segments are the norm nowadays... Only antiviruses that can monitor behavior and do heuristic analysis can catch this... and no, MD5 or SHA1 do not catch mutations, and it's not just about catching system calls...

Norton, being popular and widely used, is the ideal target of most hackers out there, so they will make sure before deploying it that it avoids detection.

If you still didn't nuke with 0's and re-image that PC, you could send an infected piece to the Metascan web site (it scans with 4x well-known antivirus engines) and you could see how the different antiviruses react to this.

As to your question: perhaps a document carrying that payload was opened on the PC not using email? Or maybe some shared folder?

Maybe you can talk to the network team to add "IP/network blacklists" of well-known malware and ransomware so they block them; a user on GitHub merged some good lists on their account.

Expert Comment

by:Maidine Fouad
ID: 41715833
Maybe this can be scripted to prevent such incidents using an API of such services (antivirus cloud services): some sort of email relay or proxy. For every incoming email:

If there is an attachment, it would be uploaded and scanned by such services like Metascan or VirusTotal, then if clean sent to its recipient; if not, sent to a quarantine folder somewhere.

If there is no attachment, the email is relayed to the inbox directly.

Just an idea, hmm...
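An added example, not code from this thread or from any scanning service, of the relay logic sketched in the comment above combined with the nested-zip point raised earlier: it parses a message, unpacks zip attachments recursively, checks every blob against a scanner, and routes the mail to the inbox or to quarantine. The scanner here is a stand-in hash lookup, and the addresses and sample bytes are constructed; a real relay would call the cloud service's API at that point.

```python
import email.message
import email.policy
import hashlib
import io
import zipfile
# Constructed stand-in for a malicious attachment (not real malware) and a
# stand-in verdict store; a real relay would query the scanning service's API.
BAD_SAMPLE = b"constructed placeholder bytes for a malicious document"
KNOWN_BAD_SHA256 = {hashlib.sha256(BAD_SAMPLE).hexdigest()}

def is_clean(data):
    """Stand-in scanner: clean unless the SHA-256 is a known-bad hash."""
    return hashlib.sha256(data).hexdigest() not in KNOWN_BAD_SHA256

def unpack(data, depth=0):
    """Yield the blob and, if it is a zip, its members recursively (3 levels max)."""
    yield data
    if depth >= 3 or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            yield from unpack(zf.read(name), depth + 1)

def route_message(raw, scanner=is_clean):
    """Decide 'inbox' or 'quarantine' for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    attachments = list(msg.iter_attachments())
    if not attachments:
        return "inbox"            # no attachment: relay directly
    for part in attachments:
        blob = part.get_payload(decode=True) or b""
        if not all(scanner(chunk) for chunk in unpack(blob)):
            return "quarantine"   # flagged anywhere: hold the whole mail
    return "inbox"

def build_message(body, attachment=None):
    msg = email.message.EmailMessage()   # constructed sample; placeholder addresses
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Invoice"
    msg.set_content(body)
    if attachment is not None:           # misleading .doc name, as in the post above
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="invoice.doc")
    return msg.as_bytes()

def zipped(data, name):
    """Wrap data as a single-member zip archive (nest by calling twice)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()
```

The recursion depth limit keeps a deliberately deep archive from tying up the relay; a real deployment would also cap total decompressed size.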
LVL 100

Expert Comment

by:John Hurst
ID: 41715965
Would this generally be caused by opening an attachment not just clicking on an email  <-- It could be either but I think opening an attachment is common.

Make sure they have an outstanding spam filter.

Teach people NOT to open emails from strangers. Delete such emails.

Author Comment

ID: 41722972
Thanks for all the suggestions. It looks like it had affected some of the files on the server, so the software people had to restore from a backup.
LVL 100

Expert Comment

by:John Hurst
ID: 41739699
Thanks for the update, and I was happy to help.
