Hi,
My computer was lucky enough to attain the .Zepto virus. I was able to remove the virus but I was too late and it has already encrypted some of the files. How do I decrypt those files?
Windows XP, Windows OS, Encryption
Last Comment: Olaf Doschke, 8/22/2022 - Mon
John
You cannot. Forget it. It could take decades to brute force the encryption if at all.
Member_2_7969421
ASKER
Okay how about one or two specific files?
John
Same thing. It takes forever to decrypt these things. It is not practical.
You are not understanding. It takes YEARS to decrypt these things. The virus makers are criminals attempting to extort money from you for the key with ZERO assurance they will give you the key. The encryption algorithm is very very strong to prevent breaking it.
I'm asking if there is any way to recover the original file that was deleted.
No. It was highly encrypted and not deleted. No practical way to get it back.
Dustin Saunders
The short answer is, if the file isn't backed up somewhere then it's lost.
Even using a super computer to brute force encryption, it would take one billion billion years (that's 2 "billions"). Which is only slightly more than the age of the universe. http://www.eetimes.com/document.asp?doc_id=1279619
In some cases, despite losing the file, some people are able to find copies or fairly recent copies in email attachments so you may want to check there.
Okay, I appreciate everyone's comments. I didn't realize how terrible this virus is. Dustin, you said there could be copies or fairly recent copies, what if they are things like a pst file for Outlook? Any suggestion where I could possibly find such a file?
John
Anything encrypted is gone. You need a backup from a different computer.
Member_2_7969421
ASKER
Understood. One of my other questions is: when a decryption is found by whatever methodology is used (aka the good guys figure a way out), how long does a solution like that take to get distributed?
I appreciate everyone's comments. Thank you for letting me know what I was worried about.
John
You are very welcome. Sorry about the files, and I do understand your issues.
Olaf Doschke
Let me try to summarize and straighten some things:
a) Encryptions are strong, so strong you can't expect decryption by brute force attacks to guess the encryption password/key/key combination. The only hope is someone can deduce the keys used from the code of the virus. Most probably it'll not simply use a predefined password but create a random one. If the author of the virus wants to bribe you he has to know a key to decrypt, but that's certainly not found in the code.
The essence of this is, forget about decrypting the files.
b) Only a backup of files can bring them back. If you didn't do backups it's too late to start for this instance, but surely a good idea to start right away. A professional backup can also restore mails, it can handle pst growing large intelligently, but obviously you can't restore anything not backed up before the infection.
c) If any file is written or overwritten, a disc may not use the exact same blocks, so you might have unencrypted blocks of files. They are marked as free and reusable, but I don't know of any software recreating files from such blocks. The only software I know is capable of recovering deleted files, not overwritten files. This works as the deleted file still has its entry in the table of contents of the file system and the blocks of the file can be found and put together to a new file. If there merely are unencrypted blocks of files it's hardly doable to put them together not knowing to which file they belonged. A virus author is clever enough hacking your system, it's unlikely he's too dumb to not reuse the same blocks and overwrite them.
d) A system restore only restores the system, it is only concerned with Windows, not with your data, mails, documents. Even a restore point would only rather restore some essential files of the system like the registry, which for example contains the list of installed software (officially installed) as it was. A restore point is no full snapshot of hdds with anything on them, that would take much more space and creating a restore point would also take much longer. That already can help straighten half installs, but not bring back files as they were at a certain point.
In the end, forget about getting back the files. Also use an extra backup software, you can't rely on what Windows has native in that regard. System restore is useful in case of defects you can at least get the system up again, restore points also are helpful, I could for example recently put back a PC to the state before installing Visual Studio as that installation did not complete and also couldn't be repaired, but all this restore point was restoring is mainly the registry and the knowledge of Windows about installed programs, that helped restarting the install, but it didn't bring back the hdd to where it was before.
The important thing is to have backups detached from your computer, in external backup media or external drives, so it's not reachable for a virus most of the time but at backups. For that matter you don't use a single and same drive for backups, as even backups can of course be encrypted or infected. It's also no protection to encrypt backups yourself, any file can be encrypted again with another password and then only put back to the initial encrypted state with that new password.
So the final and only solution to protect files is backups. Backups, backups, backups. And those then also need protection. Besides putting them offline to protect against viruses you better also store them in different locations to be protected against fire.
If you never thought about this it's time to start thinking about backups and a decent backup software.
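Point c) above can be checked on a raw image of a drive before giving up on it. The following is an added example, not part of the original thread: it labels each cluster of an image as a known file header, high-entropy data, or plaintext-like data, so you can see whether any unencrypted blocks survive. The 4096-byte cluster size, the 7.5 bits/byte threshold, the signature table and the sample image are assumptions made for the illustration, and the code does not reassemble files.

```python
import hashlib
import math
from collections import Counter

CLUSTER = 4096  # assumed cluster size (the NTFS default)

# Leading magic bytes of common document types (PST files start with "!BDN").
SIGNATURES = {
    b"!BDN": "pst",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\xd0\xcf\x11\xe0": "ole2 doc/xls",
    b"\xff\xd8\xff": "jpeg",
}

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 looks like random data."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def triage(image: bytes, cluster: int = CLUSTER, threshold: float = 7.5):
    """Label every non-zero cluster of a raw image as (offset, label)."""
    results = []
    for off in range(0, len(image), cluster):
        block = image[off:off + cluster]
        if not any(block):
            continue  # zero-filled cluster, nothing to recover
        kind = next((k for m, k in SIGNATURES.items() if block.startswith(m)), None)
        if kind:
            label = "header:" + kind
        elif entropy(block) >= threshold:
            label = "high-entropy"  # encrypted or compressed content
        else:
            label = "plaintext-like"
        results.append((off, label))
    return results

def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext in the constructed sample."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32))

# Constructed sample image: PST header, "ciphertext", empty cluster, text.
SAMPLE = (
    b"!BDN" + bytes(CLUSTER - 4)
    + _pseudo_random(CLUSTER)
    + bytes(CLUSTER)
    + (b"Meeting notes, budget draft. " * 200)[:CLUSTER]
)

if __name__ == "__main__":
    for off, label in triage(SAMPLE):
        print(f"{off:#08x} {label}")
```

Compressed formats (the body of a docx or jpeg) also score as high-entropy, so that label means "encrypted or compressed", and a plaintext-like cluster still has to be matched to its file by other means.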