Decrypting the Zepto Virus

Hi,
My computer was lucky enough to attain the .Zepto virus. I was able to remove the virus but I was too late and it has already encrypted some of the files. How do I decrypt those files?
0
Asked by Member_2_7969421
3 Solutions
 
John Hurst (Business Consultant, Owner) commented:
You cannot. Forget it. It could take decades to brute force the encryption if at all.
0
 
Member_2_7969421 (Author) commented:
Okay how about one or two specific files?
0
 
John Hurst (Business Consultant, Owner) commented:
Same thing. It takes forever to decrypt these things. It is not practical.
0
 
Member_2_7969421 (Author) commented:
Well maybe you can explain the process to decrypt. Or another way to work around the issue. I've tried system restore but it didn't work...
0
 
John Hurst (Business Consultant, Owner) commented:
Encryption requires a brute force method to break the encryption keys. It is not practical.

System Restore will not restore encrypted files.

The data is encrypted using AES-128 algorithm, which itself is a very strong one, and can’t be broken without a decryption key.
0
 
Member_2_7969421 (Author) commented:
Fair enough. What about a data recovery of the original lost file? Is there a way to recover the lost file?
0
 
John Hurst (Business Consultant, Owner) commented:
The best I saw was $950 with no guarantee of recovery (although no payment if not recovered).

https://www.provendatarecovery.com/data-recovery-services/ransomware-data-recovery/?gclid=CPX9tMLLks4CFYWDaQodDuEHqA
0
 
Member_2_7969421 (Author) commented:
But no good program you're aware of?
0
 
John Hurst (Business Consultant, Owner) commented:
You are not understanding. It takes YEARS to decrypt these things. The virus makers are criminals attempting to extort money from you for the key with ZERO assurance they will give you the key. The encryption algorithm is very very strong to prevent breaking it.
0
 
Member_2_7969421 (Author) commented:
No, I understand what you're saying, but I'm asking if there is any way to recover the original file that was deleted.
0
 
Joe Winograd, EE MVE 2015&2016 (Developer) commented:
> recover the original file that was deleted

The original file was not deleted — it was encrypted. And as John has said numerous times, these very bad, but very smart, criminals use an encryption scheme that is, for all practical purposes, unbreakable with today's computers. If the bad guys did a poor encryption job, it's possible that the good guys will come up with a decryption scheme for it, but that's extremely unlikely, as the criminals, unfortunately, know what they're doing. If you do a web search for "zepto virus" you'll learn a lot about it — but I'd be very wary about clicking on any link that claims to have a decryption for it, unless it's from a reputable source. It's highly likely that the only way to recover the original files is from a backup that the virus did not encrypt — do you have such a backup? Regards, Joe
0
 
John Hurst (Business Consultant, Owner) commented:
> I'm asking if there is any way to recover the original file that was deleted

No. It was highly encrypted and not deleted. No practical way to get it back.
0
 
Dustin Saunders (Director of Operations) commented:
The short answer is, if the file isn't backed up somewhere then it's lost.

Even using a super computer to brute force encryption, it would take one billion billion years (that's 2 "billions").  Which is only slightly more than the age of the universe.
http://www.eetimes.com/document.asp?doc_id=1279619

In some cases, despite losing the file, some people are able to find copies or fairly recent copies in email attachments so you may want to check there.
2
 
Member_2_7969421 (Author) commented:
Okay, I appreciate everyone's comments. I didn't realize how terrible these viruses are. Dustin, you said there could be copies or fairly recent copies; what if they are things like a PST file for Outlook? Any suggestion where I could possibly find such a file?
0
 
John Hurst (Business Consultant, Owner) commented:
Anything encrypted is gone. You need a backup from a different computer.
0
 
Member_2_7969421 (Author) commented:
Understood. One of my other questions is: when a decryption is found, by whatever methodology is used (aka the good guys figure a way out), how long does a solution like that take to get distributed?
0
 
John Hurst (Business Consultant, Owner) commented:
There is no solution being distributed. This has NEVER happened. Why? Too many years to decrypt.

You are overdoing the questions.

The encrypted files are lost, there is no solution, you cannot get them back, you need to restore from backup.
0
 
Dustin Saunders (Director of Operations) commented:
Unfortunately, John is correct and the files are lost.  The only time that it was reversible was when the police had raided the original cryptolocker ring and recovered the keys, which were distributed through a tool.  But this is the only incident and it was far too late to help most people.

By the email comment, if you have a PST and it's encrypted then it's lost.  But if your mail is IMAP or Exchange and you have emailed the important file as an attachment, you may be able to go online and re-download that file from an online email.

It sucks to get hit with Crypto; I do hope you have backups.  If it's a consumer-level problem and not for a business you may not, but there are very affordable options that you may consider to protect yourself from future problems.
0
 
Member_2_7969421 (Author) commented:
I appreciate everyone's comments. Thank you for letting me know what I was worried about.
0
 
John Hurst (Business Consultant, Owner) commented:
You are very welcome. Sorry about the files, and I do understand your issues.
0
 
Olaf Doschke (Software Developer) commented:
Let me try to summarize and straighten some things:

a) Encryptions are strong, so strong you can't expect decryption by brute force attacks to guess the encryption password/key/key combination. The only hope is someone can deduce the keys used from the code of the virus. Most probably it'll not simply use a predefined password but create a random one. If the author of the virus wants to bribe you he has to know a key to decrypt, but that's certainly not found in the code.

The essence of this is: forget about decrypting the files.

b) Only a backup of files can bring them back. If you didn't do backups it's too late to start for this instance, but surely a good idea to start right away. A professional backup can also restore mails, and it can handle a PST growing large intelligently, but obviously you can't restore anything not backed up before the infection.

c) If any file is written or overwritten, a disc may not use the exact same blocks, so you might have unencrypted blocks of files. They are marked as free and reusable, but I don't know of any software recreating files from such blocks. The only software I know is capable of recovering deleted files, not overwritten files; this works as the deleted file still has its entry in the table of contents of the file system and the blocks of the file can be found and put together into a new file. If there merely are unencrypted blocks of files it's hardly doable to put them together without knowing which file they belonged to. A virus author is clever enough to hack your system; it's unlikely he's too dumb to not reuse the same blocks and overwrite them.

d) A system restore only restores the system; it is only concerned with Windows, not with your data, mails, documents. Even a restore point would only restore some essential files of the system like the registry, which for example contains the list of installed software (officially installed) as it was. A restore point is no full snapshot of HDDs with everything on them; that would take much more space, and creating a restore point would also take much longer. That already can help straighten out half installs, but not bring back files as they were at a certain point.

In the end, forget about getting back the files. Also use an extra backup software; you can't rely on what Windows has natively in that regard. System restore is useful in case of defects so you can at least get the system up again. Restore points also are helpful; I could for example recently put back a PC to the state before installing Visual Studio, as that installation did not complete and also couldn't be repaired. But all this restore point was restoring was mainly the registry and the knowledge of Windows about installed programs; that helped restarting the install, but it didn't bring back the HDD to where it was before.

The important thing is to have backups detached from your computer, on external backup media or external drives, so they're not reachable for a virus most of the time, only during backups. For that matter you don't use a single and same drive for backups, as even backups can of course be encrypted or infected. It's also no protection to encrypt backups yourself; any file can be encrypted again with another password and then only put back to the initial encrypted state with that new password.

So the final and only solution to protect files is backups. Backups, backups, backups. And those then also need protection. Besides putting them offline to protect against viruses, you'd better also store them in different locations to be protected against fire.

If you never thought about this it's time to start thinking about backups and a decent backup software.

Bye, Olaf.
0
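Olaf's points b) and the closing paragraphs come down to one practical check: before you rely on a backup set, confirm the copies in it were not themselves encrypted before they were copied. The script below is an added example, not code from this thread or from any of the commenters; it flags files in a backup set by the `.zepto` extension named in the question and, as a second signal, by the Shannon entropy of their content, since ransomware output is indistinguishable from random bytes. The sample backup set, the 7.0 bits-per-byte threshold and the minimum size of 256 bytes are constructed assumptions for the demonstration.

```python
import math
import random
from collections import Counter

# Assumptions for this example (not from the thread): the extension seen in
# the question, and an entropy cut-off above which content looks random.
ZEPTO_EXTENSION = ".zepto"
ENTROPY_THRESHOLD = 7.0   # bits per byte; 8.0 is the maximum
MIN_SIZE_FOR_ENTROPY = 256  # tiny files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-symbol data, up to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(name: str, data: bytes) -> str:
    """Return 'encrypted' if the name or content indicates ransomware output, else 'ok'."""
    if name.lower().endswith(ZEPTO_EXTENSION):
        return "encrypted"
    if len(data) >= MIN_SIZE_FOR_ENTROPY and shannon_entropy(data) > ENTROPY_THRESHOLD:
        return "encrypted"
    return "ok"


def audit_backup(files: dict) -> list:
    """Sorted names of files in a backup set that must not be trusted as clean copies."""
    return sorted(name for name, data in files.items() if classify(name, data) == "encrypted")


def build_sample_backup() -> dict:
    """Constructed in-memory backup set (filename -> content); no real files are touched."""
    rng = random.Random(1)  # seeded so the demonstration is repeatable
    random_blob = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
    return {
        "invoices/2016-07.txt": b"Invoice 2016-07 ... " * 50,     # ordinary low-entropy text
        "mail/archive.pst": b"!BDN" + b"\x00" * 1024,             # constructed PST-like header
        "mail/archive.pst.zepto": random_blob,                    # flagged by extension
        "photos/trip.jpg.zepto": random_blob[:2048],              # flagged by extension
        "docs/report.docx": b"PK\x03\x04" + b"word/document.xml" * 20,  # constructed, low entropy
    }


if __name__ == "__main__":
    sample = build_sample_backup()
    for name, data in sample.items():
        print(f"{classify(name, data):9s} entropy={shannon_entropy(data):.2f}  {name}")
    print("do not restore from:", audit_backup(sample))
```

The extension check is the reliable signal; the entropy check is a fallback for renamed or unfamiliar output and will also fire on legitimately compressed formats (real JPEG, ZIP-based Office documents, archives), so treat an entropy-only hit as "inspect this file", not as proof of encryption. Run it over a directory by reading each file's bytes into the dictionary the audit function takes.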
