Solved

Zepto Ransomware - Decrypt/Restore files

Posted on 2016-09-02
5
225 Views
Last Modified: 2016-09-05
Hi, one of my home machines was attached by zepto ransomware.  
Device is a Lenovo laptop running Windows 10, 64-bit & MS Office 2013.

Several of my work files, especially Word documents and Excel spreadsheets and other such items were transformed/encrypted in XXXX.zepto files.

I would really like to
1) get some insight and working info/instruction in order to restore or decrypt or restore my files as soon as possible
2) get rid of the ransomware

I am aware that I can run ShadowExplorer or any other file restore program to try to get some of my files back and then run malware removal tools that work with this ransomware and try to restore to a previous restore point.  I am looking for anything additional to this or a solution that has worked for someone else.

Thank you!
0
Comment
Question by:xtermie
5 Comments
 
LVL 87

Accepted Solution

by:
rindi earned 400 total points
Comment Utility
Ransomeware normally deletes any restore points or shadow copies, so trying to recover files that way won't work.

By far the best and quickest way of getting rid of viruses and malware is to install the OS again from scratch, or from a backup you made of the system before the virus was gotten. First, if there is one virus, it is likely that you also have others, and finding them, then removing them, takes a lot of work and time, and in the end you can never be 100% sure you cleaned off everything.

When you setup your new OS, make sure you create an account with standard rights, along with an account that has admin rights. Only use the standard account when using the PC. If anything requires Admin rights, UAC will ask you to enter the admin credentials. This will make it more likely that you get warned in time before you execute something that may be malicious. Also disable Macros in Office. Most ransomware gets executed via m$ Office macros. Make sure you have installed a good AV tool like Panda free AV, and that your system is always fully patched. Don't open email attachments from unknown people and from known trusted ones only when you are expecting an attachment from them. Be careful with websites. Only visit those you trust. Make regular backups, and make sure you do that to more than one location and remove the backup device from the PC after the backup has finished.

Your encrypted files can only be recovered from existing backups. If you don't have a backup they are lost.
2
 
LVL 13

Expert Comment

by:William Fulks
Comment Utility
Unless you pay the ransom, as there should be an instruction file in the folder with the encrypted files, you cannot decrypt them. Hopefully you had backups of your data. If not, you can either pay the ransom or consider them lost.

At my work we've been hit twice by the same guy who was checking his personal email account and opening file attachments that he should not have. He has Symantec Endpoint on his PC and it caught the ransomware as it was running, meaning it did quite a bit of damage before the AV software recognized it and shut the process down.

The first line of defense here is education. Learn to recognize suspicious emails, especially with file attachments, and simply don't open them.
2
 
LVL 18

Expert Comment

by:web_tracker
Comment Utility
Hopefully you back up your data else where then on the local harddrive, otherwise the data is gone, there is no way to recover the encrypted files, I do not recommend paying the ransom because sometimes you may get the key to encrypt the files and some times you will not.... Also paying the ransom just encourages the criminals to keep making their malware to infect more systems. In the future as mentioned do not open email attachments especially from some one whom you don't know or even from someone you do know but are not expecting an email with an attachment. Some time viruses can be sent to everyone in your address book, so the receiver thinks they are receiving an email from you and the click on the attachment and end up infecting their own computer. When you reinstall your operating system make sure you install software that will detect ransomware  before it has the ability to run and encrypt the files. Rindi above had excellent comments for this issue follow the rest of his advice.
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 100 total points
Comment Utility
Most ransomware is typically programmed to automatically remove itself after the encrypting is done since they are no longer needed.  Only one thing that's a guaranteed fix - good backups

LINK1
LINK2
LINK3
0
 
LVL 17

Author Closing Comment

by:xtermie
Comment Utility
thank you guys...i got some files back with Shadow explorer and then restored to a previous backup
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

A Bare Metal Image backup allows for the restore of an entire system to a similar or dissimilar hardware. They are highly useful for migrations and disaster recovery. Bare Metal Image backups support Full and Incremental backups. Differential backup…
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now