Solved

Encrypted with Zepto Ransomware

Posted on 2016-07-17
12
187 Views
Last Modified: 2016-08-02
Had a call on Friday regarding a PC or PCs that are infected with Zepto ransomware.

The problem started with one of the tills "going down" and not working as it should, so they called the people who look after the specialized till software, who came in remotely to a PC which they look after and which acts as a server for their software. After looking around in one of their system folders they found an HTML file called _1_HELP_instructions.html. They must have then opened this, which then displays the standard "all of your files are encrypted" etc. In the folder there are also 3 files with a .zepto extension, which may just be Word documents and may not affect how the program works.

They then said that this is why it wasn't working properly and that this type of infection is probably caused by an email. The PC in question isn't used for anything else apart from running this software and linking to the tills. There is no email account on it.

In the same room there is another PC that does use email. This is, by the look of it, also affected with the Zepto, as all the Word documents have the HTML file and the .zepto extension.

It is obviously infected, but this PC has Norton 360 Premier on it, so if the user had opened an infected email wouldn't this have stopped it?

I called in yesterday to have a look and have run a full Norton scan and also Malwarebytes, but it comes back clean.

I have also looked at the Norton logs on the day in question. I was told the problem started around 11am on the 15th of July, but there doesn't appear to be any infections for that day.

I suspect that this PC has infected the other; that is at least what the software people are suggesting.

Would it be possible to spread in this way?

Any thoughts or suggestions would be welcome.
Question by:floyd197
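As an added illustration (not part of the original thread), a small Python triage script for the situation described in the question: it walks a directory tree for the two indicators floyd197 mentions, files with a .zepto extension and the _HELP_instructions.html ransom note, and reports per folder how many files were hit and the earliest modification time, which is the value to line up against the Norton and mail logs when working out when and where the encryption started. The sample tree and its timestamps are constructed.

```python
import os
import tempfile
from datetime import datetime, timezone

# Indicators from the question: encrypted files get a .zepto extension and
# each hit folder gets a _HELP_instructions.html note (_1_HELP_instructions.html).
ENCRYPTED_EXT = ".zepto"
NOTE_SUFFIX = "_help_instructions.html"

def scan_for_zepto(root):
    """Map each affected folder to its .zepto count, note presence, earliest .zepto mtime (UTC)."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        entry = {"encrypted": 0, "note": False, "first_seen": None}
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                entry["encrypted"] += 1
                mtime = os.path.getmtime(os.path.join(dirpath, name))
                stamp = datetime.fromtimestamp(mtime, tz=timezone.utc)
                if entry["first_seen"] is None or stamp < entry["first_seen"]:
                    entry["first_seen"] = stamp
            elif lower.endswith(NOTE_SUFFIX):
                entry["note"] = True
        if entry["encrypted"] or entry["note"]:
            hits[dirpath] = entry
    return hits

def build_sample_tree(base):
    """Constructed layout like the till server: one hit folder, one clean folder."""
    hit = os.path.join(base, "TillServer", "Data")
    clean = os.path.join(base, "TillServer", "Logs")
    os.makedirs(hit)
    os.makedirs(clean)
    with open(os.path.join(hit, "_1_HELP_instructions.html"), "w") as f:
        f.write("<html>all of your files are encrypted</html>")
    # Constructed mtimes: 15 Jul 2016 11:00:00 UTC, then a minute apart.
    for i, stamp in enumerate((1468580400, 1468580460, 1468580520)):
        path = os.path.join(hit, f"doc{i}.zepto")
        open(path, "wb").close()
        os.utime(path, (stamp, stamp))
    open(os.path.join(clean, "till.log"), "w").close()
    return hit, clean

def run_demo():
    """Build the sample tree in a temp dir; return (hits, hit_dir, clean_dir)."""
    with tempfile.TemporaryDirectory() as base:
        hit, clean = build_sample_tree(base)
        return scan_for_zepto(base), hit, clean
```

Pointed at a mapped share instead of the temp tree, the same walk shows which server folders were touched, which is what the software people had to restore from backup in the end.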
12 Comments
 
LVL 90

Accepted Solution

by:
John Hurst earned 500 total points
If the computers are on a network (and probably are), then, yes, this is how it spreads.

You need to scan all machines with your own AV and then with Malwarebytes to remove the virus.
Then you must restore documents from backups.
0
 

Author Comment

by:floyd197
They are all networked. I have scanned the machines in question and they are coming back clean.

Obviously the damage has been done, but if no infections are found is it safe to say the PCs are clean?

Thanks
0
 
LVL 90

Expert Comment

by:John Hurst
The crypto virus in general encrypts the files and then goes away. So if the scans come back clean (including Malwarebytes) then you are probably OK. We cannot say with 100% certainty.

Keep a good backup of everything away from your network and go back into operation.

If it quickly occurs again, then format your machines and reinstall Windows.
0
 

Author Comment

by:floyd197
Always a difficult one to answer, but should Norton 360 have prevented this?
0
 
LVL 90

Expert Comment

by:John Hurst
The crypto stuff (the new ones) seem to be able to evade AV. That is why they are so common.
0
 

Author Comment

by:floyd197
Will speak to the user tomorrow, but would this generally be caused by opening an attachment, not just clicking on an email?
0
 
LVL 87

Expert Comment

by:rindi
I don't regard any Norton/Symantec stuff to be reliable in any way, so I'm not in the least surprised that it didn't catch the infection. But even a lot of reliable AV tools won't be able to detect ransomware, particularly if it is a new strain. You must be aware that those who create those things are always ahead of the AV tools. All they can do is react when something new has been discovered.

Most ransomware starts when you open an attachment from an email, which then starts a macro or script, or it can also start if you visit an infected website.

It doesn't automatically infect other PCs on the LAN, but many can encrypt files that are on the LAN. Or, for example, if a file that is infected by the virus is saved on the server and then opened by another PC, then this other PC will also get infected and start encrypting. So that is likely what happened on the PC that isn't used for email.

The only effective way you can avoid such stuff is user education, never using accounts with admin rights, doing application whitelisting (only programs that have been OK'd can be executed), disabling the execution of macros, etc. And of course make sure you have a good backup strategy (that of course is necessary anyway, not just to protect against viruses).
1
 
LVL 7

Expert Comment

by:Fouad Maidine
Zepto is a variant or a mutation of Locky ransomware; it has the same code base, just a different extension, and uses different domains for the C2 server, and they changed the signature of the binary to evade AV engines.

It's very easy to avoid AV engines. I'm not an expert in malware analysis, but just to show you how simple it is to avoid AVs:

Once I tried hex-editing a virus and sending it to the Metadefender cloud scanner (it scans with 41 different AVs, just to see how these various AVs react to simple things). Guess what happened: the detection rate dropped just by editing a 1 to a 0.

I put it in a zip folder, changed the extension name, and put it in another zip folder (since most AVs scan zips, so... I guessed they would detect this?). More than half of the antiviruses couldn't detect it.

This is simple stuff; malware editors use way more complicated things. Polymorphic or encrypted code segments are the norm nowadays. Only antiviruses that can monitor behaviour and do heuristic analysis can catch this, and no, MD5 or SHA1 do not catch mutations, and it's not just about catching system calls...

Norton, being popular and widely used, is the ideal target of most hackers out there, so they will make sure before deploying it that it avoids detection.

If you still didn't nuke with 0s and re-image that PC, you could send an infected piece to the Metascan website (it scans with 4x well-known antivirus engines) and you could see how different antiviruses react to this.

As to your question: perhaps a document carrying that payload was opened on the PC not using email? Or maybe some shared folder?

Maybe you can talk to the network team to add IP/network blacklists of well-known malware and ransomware so they block them; a user on GitHub merged some good lists on their account.
0
 
LVL 7

Expert Comment

by:Fouad Maidine
Maybe this can be scripted to prevent such incidents using an API of such services (antivirus cloud services): some sort of email relay or proxy where, for every incoming email:

If there is an attachment, it would be uploaded and scanned by such services as Metascan or VirusTotal, then if clean sent to its recipient, and if not, sent to a quarantine folder somewhere.

If there is no attachment, the email is relayed to the inbox directly.

Just an idea, hmm...
0
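The relay idea in the comment above, written out as an added Python example (not code from the thread or from any of the services named): the routing decision for one raw message. Attachments are first checked against a constructed deny-list of file types that need no upload at all (scripts, macro-enabled Office files, executables); anything else is hashed and handed to a `cloud_verdict` callback, which stands in for a Metadefender or VirusTotal lookup so the example runs offline. The sample messages and the "known bad" digest are constructed.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed deny-list of attachment types commonly used to deliver
# ransomware droppers: script files, macro-enabled Office documents, executables.
BLOCKED_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".hta", ".docm", ".xlsm", ".exe", ".scr"}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def route_message(raw_bytes, cloud_verdict):
    """Return ("inbox", []) or ("quarantine", reasons) for a raw RFC 5322 message.

    cloud_verdict(sha256_hex, filename) -> True when the scanning service calls
    the attachment malicious. It is passed in so the back end (Metadefender,
    VirusTotal, ...) can be swapped without touching the relay logic."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:  # static policy first: no upload needed
            reasons.append(f"{name}: blocked attachment type {ext}")
            continue
        digest = sha256_hex(data)
        if cloud_verdict(digest, name):
            reasons.append(f"{name}: flagged by scanner (sha256 {digest[:12]}...)")
    return ("quarantine", reasons) if reasons else ("inbox", [])

def build_sample(filename, content):
    """Constructed message with one attachment, as the relay would receive it."""
    m = EmailMessage()
    m["From"] = "invoice@example.invalid"
    m["To"] = "tills@example.invalid"
    m["Subject"] = "Invoice"
    m.set_content("Please see attached.")
    m.add_attachment(content, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()

# Stand-in for a cloud hash lookup: one constructed "known bad" digest.
KNOWN_BAD = {sha256_hex(b"constructed-bad-sample")}

def demo_verdict(digest, _name):
    return digest in KNOWN_BAD
```

A message with no attachments never reaches the callback and goes straight to the inbox, matching the second rule in the comment.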
 
LVL 90

Expert Comment

by:John Hurst
Would this generally be caused by opening an attachment, not just clicking on an email? <-- It could be either, but I think opening an attachment is common.

Make sure they have an outstanding spam filter.

Teach people NOT to open emails from strangers; delete such emails.
0
 

Author Comment

by:floyd197
Thanks for all the suggestions. Looks like it had affected some of the files on the server, so the software people had to restore from a backup.
0
 
LVL 90

Expert Comment

by:John Hurst
Thanks for the update, and I was happy to help.
0