Computer infections that leverage cryptography to compel victims into paying for the recovery of their encrypted data are constantly evolving. One such sample implements a combination of the AES and RSA crypto algorithms and appends ‘.zepto’ to every file it encrypts. Judging by a number of technical characteristics, this strain is most likely a successor of Locky, another piece of ransomware that was once a high-profile cyber threat.
The new specimen from the old family appears to exhibit the same features plus a refined propagation methodology. Zepto is spreading via a massive spam campaign combined with a technique similar to the one used to peddle Dridex, a piece of infamous banking malware. Thousands of phishing emails generated daily claim to contain important attachments, such as business documents or invoices. These attachments are in fact .docm files, a macro-enabled Microsoft Word format, which display no content unless the user enables macros. By exploiting the weak security of Word macros, the attackers can easily execute the ransomware code behind the scenes on any Windows workstation.
The infection is accompanied by conspicuous changes to system settings, including the desktop background, which starts to display a warning message. That is because the Zepto ransomware adds an image file named “_HELP_instructions.bmp” and sets it as the desktop wallpaper. It reads, "All of your files are encrypted with RSA-2048 and AES-128 ciphers." That’s definitely not a bluff. This alert has a duplicate titled "HELP_instructions.html", which suddenly appears inside all directories holding personal data.
To identify which files might be valuable to the victim, Zepto scans all drive letters on the hard drive, as well as removable drives and network locations, for files with common extensions, such as .txt, .doc, .xls, .ppt, .pdf, .jpg and many more. Then the crypto routine comes into play. The offending program encrypts every detected file using a combination of symmetric and asymmetric cryptography.
Not only does the pest scramble the contents of such files, but it also modifies their names. The .zepto extension is appended at the end, and the filenames proper turn into strings of 32 hexadecimal characters. So a random image, for instance, will eventually be presented to the user as something like A3E2B03F-6214-7D77-18D8-AABA4-51A0F42.zepto. This, apparently, prevents the victim from knowing which original file this weird item corresponds to.
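The renaming and ransom-note behaviour described above gives a responder two cheap indicators to triage a machine or a file share with. The following read-only scan is an added example, not code from the original write-up: it walks a directory tree, counts files whose names match the 32-hex-digit ‘.zepto’ scheme, and records which directories contain the ransom notes. The sample directory it builds is constructed for the demo; the dash grouping of the hex digits is deliberately not assumed, only the total of 32 hex digits and the extension.

```python
import os
import re
import tempfile
from collections import Counter

# Zepto naming scheme from the write-up: dash-separated hex groups, 32 hex digits
# in total, followed by ".zepto". The grouping itself is not assumed.
ZEPTO_NAME = re.compile(r"^(?:[0-9A-Fa-f]+-)*[0-9A-Fa-f]+\.zepto$")
# Ransom-note file names mentioned in the write-up.
RANSOM_NOTES = {"_HELP_instructions.bmp", "_HELP_instructions.html",
                "HELP_instructions.html"}

def is_zepto_name(name):
    """True if `name` looks like a Zepto-renamed file: 32 hex digits plus '.zepto'."""
    if not ZEPTO_NAME.match(name):
        return False
    hex_digits = name[:-len(".zepto")].replace("-", "")
    return len(hex_digits) == 32

def triage(root):
    """Walk `root` without modifying anything. Returns the total number of
    Zepto-named files, the set of directories holding a ransom note, and a
    per-directory Counter of Zepto-named files."""
    encrypted = Counter()
    note_dirs = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if fn in RANSOM_NOTES:
                note_dirs.add(dirpath)
            elif is_zepto_name(fn):
                encrypted[dirpath] += 1
    return sum(encrypted.values()), note_dirs, encrypted

def build_sample_tree():
    """Constructed sample: one hit folder (two renamed files, a note, one untouched
    file) and one clean folder, created under a temporary directory."""
    root = tempfile.mkdtemp(prefix="zepto_demo_")
    hit = os.path.join(root, "Documents")
    clean = os.path.join(root, "Music")
    os.makedirs(hit)
    os.makedirs(clean)
    for name in ("A3E2B03F-6214-7D77-18D8-AABA4-51A0F42.zepto",  # name from the write-up
                 "A3E2B03F-6214-7D77-18D8-AABA4-51A0F43.zepto",  # constructed sibling
                 "_HELP_instructions.html",
                 "notes.txt"):                                   # untouched file
        open(os.path.join(hit, name), "w").close()
    open(os.path.join(clean, "song.mp3"), "w").close()
    return root

if __name__ == "__main__":
    total, notes, per_dir = triage(build_sample_tree())
    print(f"{total} Zepto-named files; ransom notes in {len(notes)} directories")
    for d, n in per_dir.items():
        print(f"  {d}: {n}")
```

Point `triage()` at a user profile or a mapped share to get a quick map of what the infection reached; the hex names reveal nothing about the originals, so this only scopes the damage, it does not recover anything.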
Just like its forerunner Locky, this sample is designed professionally enough to make decryption attempts null and void. The only way to get the files back to their previous state is to pay the ransom of 0.5 Bitcoin. To do this, the user will need to click on a Tor link provided in the ransom notes and thus visit the “Locky Decryptor” page. The site contains the Bitcoin address for payment. The deal is, essentially, the purchase of the unique decryption key.
Whereas security researchers from different antimalware labs are doing their best to spot weak links in Zepto's encryption, infected users have two options: buy the recovery service from the malefactors, or try to leverage one of several known workarounds. If no secure data backups are available, victims should try the instructions below before giving in to the ransom demands.
Use an automatic solution to remove the Zepto virus
A Zepto compromise of a PC can be effectively resolved if you use trusted security software. Along with the obvious ease of such removal, other benefits include the thoroughness of virus detection and elimination from all system locations it might have affected. Be advised, however, that removing the ransomware and recovering the hijacked files are two different things. So please follow these steps just for a start:
1. Download and install the Zepto removal tool. Run the application and select the Start Computer Scan option in order to have your computer checked for ransomware, adware, viruses and other malicious objects.
2. When the scan is complete, it will return a list with results on what infections have been found. Go ahead and click Fix Threats to completely get rid of the detected items. The virus should now be gone from your PC.
Recover files encrypted by Zepto
The bitter truth about this ransomware assault is that there is no tool that can automatically decrypt your personal files, except perhaps the service endorsed by the virus publishers who spread this infection in the first place and have the right private key at their disposal. Asymmetric crypto algorithms are too strong to crack or brute-force, therefore users can only leverage alternate workarounds.
1. File recovery software
Some variants of ransom trojans create copies of their victims’ files, encrypt the copies and delete the original data. In this case, forensic utilities like Data Recovery Pro can restore the information. Download and install the program, launch it and select the scan option (Quick, Full, or Guided). Click the Start Scan button, wait for the results and see what can be recovered.
2. Shadow Explorer
This method presupposes restoring the so-called “Shadow Copies” of locked files through the use of an app called Shadow Explorer. While this routine can be performed manually, the above-mentioned software automates the process all the way. Just download and install Shadow Explorer, run it, select the drive letter and date, and get down to recovery. Pick the folder or file of interest, right-click on it, select Export and follow further prompts. Note that this option only works with System Restore enabled on the PC.
3. Previous Versions feature
The automatic option above has a manual counterpart, where you needn’t go any further than Windows itself. As long as System Restore has been active on the machine, users can right-click on any file, select Properties, open the Previous Versions tab, and click Copy or Restore, depending on the location the file will be reinstated to. This is a slow approach because you have to go through the above steps for every file, therefore using Shadow Explorer is a much more user-friendly experience.
4. Backups
This option is self-explanatory. In the event you have been backing up your information to external media or cloud resources, the damage from a Zepto attack will be minimal. Note that it’s a must to completely eradicate the ransomware before downloading your intact files from the secure storage.
Make sure the Zepto virus has vanished
When it comes to persistent threats, double-checking never hurts. Therefore, it’s highly recommended to complete the remediation process with a final scan that will once again look for any potential bits and pieces of the infection.