Decrypting the Zepto Virus

Posted on 2016-07-26
693 Views
Last Modified: 2016-07-28
Hi,
My computer was lucky enough to attain the .Zepto virus. I was able to remove the virus, but I was too late and it had already encrypted some of the files. How do I decrypt those files?
Question by:Member_2_7969421
21 Comments
 
LVL 98

Expert Comment

by:John Hurst
ID: 41730473
You cannot. Forget it. It could take decades to brute force the encryption if at all.
0
 

Author Comment

by:Member_2_7969421
ID: 41730495
Okay how about one or two specific files?
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 41730497
Same thing. It takes forever to decrypt these things. It is not practical.
0

Author Comment

by:Member_2_7969421
ID: 41730498
Well maybe you can explain the process to decrypt. Or another way to work around the issue. I've tried system restore but it didn't work...
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 41730499
Encryption requires a brute force method to break the encryption keys. It is not practical.

System Restore will not restore encrypted files.

The data is encrypted using AES-128 algorithm, which itself is a very strong one, and can’t be broken without a decryption key.
0
 

Author Comment

by:Member_2_7969421
ID: 41730509
Fair enough. What about data recovery of the original lost file? Is there a way to recover the lost file?
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 41730513
The best I saw was $950 with no guarantee of recovery (although no payment if not recovered).

https://www.provendatarecovery.com/data-recovery-services/ransomware-data-recovery/?gclid=CPX9tMLLks4CFYWDaQodDuEHqA
0
 

Author Comment

by:Member_2_7969421
ID: 41730515
But no good program you're aware of?
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 41730521
You are not understanding. It takes YEARS to decrypt these things. The virus makers are criminals attempting to extort money from you for the key with ZERO assurance they will give you the key. The encryption algorithm is very very strong to prevent breaking it.
0
 

Author Comment

by:Member_2_7969421
ID: 41730536
No, I understand what you're saying, but I'm asking if there is any way to recover the original file that was deleted.
0
 
LVL 55

Assisted Solution

by:Joe Winograd, EE MVE 2015&2016
Joe Winograd, EE MVE 2015&2016 earned 500 total points
ID: 41730562
> recover the original file that was deleted

The original file was not deleted — it was encrypted. And as John has said numerous times, these very bad, but very smart, criminals use an encryption scheme that is, for all practical purposes, unbreakable with today's computers. If the bad guys did a poor encryption job, it's possible that the good guys will come up with a decryption scheme for it, but that's extremely unlikely, as the criminals, unfortunately, know what they're doing. If you do a web search for "zepto virus" you'll learn a lot about it — but I'd be very wary about clicking on any link that claims to have a decryption for it, unless it's from a reputable source. It's highly likely that the only way to recover the original files is from a backup that the virus did not encrypt — do you have such a backup? Regards, Joe
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 41731001
> I'm asking if there is any way to recover the original file that was deleted

No. It was highly encrypted and not deleted. No practical way to get it back.
0
 
LVL 13

Expert Comment

by:Dustin Saunders
ID: 41731168
The short answer is, if the file isn't backed up somewhere then it's lost.

Even using a super computer to brute force encryption, it would take one billion billion years (that's 2 "billions").  Which is only slightly more than the age of the universe.
http://www.eetimes.com/document.asp?doc_id=1279619

In some cases, despite losing the file, some people are able to find copies or fairly recent copies in email attachments so you may want to check there.
2
 

Author Comment

by:Member_2_7969421
ID: 41731903
Okay, I appreciate everyone's comments. I didn't realize how terrible this virus is. Dustin, you said there could be copies or fairly recent copies; what if they are things like a PST file for Outlook? Any suggestion where I could possibly find such a file?
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 41731906
Anything encrypted is gone. You need a backup from a different computer.
0
 

Author Comment

by:Member_2_7969421
ID: 41731979
Understood. One of my other questions is: when a decryption is found, by whatever methodology is used (aka the good guys figure a way out), how long does a solution like that take to get distributed?
0
 
LVL 98

Accepted Solution

by:John Hurst
John Hurst earned 1000 total points
ID: 41731984
There is no solution being distributed. This has NEVER happened. Why? Too many years to decrypt.

You are overdoing the questions.

The encrypted files are lost, there is no solution, you cannot get them back, you need to restore from backup.
0
 
LVL 13

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 500 total points
ID: 41731991
Unfortunately, John is correct and the files are lost.  The only time that it was reversible was when the police had raided the original cryptolocker ring and recovered the keys, which was distributed through a tool.  But this is the only incident and it was far too late to help most people.

By the email comment, if you have a PST and it's encrypted then it's lost.  But if your mail is IMAP or Exchange and you have emailed the important file as an attachment- you may be able to go online and re-download that file from an online email.

It sucks to get hit with Crypto, I do hope you have backups.  If it's consumer level problem and not for a business you may not, but there are very affordable options that you may consider to protect yourself from future problems.
0
 

Author Closing Comment

by:Member_2_7969421
ID: 41732021
I appreciate everyone's comments. Thank you for letting me know what I was worried about.
0
 
LVL 98

Expert Comment

by:John Hurst
ID: 41732025
You are very welcome. Sorry about the files, and I do understand your issues.
0
 
LVL 30

Expert Comment

by:Olaf Doschke
ID: 41732510
Let me try to summarize and straighten some things:

a) Encryptions are strong, so strong you can't expect decryption by brute force attacks to guess the encryption password/key/key combination. The only hope is someone can deduct the keys used from the code of the virus. Most probably it'll not simply use a predefined password but create a random one. If the author of the virus wants to bribe you he has to know a key to decrypt, but that's certainly not found in the code.

The essence of this is: forget about decrypting the files.

b) Only a backup of files can bring them back. If you didn't do backups it's too late to start for this instance, but surely a good idea to start right away. A professional backup can also restore mails and can handle a PST growing large intelligently, but obviously you can't restore anything not backed up before the infection.

c) If any file is written or overwritten, a disc may not use the exact same blocks, so you might have unencrypted blocks of files. They are marked as free and reusable, but I don't know a software recreating files from such blocks; the only software I know is capable of recovering deleted files, not overwritten files. This works as the deleted file still has its entry in the table of contents of the file system and the blocks of the file can be found and put together into a new file. If there merely are unencrypted blocks of files it's hardly doable to put them together not knowing to which file they belonged. A virus author is clever enough to hack your system; it's unlikely he's too dumb to not reuse the same blocks and overwrite them.

d) A system restore only restores the system; it is only concerned with Windows, not with your data, mails, documents. Even a restore point would only restore some essential files of the system like the registry, which for example contains the list of installed software (officially installed) as it was. A restore point is no full snapshot of HDDs with anything on them; that would take much more space and creating a restore point would also take much longer. That already can help straighten half installs, but not bring back files as they were at a certain point.

In the end, forget about getting back the files. Also use an extra backup software, you can't rely on what Windows has native in that regard. System restore is useful in case of defects you can at least get the system up again, restore points also are helpful, I could for example recently put back a PC to the state before installing Visual Studio as that installation did not complete and also couldn't be repaired, but all this restore point was restoring is mainly the registry and the knowledge of Windows about installed programs, that helped restarting the install, but it didn't bring back the hdd to where it was before.

The important thing is to have backups detached from your computer, in external backup media or external drives, so it's not reachable for a virus most of the time but at backups. For that matter you don't use a single and same drive for backups, as even backups can of course be encrypted or infected. It's also no protection to encrypt backups yourself, any file can be encrypted again with another password and then only put back to the initial encrypted state with that new password.

So the final and only solution to protect files is backups. Backups, backups, backups. And those then also need protection. Besides putting them offline to protect against viruses, you better also store them in different locations to be protected against fire.

If you never thought about this it's time to start thinking about backups and a decent backup software.

Bye, Olaf.
0
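Olaf's point that an attached backup can itself end up encrypted is worth turning into a check before relying on a backup set. The Python below is an added example, not code from the thread: it audits each file by three signs of ransomware damage (the .zepto extension Zepto appended to victims' files, a missing file-format header for known document types, and near-8-bit byte entropy for unknown types). File names and contents are constructed samples; the header bytes are the well-known ones for each format.

```python
import math
import os
from collections import Counter

# Zepto (a Locky variant) renamed the files it encrypted to "<id>.zepto".
RANSOM_EXTENSIONS = {".zepto"}
# Leading bytes these formats normally start with; encrypted copies lose them.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".pst": b"!BDN",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, English prose nearer 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def audit_file(name: str, data: bytes, threshold: float = 7.9) -> tuple:
    """Return (verdict, reason) for one backed-up file."""
    ext = os.path.splitext(name)[1].lower()
    if ext in RANSOM_EXTENSIONS:
        return "encrypted", f"ransomware extension {ext}"
    expected = MAGIC.get(ext)
    if expected is not None:
        if data.startswith(expected):
            return "ok", "expected header present"
        return "suspect", f"{ext} file lacks header {expected!r}"
    # Unknown type: fall back on entropy. Compressed data (zip, jpeg) also
    # scores high, so treat this verdict as a lead to inspect, not proof.
    ent = shannon_entropy(data)
    if ent > threshold:
        return "suspect", f"entropy {ent:.2f} bits/byte for unknown type"
    return "ok", f"entropy {ent:.2f} bits/byte"

def audit_backup(files: dict) -> dict:
    # files maps name -> content bytes; result maps name -> verdict
    return {name: audit_file(name, data)[0] for name, data in files.items()}

# Constructed sample backup set (not real victim data).
SAMPLE_BACKUP = {
    "notes.txt": b"Weekly notes: offline backup rotated and verified.\n" * 20,
    "report.pdf": b"%PDF-1.4\n%constructed sample body\n" * 8,
    "mail.pst": b"!BDN" + bytes(64),
    "budget.docx": bytes(range(255, -1, -1)) * 4,   # original name, header gone
    "9A0F3C1D.zepto": bytes(range(256)) * 4,        # renamed by the ransomware
    "blob.bin": bytes(range(256)) * 16,             # unknown type, 8.0 bits/byte
}
```

Run `audit_backup` over a real backup by reading each file's first few kilobytes into the dict; any "encrypted" or "suspect" verdict means that copy was taken after the infection or from an attached drive the ransomware reached.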
