Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 337
  • Last Modified:

Zepto Ransomware - Decrypt/Restore files

Hi, one of my home machines was attached by zepto ransomware.  
Device is a Lenovo laptop running Windows 10, 64-bit & MS Office 2013.

Several of my work files, especially Word documents and Excel spreadsheets and other such items were transformed/encrypted in XXXX.zepto files.

I would really like to
1) get some insight and working info/instruction in order to restore or decrypt or restore my files as soon as possible
2) get rid of the ransomware

I am aware that I can run ShadowExplorer or any other file restore program to try to get some of my files back and then run malware removal tools that work with this ransomware and try to restore to a previous restore point.  I am looking for anything additional to this or a solution that has worked for someone else.

Thank you!
0
xtermie
Asked:
xtermie
2 Solutions
 
rindiCommented:
Ransomeware normally deletes any restore points or shadow copies, so trying to recover files that way won't work.

By far the best and quickest way of getting rid of viruses and malware is to install the OS again from scratch, or from a backup you made of the system before the virus was gotten. First, if there is one virus, it is likely that you also have others, and finding them, then removing them, takes a lot of work and time, and in the end you can never be 100% sure you cleaned off everything.

When you setup your new OS, make sure you create an account with standard rights, along with an account that has admin rights. Only use the standard account when using the PC. If anything requires Admin rights, UAC will ask you to enter the admin credentials. This will make it more likely that you get warned in time before you execute something that may be malicious. Also disable Macros in Office. Most ransomware gets executed via m$ Office macros. Make sure you have installed a good AV tool like Panda free AV, and that your system is always fully patched. Don't open email attachments from unknown people and from known trusted ones only when you are expecting an attachment from them. Be careful with websites. Only visit those you trust. Make regular backups, and make sure you do that to more than one location and remove the backup device from the PC after the backup has finished.

Your encrypted files can only be recovered from existing backups. If you don't have a backup they are lost.
2
 
William FulksSystems Analyst & WebmasterCommented:
Unless you pay the ransom, as there should be an instruction file in the folder with the encrypted files, you cannot decrypt them. Hopefully you had backups of your data. If not, you can either pay the ransom or consider them lost.

At my work we've been hit twice by the same guy who was checking his personal email account and opening file attachments that he should not have. He has Symantec Endpoint on his PC and it caught the ransomware as it was running, meaning it did quite a bit of damage before the AV software recognized it and shut the process down.

The first line of defense here is education. Learn to recognize suspicious emails, especially with file attachments, and simply don't open them.
2
 
web_trackerCommented:
Hopefully you back up your data else where then on the local harddrive, otherwise the data is gone, there is no way to recover the encrypted files, I do not recommend paying the ransom because sometimes you may get the key to encrypt the files and some times you will not.... Also paying the ransom just encourages the criminals to keep making their malware to infect more systems. In the future as mentioned do not open email attachments especially from some one whom you don't know or even from someone you do know but are not expecting an email with an attachment. Some time viruses can be sent to everyone in your address book, so the receiver thinks they are receiving an email from you and the click on the attachment and end up infecting their own computer. When you reinstall your operating system make sure you install software that will detect ransomware  before it has the ability to run and encrypt the files. Rindi above had excellent comments for this issue follow the rest of his advice.
0
 
madunixChief Information Security Officer Commented:
Most ransomware is typically programmed to automatically remove itself after the encrypting is done since they are no longer needed.  Only one thing that's a guaranteed fix - good backups

LINK1
LINK2
LINK3
0
 
xtermieAuthor Commented:
thank you guys...i got some files back with Shadow explorer and then restored to a previous backup
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now