Zepto ransomware virus: how to restore ciphered .zepto files

Unsanctioned data encryption by the Zepto virus is impossible to get around by cracking the cryptography proper, but there are other vectors of recovery.

What is Zepto?

When the file-encrypting ransomware called Zepto first appeared in late June 2016, it didn’t take security analysts long to discover obvious similarities with another sample known as Locky. The distribution over macros in Docm files delivered with spam, the text of ransom notes, the crypto implementation and the payment page – all of these attributes basically coincide in both campaigns. At that point, it seemed that Zepto would replace Locky on the ransomware arena altogether. But it turned out that the two are operating concurrently, although the same origin is undoubted. The new version, which is the subject matter of this post, leverages AES and RSA ciphers to encode one’s valuable data. It renames the jumbled files according to a peculiar format. The filenames are replaced with 5 blocks of hexadecimal characters appended with the .zepto extension. The image below demonstrates what these objects will look like after the attack.

Tons of .zepto entries instead of one’s personal files
Tons of .zepto entries instead of one’s personal files

Zepto provides a methodology for decryption, encompassing the instructions in documents named [random_number]_HELP_instructions.html, [random_number]_HELP_instructions.bmp, and [random_number]_HELP_instructions.txt. The HTML and TXT editions are injected into folders with encoded data, and the BMP one is displayed as the desktop wallpaper. These notes read, “!!! IMPORTANT INFORMATION !!!! All of your files are encrypted with RSA-2048 and AES-128 ciphers … Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.” To obtain the private key, the victim is urged to visit a specially crafted Tor site titled the “Locky Decryptor Page”.

_HELP_instructions.html telling the victim what to do
_HELP_instructions.html telling the victim what to do

When on the above-mentioned Locky Decryptor page, the infected user must enter their personal identification ID from any of the 3 ransom directions, and submit a sum amounting to 0.5 Bitcoin, which is a little over $327 at the time of writing. This payment is supposedly the only prerequisite of successful file restoration through the use of the automatic decrypt solution that will become available when the extortionists receive the money. However, users have reported no changes even after the payment, which is some food for thought regarding the decision-making in case of a Zepto incident.

This ransom Trojan tries to disable the Volume Snapshot Service (VSS) on infested systems so that victims cannot use shadow copies of their files and reinstate previous versions thereof. Sometimes this process may fail to complete, in which case one of the recovery avenues below can work. Another workaround involves forensic software that recovers insecurely deleted data. This method may be effective, because some ransomware programs erase the original versions of data objects. Be advised these techniques may not be applicable in your case, but they are certainly worth a shot. Ransom is the last thing to consider when these sorts of viruses are encountered.

Zepto removal

By removing this ransomware, you can ascertain it will not do any further damage. The linked-to automated cleanup tool is capable of detecting malicious executables of all known crypto viruses and obliterating the entirety of their harmful components. One thing to keep in mind, though, is that the data left behind will stay inaccessible until the appropriate recovery measures are adopted.

1. Download and install Zepto virus remover. Run the suite and click Start Computer Scan.
Download .zepto files virus remover
2. As soon as the scan report is ready, make sure all the malicious entries on the list are selected and click Fix Threats to get the cleaning job done.

File recovery how-to’s

Now that you have taken care of the offending code proper, it’s high time you tried to restore the scrambled files. Regular data backups prior to the compromise pose the optimal means to reinstate the information. In this case, just use your backup service provider’s appropriate functionality to download the most recent copies of files. If the reserve storage is on a piece of external hardware, simply transfer the data back to your PC.

Unfortunately, some users don’t have a sound backup strategy that would make them resilient to such breaches. If you happen to be in that category, the dilemma is to either pay the ransom or take advantage of the best practices of forensic data restoration. The former modus operandi (ransom) should be your last resort, so try the routines below first.

a) Explore ‘shadows’
As enigmatic as it sounds, this is a completely down-to-earth method that might do the trick in some ransomware attack cases. The idea is to use snapshots of files made by the operating system during critical updates and the addition of new restore points. The applet called ShadowExplorer automates the workflow of finding these previous versions and restoring them to a location of choice or the original folder.

The problem is, some crypto ransomware strains execute the “vssadmin.exe Delete Shadows /All /Quiet” command to disable this Windows service. To see whether this technique can work in your case, go ahead and do the following: download ShadowExplorer, install and launch it. Right-click on a random path, for example, Documents and Settings, select the Export feature and pick the directory to which the contents of this folder should be restored. If this helped, proceed with the rest of your data in the same fashion.

b) Use recovery software
There are solutions that traverse computer drives and connected media in search of obliterated data, and may be able to reinstate it. The reason why tools like Data Recovery Pro can be useful in ransomware-related predicaments is that some of these Trojans erase original versions of files, leaving their enciphered copies on the hard disk. If that’s the case, the above-mentioned application will scan the machine, list all recoverable entries in the scan report, and let you get those items back. Be advised it’s critical to remove the virus for good before you get down to this workaround.
Download Data Recovery Pro
Data Recovery Pro

Double-check for Zepto remnants

Do not leave anything to chance when dealing with ransomware. Unless removed efficiently, these threats can relaunch the crypto attack and scramble everything you’ve been struggling to restore using the above methods. To add insult to injury, ransom Trojans may be accompanied by other infections, such as banking malware that steals victims’ sensitive credentials. One way or another, rescan your system to make sure you’re good to go.

Download Zepto ransomware virus remover

Leave a Reply

Your email address will not be published.