
what to do with .zepto files while I wait for a decrypt routine?

  • This topic is locked
1 reply to this topic

#1 FredoOderf


  • Members
  • 1 posts
  • Local time:05:50 PM

Posted 05 August 2016 - 04:21 PM

I got hit yesterday by zepto and have lost all my user files, but they aren't really lost, are they? Meaning, if I had the key, then, for instance, 96F2F073-58F0-6840-7FD9-85AC5457A1D1.zepto, the encrypted content of what was formerly a .xlsx Excel file named taxWS2011_new_Completed_3-30-15.xlsx, could be returned to its former glory as an Excel file with the name referenced above.


If my understanding as noted above is correct, then being the optimist I am, what should I do, if anything, to preserve the zepto files? And do I also need to preserve the _NNN_HELP_instructions.html files that are created in each directory?


Should I just start doing a nightly backup LIKE I SHOULD HAVE BEEN DOING ALL ALONG and generally just ignore all the .zepto files as I slowly reconstruct user files on an as-needed basis? And then when the day comes in the future when a zepto decrypt routine is available, it will somehow restore all of the files.


Thanks in advance. PS paying a $1400 ransom is pretty much out of the question. Makes one wonder who they are targeting. I would have been in for $14.00.



#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,886 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:50 PM

Posted 05 August 2016 - 04:32 PM

Any files that are encrypted with the newest Locky variant will be renamed with random alpha-numerical characters but utilize the .zepto extension (i.e. 024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto) and leave a ransom note pattern consisting of _(****)_HELP_instructions.txt/.bmp/.html...(i.e. _6789_HELP_INSTRUCTIONS.txt, _6789_HELP_INSTRUCTIONS.bmp, _6789_HELP_INSTRUCTIONS.html). More information in this BC News Article: New Locky version adds the .Zepto Extension to Encrypted Files

When you discover that your computer is infected with ransomware you should immediately create a copy or image of the entire hard drive. Doing that allows you to save the complete state of your system (and all encrypted data) in the event that a free decryption solution is developed in the future. In some cases, there may be decryption tools available but there is no guarantee they will work properly since the malware writers keep releasing new variants in order to defeat the efforts of security researchers.

Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, it does not always work correctly so keeping a backup of the original encrypted files and related information is a good practice.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. When or if a solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion, this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
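
The reply above recommends preserving the encrypted files and ransom notes. As an added example (not part of the original posts and not a BleepingComputer tool), this Python sketch inventories `.zepto` files and `_NNNN_HELP_instructions` notes read-only, records SHA-256 hashes, and checks that a preserved copy matches. The function names are hypothetical, the patterns are taken from the naming described in the reply, and it complements a full drive image rather than replacing one.

```python
import hashlib
import os
import re
import sys

# Patterns follow the naming described in the reply above (assumed to be case-insensitive).
ENCRYPTED_RE = re.compile(r"\.zepto$", re.IGNORECASE)
NOTE_RE = re.compile(r"^_[0-9A-Za-z]+_HELP_instructions\.(txt|bmp|html)$", re.IGNORECASE)

def classify(name):
    """Return 'encrypted', 'ransom_note', or None for an unrelated file."""
    if ENCRYPTED_RE.search(name):
        return "encrypted"
    if NOTE_RE.match(name):
        return "ransom_note"
    return None

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root):
    """Walk root without modifying it; record encrypted files and ransom notes."""
    entries = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind is None:
                continue
            full = os.path.join(folder, name)
            entries.append({"path": os.path.relpath(full, root), "kind": kind,
                            "size": os.path.getsize(full), "sha256": sha256_file(full)})
    return sorted(entries, key=lambda e: e["path"])

def verify_copy(manifest, copy_root):
    """Return relative paths that are missing or differ in the preserved copy."""
    problems = []
    for entry in manifest:
        target = os.path.join(copy_root, entry["path"])
        if not os.path.isfile(target) or sha256_file(target) != entry["sha256"]:
            problems.append(entry["path"])
    return problems

if __name__ == "__main__":
    manifest = build_manifest(sys.argv[1])  # argv[1]: affected folder, argv[2]: preserved copy
    print(len(manifest), "items;", len(verify_copy(manifest, sys.argv[2])), "problems in copy")
```

Keeping the manifest alongside the preserved copy makes it possible to confirm later that the encrypted files are byte-for-byte unchanged before running any decryption tool against them.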
