Solved

Zepto Ransomware - Decrypt/Restore files

Posted on 2016-09-02
5
261 Views
Last Modified: 2016-09-05
Hi, one of my home machines was attached by zepto ransomware.  
Device is a Lenovo laptop running Windows 10, 64-bit & MS Office 2013.

Several of my work files, especially Word documents and Excel spreadsheets and other such items were transformed/encrypted in XXXX.zepto files.

I would really like to
1) get some insight and working info/instruction in order to restore or decrypt or restore my files as soon as possible
2) get rid of the ransomware

I am aware that I can run ShadowExplorer or any other file restore program to try to get some of my files back and then run malware removal tools that work with this ransomware and try to restore to a previous restore point.  I am looking for anything additional to this or a solution that has worked for someone else.

Thank you!
0
Comment
Question by:xtermie
5 Comments
 
LVL 88

Accepted Solution

by:
rindi earned 400 total points
ID: 41781336
Ransomeware normally deletes any restore points or shadow copies, so trying to recover files that way won't work.

By far the best and quickest way of getting rid of viruses and malware is to install the OS again from scratch, or from a backup you made of the system before the virus was gotten. First, if there is one virus, it is likely that you also have others, and finding them, then removing them, takes a lot of work and time, and in the end you can never be 100% sure you cleaned off everything.

When you setup your new OS, make sure you create an account with standard rights, along with an account that has admin rights. Only use the standard account when using the PC. If anything requires Admin rights, UAC will ask you to enter the admin credentials. This will make it more likely that you get warned in time before you execute something that may be malicious. Also disable Macros in Office. Most ransomware gets executed via m$ Office macros. Make sure you have installed a good AV tool like Panda free AV, and that your system is always fully patched. Don't open email attachments from unknown people and from known trusted ones only when you are expecting an attachment from them. Be careful with websites. Only visit those you trust. Make regular backups, and make sure you do that to more than one location and remove the backup device from the PC after the backup has finished.

Your encrypted files can only be recovered from existing backups. If you don't have a backup they are lost.
2
 
LVL 14

Expert Comment

by:William Fulks
ID: 41781530
Unless you pay the ransom, as there should be an instruction file in the folder with the encrypted files, you cannot decrypt them. Hopefully you had backups of your data. If not, you can either pay the ransom or consider them lost.

At my work we've been hit twice by the same guy who was checking his personal email account and opening file attachments that he should not have. He has Symantec Endpoint on his PC and it caught the ransomware as it was running, meaning it did quite a bit of damage before the AV software recognized it and shut the process down.

The first line of defense here is education. Learn to recognize suspicious emails, especially with file attachments, and simply don't open them.
2
 
LVL 18

Expert Comment

by:web_tracker
ID: 41783860
Hopefully you back up your data else where then on the local harddrive, otherwise the data is gone, there is no way to recover the encrypted files, I do not recommend paying the ransom because sometimes you may get the key to encrypt the files and some times you will not.... Also paying the ransom just encourages the criminals to keep making their malware to infect more systems. In the future as mentioned do not open email attachments especially from some one whom you don't know or even from someone you do know but are not expecting an email with an attachment. Some time viruses can be sent to everyone in your address book, so the receiver thinks they are receiving an email from you and the click on the attachment and end up infecting their own computer. When you reinstall your operating system make sure you install software that will detect ransomware  before it has the ability to run and encrypt the files. Rindi above had excellent comments for this issue follow the rest of his advice.
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 100 total points
ID: 41784499
Most ransomware is typically programmed to automatically remove itself after the encrypting is done since they are no longer needed.  Only one thing that's a guaranteed fix - good backups

LINK1
LINK2
LINK3
0
 
LVL 18

Author Closing Comment

by:xtermie
ID: 41784610
thank you guys...i got some files back with Shadow explorer and then restored to a previous backup
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Windows 10 came with  a lot of built in applications, Some organisations leave them there, some will control them using GPO's. This Article is useful for those who do not want to have any applications in their image (example:me).
The Nano Server Image Builder helps you create a custom Nano Server image and bootable USB media with the aid of a graphical interface. Based on the inputs you provide, it generates images for deployment and creates reusable PowerShell scripts that …
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question