Revisit ransomware prevention & mitigation : Sharepoint, continuous backup, etc

Zepto is from the Locky ransomware family.

a) Ransomware can still access and carry out its task with unmapped network shares. It also target user My document folder and browser default folder where you saved the download. Ransomware tends to scavenge the whole HDD to execute it task to encrypt the targeted files. It doesnt really help once the ransomware is able to run in the infected machine.

b) Av should detect but it is not foolproof esp if the AV signature list is not updated or get a close hit to the new variant Ransomware and its evolved behaviour. But the point is Ransomware is the after effect of an exploited vulnerability or a successful run of some embedded script or email attachment that is initiated by the social engineered victim

We observed through dynamic analysis that it uses the same technique of Locky ransomware to decode the main payload, spawning the process through wScript with the argument ‘321’, otherwise, the decryption routine will produce junk code and the execution flow will jump into that junk code and crash the process.

The encrypted files have the “.zepto” extensions and it targets the same extensions files of Locky taking care of the system files, it uses a lot of code of Locky ransomware to implement its malicious behaviors.
One of the smartest features of the ransomware is the fact they do not encrypt all the files needed for the correct functioning of the OS, otherwise, how can the victims pay?

c) IOC finder from Mandiant may help but only for that snapshot of the Locky found infesting the public and published into AV signature. Otherwise, the minimal check to do is still to scan for the ransom note files (e.g. (_HELP_instructions.jpg) and one html page (_HELP_instructions.html) ), the file extension of .zepto both at file system and registry. See also RansomNoteCleaner for a clean up

When RansomNoteCleaner is first launched, it will contact the ID Ransomware web site and retrieve the latest information on known ransom notes. Other than this intitial update of its definitions, RansomNoteCleaner will not perform any other network connections and no information about your system is uploaded to their servers. If you have a network issue with reaching the website, you can use the Refresh Network button to try again.
 
To select the ransomware whose ransom notes you wish to scan for, you can click on the Select Ransomware(s) button and select the specific ransomware. This is recommended if you have already identified the ransomware, as otherwise it will take much less time to search for the notes.

Once the ransomware variant(s) have been confirmed, you can click on the Search for Ransom Notes button to select a directory (or whole drive), and start the search for known ransom notes.  If you wish to clean an entire drive, you should select a specific drive letter.

http://www.bleepingcomputer.com/download/ransomnotecleaner/

d)If the machine is infected, the restoration need to be in separate machine and not restore back to the same infected machine. Check out Acronis Universal Restore that is included free with all, Acronis Backup & Acronis Backup Advanced products. I see it more of recovery of the whole system instead of just files for instant recovery for the victim

Universal Restore is extremely useful in the following scenarios:
1. Instant recovery of a failed system on different hardware.
2. Hardware-independent cloning and deployment of operating systems.
3. Physical-to-physical, physical-to-virtual and virtual-to-physical machine migration.

(pdf) http://www.acronis.com/en-sg/download/docs/aur/userguide/

Or you can explore Acronis  Monitoring Service which is a SaaS-based monitoring tool for cloud and on-premises infrastructures. It combines true ease-of-deployment and a robust feature set for server, network and web services monitoring, alerting, and data presentation.  http://www.acronis.com/en-us/business/monitoring-service/