Crypto ransomware programs come and go, but the idea of online extortion stays and perseveres with its progress. Having vanished from the antimalware radars for a while, the sample called Locky recently reappeared with a number of new features. Researchers consider the latest spike in its propagation to be associated with the so-called Necurs Botnet that the threat actors have begun to leverage after dropping the previous distribution tactics. The updated infection badly tweaks the names of one’s files and appends the .zepto component to those. These are mere external changes, though. A much more troubling aftermath of the compromise is the use of the AES and RSA cryptosystems tandem to affect data on a deep level. This impact prevents the victim from accessing their personal files.
The format of renaming filenames is as follows: [8 hexadecimal symbols]-[4 hexadecimal symbols]-[4 hexadecimal symbols]-[4 hexadecimal symbols]-[12 hexadecimal symbols].zepto. Such an approach makes a random file look similar to A2E4B03F-7256-6D55-33C5-2BA3B8E30E5C.zepto. Obviously, the user won’t even know where a particular item is located. When they realize what happened, the Trojan encourages them to peruse its demands explicated in _HELP_instructions.bmp and _HELP_instructions.html documents. The former is an image file that takes over the original Desktop background, and the latter constitutes the contents of all folders with ciphered information and opens via the default web browser.
Both ransom notes say, “All of your files are encrypted with RSA-2048 and AES-128 ciphers. … Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.” A number of .tor2web.org and .onion links provided in these documents point to the Locky Decryptor Page. The user also learns their personal ID for all the further transactions with the malicious service.
From the legitimate business perspective, this is a scheme aimed at selling a piece of software called the Locky Decryptor. However, the disgusting methodology of reaching this goal makes it a prosecutable activity. Why are the black hats still on the loose then? They are smart enough to use several layers of anonymity. For example, the victims are supposed to submit the ransoms in Bitcoins, an untraceable type of cryptocurrency. The amount is 0.5 BTC, or 300 USD. Unlike many other ransomware threats, Zepto does not allow free decryption of one or several files. It’s a bulk deal of redeeming everything or losing all the valuable data.
The Zepto ransomware arrives at computers over phishing emails. The files attached to these tricky messages are in fact obfuscated payloads that instantly trigger the malicious code once opened. When on board, the Trojan scans the machine’s local and removable drives, as well as network directories, for files with 138 different extensions that denote popular data formats. It skips system executables and doesn’t encrypt them so that Windows operates smoothly during the attack.
All in all, this is a severe cyber peril that doesn’t leave much room for recovery aside from the ransom-related path. Nevertheless, there may be some exploitable weaknesses that will help restore the locked .zepto files.
As counterintuitive as it is, removal of this particular threat is not too complicated unlike the cleanup scenarios for screen lockers which represent another group of ransomware infections on the loose. The main challenge in regards to Zepto is getting personal files back without having to do what the fraudsters want. Basically, this means you can get rid of the malady using efficient security software without much of a hindrance, but options for recovering the encrypted data are a matter of a separate discussion, which we will touch upon in this guide as well.
Let’s now outline a rather easy and perfectly effective way of ransomware removal from a contaminated computer. Please follow the directions below step by step:
1. Download and install HitmanPro.Alert with CryptoGuard
Supports: Windows XP (SP3), Vista, 7, 8, 8.1, 10
2. Open the program, click on the Scan computer button and wait for the scan to be completed
3. When HitmanPro.Alert comes up with the scan report, make sure the Delete option is selected next to the ransomware entry and other threats on the list, and get the infections eliminated by clicking on the Next button
Now you’ve got both some good and bad news. On the one hand, Zepto is gone from your computer and won’t do any further damage. On the other, your files are still encrypted, since elimination of the malware proper does not undo its previous misdemeanors. In the next section of this guide we will highlight methods that may help you restore your data.
As it has been mentioned above, despite successful removal of Zepto the compromised files remain encrypted with the AES algorithm. While it does not appear possible to obtain the key for decryption in this case even with brute-forcing, you can try to restore previous versions of these files either using the native Windows functionality or the application called Shadow Explorer. Please note that this method is only applicable in case you have System Restore enabled on your PC, and the versions of the files that you can recover this way may not be the most recent. It’s definitely worth a try, though.
Windows provides a feature where you can right-click on an arbitrary file, select Properties and choose the tab called Previous Versions. Having done that for a particular file, you will view all versions of it that were previously backed up and stored by the so-called Volume Shadow Copy Service (VSS). The tab also provides the history of these backups by date.
In order to restore the needed version of the file, click on the Copy button and then select the location to which this file is to be restored. In case you would like to replace the existing file with its restored version, click the Restore button instead. Conveniently enough, you can have whole folders restored the same way.
Besides the built-in Windows functionality highlighted above, you can use an application that will restore previous version of entire folders for you. It’s called ShadowExplorer. Once you download and launch this program, it will display all of your drives as well as a list of dates when Shadow Copies were generated. Simply pick the desired drive and date for restoration, as shown on the following screenshot:
Right-click on the directory you wish to restore and choose Export in the context menu. This will be followed by a request to indicate where you would like to restore the information to.
It might sound surprising, but Zepto does not encrypt one’s actual files. It deletes them. What does get encrypted is the copies. This brings us to the point where a specific type of software can be used for dragging the original data out of memory, where it ended up after the erasure. Efficient recovery tools can work wonders in these ransomware scenarios.
Download and install Recuva by Piriform to give this restoration vector a shot. By running a computer scan with Recuva, you will get a list of all recoverable files and be able to reinstate them to their original location or another place of choice.
Zepto poses a critical risk to one’s personal information therefore the main focus security-wise should be made on prevention. In this context, some basic precautions can do the trick: refrain from opening email attachments from unknown senders and schedule regular antivirus software updates. Furthermore, performing data backups is a remarkable habit that will help evade the adverse aftermath of this attack.