Erika Koelle
asked on
ZEPTO Ransomware - Removal
I have a question about .zepto, which I think is a ransomware virus that changes a bunch of pictures on someone's computer to .ZEPTO and gives them an IE icon. I was a bit surprised because I run Deep Freeze on this person's system, locking the OS C: drive partition and having all data on the 2nd partition, which is the F: drive. I installed and ran Kaspersky but it came up 100% clean. Any ideas?
If you are running deepfreeze, and are using best practice (local user is a standard user and you enforce POLP), you should be able to just reboot the machine to go to last image of setup.
ASKER
Thanks for letting me know I need to restore from backup. Deep Freeze managed to keep the C: drive partition from staying infected with a reboot, but the data files on the F: drive partition are not protected by Deep Freeze.
The ransomware only targets the users' documents, and they can be in any partition, including mapped drives. You can try ID Ransomware https://id-ransomware.malwarehunterteam.com to confirm the ransomware family, which may reveal a decryptor tool. Check your other mapped drives and scan through them for any encrypted files.
The best solution for dealing with encrypted data is to restore from backups. Better to do a clean slate, like reverting to the original state, but we will want to make sure the ransomware is not on the drive or coming from a server; you can disconnect and revert back.
AV cannot necessarily detect it. Zepto contains very good obfuscation for the HTML help files that are created inside every folder with encrypted files. These help files explain how victims can pay the ransom and decrypt their files, and they are obfuscated to avoid AV detection or detection by dynamic analysis systems and sandboxes.
In case you need an FAQ on ransomware, you can check the one below too.
https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware-Infected.html
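The answer above says to scan the other mapped drives for encrypted files and notes that the ransom note is an HTML file dropped into every folder that holds encrypted data. The following script is an added example, not code from the thread or from any of the products mentioned: it walks a folder tree, tallies files carrying the renamed extension (`.zepto` here, compared case-insensitively) per folder, and lists the HTML files sitting next to them as candidate ransom notes. The same inventory is useful before restoring, to confirm a backup set or a server share is free of encrypted files. The sample tree it builds is constructed for the demo; the note file name in it is a placeholder, not the real Zepto note name.

```python
"""Inventory files renamed by a ransomware (e.g. the .zepto extension) under a folder tree.

Added example for the thread above; the sample data below is constructed, not real victim data.
"""
import os
import tempfile
from collections import defaultdict

ENCRYPTED_EXT = ".zepto"  # extension observed in the thread; matched case-insensitively


def scan_tree(root, ext=ENCRYPTED_EXT):
    """Walk `root` and return an inventory of encrypted files.

    Returns a dict with:
      total_encrypted  - number of files whose name ends in `ext`
      affected_folders - {relative folder (forward slashes): count of encrypted files}
      candidate_notes  - {relative folder: [html/htm file names]} for affected folders only;
                         the thread says the ransom note is an HTML file dropped in each
                         folder that holds encrypted files, so these are the likely notes
      clean            - True when nothing matched
    """
    ext = ext.lower()
    affected = defaultdict(int)
    notes = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(ext)]
        if not encrypted:
            continue
        # Normalise to forward slashes so the report reads the same on Windows and POSIX.
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        affected[rel] = len(encrypted)
        notes[rel] = sorted(f for f in files if f.lower().endswith((".html", ".htm")))
    total = sum(affected.values())
    return {
        "total_encrypted": total,
        "affected_folders": dict(affected),
        "candidate_notes": dict(notes),
        "clean": total == 0,
    }


def build_sample_tree():
    """Create a constructed sample tree in a temp dir and return its path.

    Mix of untouched files, renamed (.zepto / .ZEPTO) files and a placeholder note file.
    """
    root = tempfile.mkdtemp(prefix="zepto_demo_")
    sample = {
        "Pictures/holiday/IMG_0001.jpg": b"untouched picture",
        "Pictures/holiday/A1B2C3D4.zepto": b"encrypted blob (constructed)",
        "Pictures/holiday/E5F6A7B8.ZEPTO": b"encrypted blob (constructed)",
        "Pictures/holiday/ransom_note_placeholder.html": b"<html>placeholder note</html>",
        "Documents/report.docx": b"untouched document",
        "Documents/old/0A1B2C3D.zepto": b"encrypted blob (constructed)",
        "Documents/old/ransom_note_placeholder.html": b"<html>placeholder note</html>",
    }
    for rel, data in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def format_report(inventory):
    """Render the inventory as plain text lines for a quick read or a ticket."""
    lines = [f"encrypted files: {inventory['total_encrypted']}"]
    for folder, count in sorted(inventory["affected_folders"].items()):
        notes = ", ".join(inventory["candidate_notes"].get(folder, [])) or "none"
        lines.append(f"  {folder}: {count} encrypted, candidate note(s): {notes}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Point scan_tree() at a real mapped drive (e.g. r"F:\\") instead of the sample tree.
    print(format_report(scan_tree(build_sample_tree())))
```

Run it against each mapped drive and the backup location before reverting or restoring; a non-empty `affected_folders` on the backup side means that backup set was taken after the encryption and should not be used as-is.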
Erika,
Is the F drive your designated unfrozen zone? What I do on our public computers with deepfreeze on them is backup the unfrozen portion nightly (during a scheduled unfrozen time in which only the backup and windows update have permission to run).
ASKER
Correct... the F: partition is the unfrozen zone on a user's PC. The user isn't that sophisticated, so in hindsight it probably would have been a good idea to set a Windows backup job to do a daily, weekly, monthly backup of the F: drive data.
ASKER
Wiping out data files and restoring Pics if available from camera.
If your machine is infected, only a restore from backup can bring the data back.
You can remove the Zepto virus with Malwarebytes Anti-Malware Free, but you can't decrypt that data.
https://www.malwarebytes.com/