Solved

Decrypting the Zepto Virus

Posted on 2016-07-26
598 Views
Last Modified: 2016-07-28
Hi,
My computer was lucky enough to attain the .Zepto virus. I was able to remove the virus but I was too late and it has already encrypted some of the files. How do I decrypt those files?
Question by:Member_2_7969421
21 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 41730473
You cannot. Forget it. It could take decades to brute force the encryption if at all.
0
 

Author Comment

by:Member_2_7969421
ID: 41730495
Okay how about one or two specific files?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41730497
Same thing. It takes forever to decrypt these things. It is not practical.
0
 

Author Comment

by:Member_2_7969421
ID: 41730498
Well maybe you can explain the process to decrypt. Or another way to work around the issue. I've tried system restore but it didn't work...
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41730499
Encryption requires a brute force method to break the encryption keys. It is not practical.

System Restore will not restore encrypted files.

The data is encrypted using AES-128 algorithm, which itself is a very strong one, and can’t be broken without a decryption key.
0
 

Author Comment

by:Member_2_7969421
ID: 41730509
Fair enough, what about a data recovery of the original lost file? Is there a way to recover the lost file?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41730513
The best I saw was $950 with no guarantee of recovery (although no payment if not recovered).

https://www.provendatarecovery.com/data-recovery-services/ransomware-data-recovery/?gclid=CPX9tMLLks4CFYWDaQodDuEHqA
0
 

Author Comment

by:Member_2_7969421
ID: 41730515
But no good program you're aware of?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41730521
You are not understanding. It takes YEARS to decrypt these things. The virus makers are criminals attempting to extort money from you for the key with ZERO assurance they will give you the key. The encryption algorithm is very very strong to prevent breaking it.
0
 

Author Comment

by:Member_2_7969421
ID: 41730536
No, I understand what you're saying, but I'm asking if there is any way to recover the original file that was deleted.
0
 
LVL 51

Assisted Solution

by:Joe Winograd, EE MVE
Joe Winograd, EE MVE earned 125 total points
ID: 41730562
> recover the original file that was deleted

The original file was not deleted — it was encrypted. And as John has said numerous times, these very bad, but very smart, criminals use an encryption scheme that is, for all practical purposes, unbreakable with today's computers. If the bad guys did a poor encryption job, it's possible that the good guys will come up with a decryption scheme for it, but that's extremely unlikely, as the criminals, unfortunately, know what they're doing. If you do a web search for "zepto virus" you'll learn a lot about it — but I'd be very wary about clicking on any link that claims to have a decryption for it, unless it's from a reputable source. It's highly likely that the only way to recover the original files is from a backup that the virus did not encrypt — do you have such a backup? Regards, Joe
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41731001
> I'm asking if there is any way to recover the original file that was deleted

No. It was highly encrypted and not deleted. No practical way to get it back.
0
 
LVL 12

Expert Comment

by:Dustin Saunders
ID: 41731168
The short answer is, if the file isn't backed up somewhere then it's lost.

Even using a supercomputer to brute force the encryption, it would take one billion billion years (that's 2 "billions"), which is only slightly more than the age of the universe.
http://www.eetimes.com/document.asp?doc_id=1279619

In some cases, despite losing the file, some people are able to find copies or fairly recent copies in email attachments so you may want to check there.
2
 

Author Comment

by:Member_2_7969421
ID: 41731903
Okay, I appreciate everyone's comments. I didn't realize how terrible these viruses are. Dustin, you said there could be copies or fairly recent copies; what if they are things like a PST file for Outlook? Any suggestion where I could possibly find such a file?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41731906
Anything encrypted is gone. You need a backup from a different computer.
0
 

Author Comment

by:Member_2_7969421
ID: 41731979
Understood. One of my other questions is: when a decryption is found, by whatever methodology is used (aka the good guys figure a way out), how long does it take for a solution like that to get distributed?
0
 
LVL 90

Accepted Solution

by:John Hurst
John Hurst earned 250 total points
ID: 41731984
There is no solution being distributed. This has NEVER happened. Why? Too many years to decrypt.

You are overdoing the questions.

The encrypted files are lost, there is no solution, you cannot get them back, you need to restore from backup.
0
 
LVL 12

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 125 total points
ID: 41731991
Unfortunately, John is correct and the files are lost. The only time that it was reversible was when the police had raided the original CryptoLocker ring and recovered the keys, which were distributed through a tool. But this is the only incident and it was far too late to help most people.

By the email comment, if you have a PST and it's encrypted then it's lost. But if your mail is IMAP or Exchange and you have emailed the important file as an attachment, you may be able to go online and re-download that file from an online email.

It sucks to get hit with Crypto, I do hope you have backups. If it's a consumer-level problem and not for a business you may not, but there are very affordable options that you may consider to protect yourself from future problems.
0
 

Author Closing Comment

by:Member_2_7969421
ID: 41732021
I appreciate everyone's comments. Thank you for letting me know what I was worried about.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41732025
You are very welcome. Sorry about the files, and I do understand your issues.
0
 
LVL 29

Expert Comment

by:Olaf Doschke
ID: 41732510
Let me try to summarize and straighten some things:

a) Encryptions are strong, so strong you can't expect decryption by brute force attacks to guess the encryption password/key/key combination. The only hope is that someone can deduce the keys used from the code of the virus. Most probably it'll not simply use a predefined password but create a random one. If the author of the virus wants to bribe you he has to know a key to decrypt, but that's certainly not found in the code.

The essence of this is: forget about decrypting the files.

b) Only a backup of files can bring them back. If you didn't do backups it's too late to start for this instance, but surely a good idea to start right away. A professional backup can also restore mails, it can handle a PST growing large intelligently, but obviously you can't restore anything not backed up before the infection.

c) If any file is written or overwritten, a disk may not use the exact same blocks, so you might have unencrypted blocks of files. They are marked as free and reusable, but I don't know of a software recreating files from such blocks. The only software I know is capable of recovering deleted files, not overwritten files; this works as the deleted file still has its entry in the table of contents of the file system and the blocks of the file can be found and put together into a new file. If there merely are unencrypted blocks of files it's hardly doable to put them together not knowing to which file they belonged. A virus author is clever enough to hack your system; it's unlikely he's too dumb to not reuse the same blocks and overwrite them.

d) A system restore only restores the system, it is only concerned with Windows, not with your data, mails, documents. Even a restore point would only rather restore some essential files of the system like the registry, which for example contains the list of installed software (officially installed) as it was. A restore point is no full snapshot of HDDs with anything on them; that would take much more space and creating a restore point would also take much longer. That already can help straighten half installs, but not bring back files as they were at a certain point.

In the end, forget about getting back the files. Also use an extra backup software; you can't rely on what Windows has natively in that regard. System restore is useful in case of defects, you can at least get the system up again. Restore points also are helpful; I could for example recently put back a PC to the state before installing Visual Studio, as that installation did not complete and also couldn't be repaired. But all this restore point was restoring is mainly the registry and the knowledge of Windows about installed programs; that helped restarting the install, but it didn't bring back the HDD to where it was before.

The important thing is to have backups detached from your computer, on external backup media or external drives, so they're not reachable for a virus most of the time but only during backups. For that matter you don't use a single and same drive for backups, as even backups can of course be encrypted or infected. It's also no protection to encrypt backups yourself; any file can be encrypted again with another password and then only put back to the initial encrypted state with that new password.

So the final and only solution to protect files is backups. Backups, backups, backups. And those then also need protection. Besides putting them offline to protect against viruses, you better also store them in different locations to be protected against fire.

If you never thought about this it's time to start thinking about backups and a decent backup software.

Bye, Olaf.
0
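Added example, not code from any poster in this thread: a triage script for the situation the thread describes (files encrypted in place, recovery only from an untouched backup). It assumes the ransomware marked its output with a `.zepto` extension and left the original name in front of it (e.g. `report.docx.zepto`), and uses byte entropy to confirm a file really is ciphertext rather than just renamed; `shannon_entropy`, `classify` and `triage` are names chosen here.

```python
import math
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".zepto"      # marker extension assumed from the thread's ".Zepto virus"
ENTROPY_THRESHOLD = 7.5    # bits/byte; ciphertext sits near 8.0, office files and text far lower


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte over the 256 byte values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path, sample_size: int = 65536) -> str:
    """'encrypted' = marker extension plus high entropy; 'suspicious' = high entropy alone
    (archives, media, or ciphertext with a stripped marker); otherwise 'clean'."""
    with open(path, "rb") as f:
        ent = shannon_entropy(f.read(sample_size))
    if ent < ENTROPY_THRESHOLD:
        return "clean"
    return "encrypted" if path.suffix.lower() == RANSOM_EXT else "suspicious"


def triage(victim_root: str, backup_root: str) -> dict:
    """List encrypted files and check for an untouched copy under the backup tree.

    Assumes the original name survives once RANSOM_EXT is stripped (e.g. report.docx.zepto).
    Files with no clean backup copy land in 'lost': those are the ones to hunt for in older
    backups or mailed attachments, as the thread suggests."""
    report = {"restorable": [], "lost": [], "suspicious": []}
    victim, backup = Path(victim_root), Path(backup_root)
    for path in sorted(p for p in victim.rglob("*") if p.is_file()):
        rel = path.relative_to(victim)
        label = classify(path)
        if label == "suspicious":
            report["suspicious"].append(str(rel))
        elif label == "encrypted":
            original = rel.with_suffix("")            # report.docx.zepto -> report.docx
            candidate = backup / original
            # the backup copy must itself be unencrypted, or it is no backup at all
            if candidate.is_file() and classify(candidate) == "clean":
                report["restorable"].append(str(original))
            else:
                report["lost"].append(str(original))
    return report
```

Run it as `triage("C:/Users/me", "E:/backup")` style paths; the `lost` list is what still has to come from an older backup or a mailed attachment, and `suspicious` flags high-entropy files that deserve a manual look.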
