Solved

Anyone paid a Zepto/Locky ransom?

Posted on 2016-08-05
10
397 Views
Last Modified: 2016-09-18
New customer's network shares are all encrypted with the Zepto ransomware after someone opened an email attachment as per normal delivery method.  Their last IT company didn't set up email alerts for failed backups and its failed for the last month. No shadow copies etc, so they want to pay the ransom. I've told them not to open the html page yet so don't know how much it will be. I know all about prevention and backups etc but in this case they will lose a lot of data. I've also advised strongly that there's no guarantee that paying will work.
Has anyone actually paid the ransom and successfully unencrypted files?
0
Comment
Question by:Ace-IT
  • 4
  • 3
  • 2
  • +1
10 Comments
 
LVL 62

Expert Comment

by:btan
ID: 41743989
I have heard other experience that paying but failed to provide the key as promised. That is for other Ransomware and in healthcare industry.

In some cases, it may be possible to recover previous versions of the encrypted files using System Restore or other recovery software used to obtain “shadow copies” of files.
http://www.bleepingcomputer.com/virus-removal/locky-ransomware-information-help#ransom

The general advice is not to pay the ransom. By sending your money to cybercriminals you’ll only confirm that ransomware works, and there’s no guarantee you’ll get the decryption key you need in return.
0
 
LVL 1

Author Comment

by:Ace-IT
ID: 41744088
Sorry but I'm not sure if you're saying that you've "had" or "heard about" an experience where you/they paid for another ransomware product and didn't get the key?

I'm hoping to hear from someone with first hand experience of paying.  I definitely do not want to encourage paying but in this case they will lose a month of data and I have to provide them with all their options.
0
 
LVL 62

Accepted Solution

by:
btan earned 250 total points
ID: 41744179
Pardon me - I encountered but did not go for payment as it is not guarantee and some of my peers did not even manage to run the tools even when receiving it  
http://www.bleepingcomputer.com/news/security/ultracrypter-not-providing-decryption-keys-after-payment-launches-help-desk/
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 92

Assisted Solution

by:John Hurst
John Hurst earned 250 total points
ID: 41744202
I have not been affected so never paid anything.

In here (EE) roughly 1/2 get their files back and 1/2 do not get their files back after paying.

I saw one post in here where a company paid $17,000 and got their files back. That is more expensive than providing a good backup facility.
0
 
LVL 62

Expert Comment

by:btan
ID: 41744230
Just to share one instance after paying and not all files gotten decrypted
We got the decrypting software and ran it from the infected PC. It decrypted many files ... but not all
 We re-ran the software many times but it does not seem to matter: still many files stay encrypted
https://www.experts-exchange.com/questions/28950956/Cryptolocker-paid-the-ransom-got-the-software-does-not-decrypt-ALL-the-files.html
0
 
LVL 1

Author Closing Comment

by:Ace-IT
ID: 41745404
Thanks guys. I'll be able to tell them now that it's a hit and miss option and more likely not recommended.
0
 
LVL 92

Expert Comment

by:John Hurst
ID: 41745410
Thanks for the update and I was happy to help.
0
 
LVL 62

Expert Comment

by:btan
ID: 41745416
Thanks for sharing.
0
 

Expert Comment

by:sucurity dude
ID: 41804223
Hi,
Wondering if there's an update on this? did they pay? did they get the files back?
Thanks!!
0
 
LVL 1

Author Comment

by:Ace-IT
ID: 41804250
They didn't pay the ransom and we restored from the last successful backup of over a month ago.
They're lucky to get anything as the last place set up ShadowProtect with 15 min incrementals and didn't install Image Manager!  Over 3k of backup images in a corrupted chain that we somehow managed to repair and mount.  Some places shouldn't be allowed in this industry.
0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Employees depend heavily on their PCs, and new threats like ransomware make it even more critical to protect their important data.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now