Ecryped with Zepto Ransomware

Had a call on Friday regarding a PC or Pc's that are infected with Zepto ransoware.

The problem started with one of the tills "going down" and not working as it should so they called
the people who look after the specialized till software who came in remotely to a PC which they
look after and acts as a serverfor their software. After looking around in one of their system folders
they found an html file called _1_HELP_instructions.html. They must have then opened this which
then displays the standard all of your files are encrypted etc. In the folder there are also 3 files with a
zepto extension which may jut be word documents and may not affect how the program works.

They then said that this is why it wasn't working properly and this type of infection is probably caused by an email. The pc in question isn't used for anything else apart from running this softare and linking to the tills. There is no email account on it.

In the same room there is another pc that does use email. This is by the look of it also affected with the Zepto as all the word documents have the html file and the .zepo extension.

It is obviously infected but this pc has Norton3 60 Premier on it so if the user had opened an infected email wouldn't this have stopped it.

I called in yesterday to have a look and have run  full Norton scan and also malwarebytes but
it comes back clean.

I have also looked at the Norton logs on the day in question - I was told the problem started around 11am on the 15th of July but there doesn't appear to be any infections for that day.

I Suspect that this pc has infected the other that is at least what the sofware people are suggesting.

Would it be possible to spread in this way.

Any thoughts or suggestions would be welcome
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
If the computers are on a network (and probably are), then, yes, this is how it spreads.

You need to scan all machines with your own AV and then with Malwarebytes to remove the virus.
Then you must restore documents from backups.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
floyd197Author Commented:
They are all networked. I have scaned the machines in question and the are coming back clean.

Obviously the damage has been done but if no infections are founds is it safe to say the
PCs are clean

JohnBusiness Consultant (Owner)Commented:
The crypto virus in general encrypts the files and then goes away. So if the scans come back clean (including Malwarebytes) then you are probably OK. We cannot say with 100% certainty.

Keep a good backup of everything away from your network and go back into operation.

If it quickly occurs again, then format your machines and reinstall Windows.
Python 3 Fundamentals

This course will teach participants about installing and configuring Python, syntax, importing, statements, types, strings, booleans, files, lists, tuples, comprehensions, functions, and classes.

floyd197Author Commented:
Always a difficut one to answer but should Norton 360 have prevented this
JohnBusiness Consultant (Owner)Commented:
The crypto stuff (the new ones) seem to be able to evade AV. That is why they are so common.
floyd197Author Commented:
Will speak to the user tomorrow but Would this generally be caused by opening
an attachment not just clicking on an email
I don't regard any norton/symantec stuff to be reliable in any way, so I'm not in the least surprised that it didn't the infection. But even a lot of reliable AV tools won't be able to detect ransomware, particularly if it is a new strain. You must be aware that those who create those things are always ahead of the AV tools. All they can do is react when something new has been discovered.

Most ransomware starts when you open an attachment from an email, which then starts a macro or script, or it can also start if you visit an infected website.

It doesn't automatically infect other PC on the LAN, but many can encrypt files that are on the LAN. Or for example if a file that is infected by the virus is saved on the server, and then opened by another PC, then this other PC will also get infected and start encrypting. So that is likely what happened on the PC that isn't used for email.

The only effective way you can avoid such stuff is user education, never use accounts with admin rights, do application whitelisting (only programs that have been OK'd can be executed), disable the execution of macro's, etc. And of course make sure you have a good backup strategy (that of course is necessary anyway, not just to protect against viruses).
Maidine FouadEngineerCommented:
Zepto is a variant or a mutation of locky ransomware , it has the same code base , just a different extention and uses different domains for the c2 server and they changed the signature of the binary to evade AV engines

Its very easy to avoid Av engines , im not an expert in malware Analysis but just to show you how simple it is to avoid AV'S:

Once i tried Hex-editing a virus , and sending it to the Metadefender cloud scanner(it scans with 41 different av's just to see how these various AV's React to simple things) , guess what happend detection rate droped just by editing a one to a 0 .

I puted it in a Zip folder , Changed the extension name , and puted it in another zip folder(since most av's scans zip so ... i guessed they would detect this ?) , more then half of the anti viruses cant detect it

This is simple stuff , Malware editors use way more complicated things , polymorphic or encrypted code segments are the norm nowadays ... ,Only Antivirus'es that can monitor Behavior , and do heuristic analysis can catch this ...and no md5 or sha1 do not catch mutation ,and its not just about catching system calls ...

Norton being popular and widely used its the ideal target of most hackers out there so they will make sure before deploying it it avoids detection .

If you still didnt Nuke with 0's and re image that PC , you could send an infected piece to the Meta scan web site ( scans with 4x well known antivirus engines and you could see how different anti virus react to this

as to your question Perhaps a document carrying that payload was opened on the pc not using email ? or maybe some shared folder ?  

Maybe you can talk to the network team to add " IP/Network blacklists" of well know malware and ransomware so they block them , a user on Github merged Some Good lists on their account .
Maidine FouadEngineerCommented:
maybe this can be scripted to prevent such incidents using an api of such services (anti virus cloud services), Some sort of email relay or proxy , for every incoming email :

if there is an attachement it would be uploaded and scanned by such services like metascan or virus total , then if clean sent to it's recipient , if not sent to a Quarantine Folder some where .

If no attachement email relayed to the inbox directly.

just an idea hmm ...
JohnBusiness Consultant (Owner)Commented:
Would this generally be caused by opening an attachment not just clicking on an email  <-- It could be either but I think opening an attachment is common.

Make sure they have an outstanding spam filter.

Teach people NOT to open emails from strangers,  Delete such emails.
floyd197Author Commented:
Thanks for all the suggestions. Looks like it had affected some of the files on the server so the software people had to restore from a Backup.
JohnBusiness Consultant (Owner)Commented:
Thanks for the update and I was happy to help
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Internet / Email Software

From novice to tech pro — start learning today.