
Solved

Zapto ransomware virus

Posted on 2016-08-11
Last Modified: 2016-08-31
Hi, my PC and server got infected by the Zapto ransomware virus.
Please advise how I can clean it.
Question by:sanjeevkmrs
12 Comments
 
LVL 5

Assisted Solution

by:Laroy Shtotland
Laroy Shtotland earned 400 total points (awarded by participants)
ID: 41752072
Try the RannohDecryptor tool from https://noransom.kaspersky.com/
 
LVL 98

Assisted Solution

by:John Hurst
John Hurst earned 400 total points (awarded by participants)
ID: 41752086
Clean up your computer with your own antivirus and also with Malwarebytes.

The documents are gone and you must restore from backup.
 

Author Comment

by:sanjeevkmrs
ID: 41752121
Currently I have shut down all PCs, and my network is also off.
I am afraid that if I switch my server or network on again, it may start encrypting files again.
Please advise what I should do.
I hope this encryption does not affect the Exchange or SQL database?
 
LVL 4

Assisted Solution

by:Alexandre Michel
Alexandre Michel earned 400 total points (awarded by participants)
ID: 41752123
Sanjee,

I am sorry to hear you got infected with this cr@pware.
Unfortunately, there are only 2 solutions:
1. As John stated, restore from backup.
2. Pay the ransom money and (most probably) get (most of) your data back.
3. Possibly (but unlikely), if the hacker made a programming error, find a tool online to restore your data anyway. Have a look at this site: https://id-ransomware.malwarehunterteam.com/

As you probably know, paying a ransom encourages these !@#$% hackers to do it to other people, so it should never be done. However, when this is your only solution ... you might not have any other options.

Now, when you have recovered your data, remember to use the 3-2-1 backup rule:

Have at least three copies of your data.
Store the copies on two different media.
Keep one backup copy offsite.
 
LVL 32

Assisted Solution

by:Scott C
Scott C earned 400 total points (awarded by participants)
ID: 41752129
You can boot the computers from a CD/DVD and then clean the drives.

Ultimate Boot CD is a good place to start.

http://www.ultimatebootcd.com/download.html

When you boot from this and do your cleaning, the ransomware won't have an opportunity to run.

What kind of backups do you have? You could always do a bare-metal restore of a backup taken before you were infected.
 

Author Comment

by:sanjeevkmrs
ID: 41752138
Although not too many files got affected, as I have already turned my whole network and PCs off,
I am afraid that if I turn my PCs or servers on again, this encryption will start again.
What should I do to stop this encryption from happening again?
Please advise.
 
LVL 98

Expert Comment

by:John Hurst
ID: 41752162
"What should I do to stop this encryption happening again"

This is primarily (80 - 90%) user education.

1. Do not open emails from strange sources - delete them immediately.
2. Do not go to dodgy websites (gambling, porn, hacking, etc.).
 
LVL 65

Accepted Solution

by:btan
btan earned 400 total points (awarded by participants)
ID: 41752171
Good that the infected systems are isolated from the network. I believe you are referring to a variant of the Locky ransomware that encrypts files and appends the ".zepto" extension to them. Unfortunately, it is not currently possible to decrypt Locky-encrypted files for free.

http://www.bleepingcomputer.com/news/security/new-locky-version-adds-the-zepto-extension-to-encrypted-files/

I suggest cleaning up the infected machines by rebuilding the machine image. I am erring on the safe side here: AV has signatures to remove this ransomware, but the real threat is the carrier of the ransomware, which can be an exploit kit or other malware delivered from a compromised website, an infected USB drive, a phishing email and its attachment, etc.

Data recovery really comes from the backup, and I strongly recommend not paying the ransom, as there is no guarantee that the attacker will follow through and give you back a working decryption tool or the correct key, for that matter.

There are guidelines to deter such a recurrence:
- removal of admin rights (go user-based where possible)
- application whitelisting, such as AppLocker or CryptoPrevent
- run, on top of anti-malware, other anti-ransomware-aware software such as Malwarebytes Anti-Ransomware, Emsisoft Anti-Malware or WinAntiRansom
- disable autorun and block USB or unnecessary services (FTP, cloud services) and interfaces (USB, Wi-Fi, etc.)

Go for only what is needed on the machine: least-privilege access.

More details - see http://www.bleepingcomputer.com/virus-removal/locky-ransomware-information-help#prevent

Check out the "NoMoreRansom" project on prevention and its "Crypto Sheriff" as well:
https://www.nomoreransom.org/crypto-sheriff.php
https://www.nomoreransom.org/prevention-advice.html
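The hardening list above, as an added example that is not part of the thread or of any expert's post: a PowerShell script for the SBS 2011 server (Windows Server 2008 R2 base, so it stays with PowerShell 2.0 cmdlets) that removes placeholder accounts from the local Administrators group, disables AutoRun for all drive types, disables the USB mass-storage driver, and loads an AppLocker executable rule set in audit mode. The account list, the policy file name and the rule names are assumptions; the registry values, AppLocker path variables and well-known SIDs are the documented ones.

```powershell
# Added example (not from the thread): hardening steps for the SBS 2011 server.
# Assumptions: run from an elevated PowerShell prompt on the server itself;
# $usersToDemote is a placeholder list you fill in; review each step first.

$ErrorActionPreference = 'Stop'

# 1. Least privilege: take day-to-day accounts out of local Administrators.
#    net.exe is used because Remove-LocalGroupMember does not exist in PS 2.0.
$usersToDemote = @()   # placeholder, e.g. @('DOMAIN\alice', 'DOMAIN\bob')
foreach ($u in $usersToDemote) {
    & net.exe localgroup Administrators $u /delete
}

# 2. Disable AutoRun/AutoPlay for every drive type (NoDriveTypeAutoRun = 0xFF).
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# 3. Block USB mass-storage devices by disabling the USBSTOR driver
#    (Start = 4 is SERVICE_DISABLED; set it back to 3 to re-enable).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name 'Start' -Value 4 -Type DWord

# 4. Application whitelisting with AppLocker. AppLocker needs the Application
#    Identity service running. The policy starts in AuditOnly: review the
#    AppLocker event log for a week, add rules for anything legitimate that
#    would have been blocked, then change EnforcementMode to "Enabled".
Import-Module AppLocker
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

function New-RuleId { [guid]::NewGuid().ToString() }

# Rules: allow Program Files and Windows for Everyone (S-1-1-0), allow
# everything for local Administrators (S-1-5-32-544), and deny executables
# under each user's AppData tree, where mail-attachment droppers land.
# AppLocker evaluates deny before allow, so the AppData deny also applies
# to administrators; per-user installers that live there need explicit
# exceptions, which is why audit mode comes first.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$(New-RuleId)" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-RuleId)" Name="Deny AppData (dropper landing zone)" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@

# Placeholder file name; -Merge keeps any rules that already exist on the box.
$policyFile = Join-Path $env:TEMP 'applocker-audit.xml'
$policyXml | Out-File -FilePath $policyFile -Encoding ASCII
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

The AppData deny rule is the one that would have stopped a typical Locky dropper run from a mail attachment, but it is also the one most likely to break legitimate per-user software, so leave it in audit mode until the event log has been reviewed.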
 
LVL 18

Expert Comment

by:web_tracker
ID: 41753298
As previously stated, do not boot the computers into the native Windows, but boot them up with a CD such as the Ultimate Boot Disc. Download the latest version from http://mirror.sysadminguide.net/ubcd/ubcd535.iso, create a bootable USB stick or a CD, and boot the computers with this media. Then run the malware clean-up tools from the Ultimate Boot Disc to clean up the system. Once the app is removed, it can't continue to encrypt the drives when you boot them up again.
 

Author Comment

by:sanjeevkmrs
ID: 41753779
How should I do a registry clean on my server (SBS 2011 Standard), to make sure it will not affect any more files and is safe?
Please advise.
 
LVL 65

Expert Comment

by:btan
ID: 41753856
If it pertains to the Locky variant, as tested with the ID Ransomware or Crypto Sheriff sites shared above, you will likely see the registry entries below:

HKCU\Software\[random]
HKCU\Software\Locky
HKCU\Software\Locky\id
HKCU\Software\Locky\pubkey
HKCU\Software\Locky\paytext
HKCU\Software\Locky\completed

http://www.bleepingcomputer.com/virus-removal/locky-ransomware-information-help
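As an added example (not from the thread or from any expert's post), turning the registry markers above into a check: a PowerShell 2.0-compatible script for the SBS 2011 server that looks for Software\Locky and its id/pubkey/paytext/completed values in every user profile, whether the user is logged on or not, and counts files carrying the .zepto extension on the paths you give it. It is triage to scope the damage (which profiles ran the malware, which shares were touched) before the rebuild-and-restore the accepted answer recommends, not a cleanup; $SharePaths and the temporary hive name ZeptoTriage are assumptions.

```powershell
# Added example (not from the thread): scope a Locky/Zepto infection on the
# SBS 2011 server. Assumptions: run elevated; $SharePaths is a placeholder.
# Read-only apart from temporarily loading NTUSER.DAT hives of logged-off
# users under HKU\ZeptoTriage and unloading them again.

$LockyValues = @('id', 'pubkey', 'paytext', 'completed')

# Returns an object describing the Locky key in one user hive, or $null.
function Test-LockyHive {
    param([string]$HiveRoot)   # e.g. 'Registry::HKEY_USERS\S-1-5-21-...'
    $lockyKey = "$HiveRoot\Software\Locky"
    if (-not (Test-Path $lockyKey)) { return $null }
    $props = Get-ItemProperty -Path $lockyKey
    $found = @{}
    foreach ($v in $LockyValues) {
        if ($props.PSObject.Properties[$v]) { $found[$v] = $props.$v }
    }
    New-Object PSObject -Property @{ Hive = $HiveRoot; Values = $found }
}

function Find-LockyRegistryMarkers {
    $results = @()
    # Hives of logged-on users are already mounted under HKEY_USERS.
    $mounted = Get-ChildItem 'Registry::HKEY_USERS' | Where-Object { $_.PSChildName -notmatch '_Classes$' }
    foreach ($sid in $mounted) {
        $r = Test-LockyHive -HiveRoot $sid.PSPath
        if ($r) { $results += $r }
    }
    # Logged-off users: load each profile's NTUSER.DAT under a temporary name.
    $profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($p in (Get-ChildItem $profileList)) {
        $path = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $p.PSPath).ProfileImagePath)
        $ntuser = Join-Path $path 'NTUSER.DAT'
        if (-not (Test-Path $ntuser)) { continue }
        $null = & reg.exe load 'HKU\ZeptoTriage' $ntuser 2>&1
        if ($LASTEXITCODE -ne 0) { continue }   # hive in use: user is logged on, covered above
        try {
            $r = Test-LockyHive -HiveRoot 'Registry::HKEY_USERS\ZeptoTriage'
            if ($r) { $r.Hive = $path; $results += $r }
        } finally {
            [gc]::Collect()   # drop provider handles so the unload succeeds
            & reg.exe unload 'HKU\ZeptoTriage' | Out-Null
        }
    }
    $results
}

# Files renamed with the .zepto extension under the given roots.
function Find-ZeptoFiles {
    param([string[]]$Paths)
    $hits = @()
    foreach ($root in $Paths) {
        if (-not (Test-Path $root)) { continue }
        $hits += Get-ChildItem -Path $root -Recurse -Filter '*.zepto' -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer }
    }
    $hits
}

$SharePaths = @('C:\Users', 'D:\Shares')   # placeholder: the server's real data shares
$markers   = Find-LockyRegistryMarkers
$encrypted = Find-ZeptoFiles -Paths $SharePaths

"Profiles with Locky registry markers: $(@($markers).Count)"
foreach ($m in @($markers)) { "  $($m.Hive): $(@($m.Values.Keys | Sort-Object) -join ', ')" }
"Files with .zepto extension: $(@($encrypted).Count)"
$encrypted | Sort-Object LastWriteTime | Select-Object -First 20 FullName, LastWriteTime
```

The earliest LastWriteTime among the .zepto hits gives the time the encryption started, which is the cut-off for choosing a backup to restore from; a profile that carries the "completed" value is one where the malware ran to the end, and that user's machine is the first candidate for the rebuild.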