Solved

ZEPTO Ransomware - Removal

Posted on 2017-04-11
Medium Priority
131 Views
Last Modified: 2017-04-19
I have a question about .zepto, which I think is a ransomware virus that changes a bunch of pictures on someone's computer to .ZEPTO and gives them an IE icon. I was a bit surprised because I run Deep Freeze on this person's system, locking the OS C: drive partition and having all data on the 2nd partition, which is the F: drive. I installed and ran Kaspersky, but it came up 100% clean. Any ideas?
0
8 Comments
 
LVL 18

Expert Comment

by:Ramin
ID: 42088587
Yes, it is a Crypto locker virus. It uses AES-256 asymmetric encryption, which is the most powerful encryption.
If your machine is infected, only a restore from backup can bring the data back.

You can remove the Zepto virus with Malwarebytes Anti-Malware Free, but you can't decrypt that data back.
https://www.malwarebytes.com/
0
 
LVL 29

Expert Comment

by:Thomas Zucker-Scharff
ID: 42088759
If you are running Deep Freeze and are using best practice (the local user is a standard user and you enforce POLP), you should be able to just reboot the machine to go back to the last image of the setup.
0
 

Author Comment

by:Erika Koelle
ID: 42088826
Thanks for letting me know I need to restore from backup. Deep Freeze managed to keep the C: drive partition from staying infected after a reboot, but the data files on the F: drive partition are not protected by Deep Freeze.
0
 
LVL 64

Expert Comment

by:btan
ID: 42089059
The ransomware only targets the users' documents, and they can be in any partition, including mapped drives. You can try ID Ransomware (https://id-ransomware.malwarehunterteam.com) to confirm the ransomware family, which may reveal a decryptor tool. Check your other mapped drives and scan through them for any encrypted files.

The best solution for dealing with encrypted data is to restore from backups. It is better to do a clean slate, like reverting to the original state, but we will want to make sure the ransomware is not on the drive or coming from the server; you can disconnect and revert back.

AV cannot necessarily detect it. Zepto contains very good obfuscation for the HTML help files that are created inside every folder with encrypted files. These help files explain how victims can pay the ransom and decrypt their files, and they are obfuscated to avoid AV detection or detection based on dynamic analysis systems and sandboxes.

In case you need a FAQ on ransomware, you can check the one below too.
https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware-Infected.html
0
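A small triage script for the check described above (walk a drive or mapped share, find files carrying the ransomware extension, and note which folders also contain an HTML note). This is an added example, not code from the thread or from any vendor; the extension and note suffixes come from the thread, and the sample tree and its file names are constructed here so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the thread: encrypted files end in .zepto and an HTML
# "help" file is dropped in every folder that holds encrypted files.
ENCRYPTED_EXT = ".zepto"
NOTE_SUFFIXES = (".html", ".htm")


def triage(root):
    """Walk `root` and return {folder: {"encrypted": n, "note": bool}} for
    every folder containing at least one encrypted file. The `note` flag
    records whether an HTML file sits beside the encrypted files, which is
    the second indicator worth confirming before restoring from backup."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        if not encrypted:
            continue
        note = any(f.lower().endswith(NOTE_SUFFIXES) for f in files)
        hits[dirpath] = {"encrypted": len(encrypted), "note": note}
    return hits


def build_sample_tree():
    """Constructed sample tree (not real victim data): one folder with two
    encrypted pictures and a note, one untouched folder. Returns the root."""
    root = Path(tempfile.mkdtemp(prefix="zepto_triage_"))
    pics = root / "Pictures"
    pics.mkdir()
    for name in ("holiday1.jpg.zepto", "holiday2.jpg.ZEPTO"):  # constructed names
        (pics / name).write_bytes(b"\x00" * 16)
    # Constructed note filename; real note names vary between variants.
    (pics / "ransom_note.html").write_text("<html>constructed note</html>")
    docs = root / "Documents"
    docs.mkdir()
    (docs / "report.docx").write_bytes(b"PK")  # untouched file, should not appear
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for folder, info in sorted(triage(sample_root).items()):
        print(f"{folder}: {info['encrypted']} encrypted file(s), "
              f"note present: {info['note']}")
```

Point `triage()` at each drive letter or mapped share (e.g. `triage("F:\\")`) and any folder it reports should be treated as compromised data to restore, not cleaned in place.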
 
LVL 29

Expert Comment

by:Thomas Zucker-Scharff
ID: 42089861
Erika,

Is the F: drive your designated unfrozen zone? What I do on our public computers with Deep Freeze on them is back up the unfrozen portion nightly (during a scheduled unfrozen time in which only the backup and Windows Update have permission to run).
0
 

Author Comment

by:Erika Koelle
ID: 42089869
Correct... the F: partition is the unfrozen zone on the user's PC. The user isn't that sophisticated, so in hindsight it probably would have been a good idea to set a Windows backup job to do a daily, weekly, monthly backup of the F: drive data.
0
 
LVL 64

Accepted Solution

by: btan (earned 2000 total points)
ID: 42090181
Just a piece of advice: the backup should be kept offline from the client machine once it has completed, otherwise the infected machine can still get those backups encrypted too. Otherwise, it's back to rebuilding the machine for a clean slate to start fresh and avoid recurrence, and consider installing anti-ransomware to augment AV. Options include Malwarebytes Anti-Ransomware or WinPatrol WinRansom. AppLocker, if available, is a good means to reduce the exposure, as only whitelisted applications can run.
0
 

Author Closing Comment

by:Erika Koelle
ID: 42099367
Wiping out the data files and restoring the pics, if available, from the camera.
0
