
Zepto Ransomware Infected - novice needs assistance


  • This topic is locked
7 replies to this topic

#1 AMCP


Posted 06 August 2016 - 06:44 PM

I believe I have been infected by Zepto Ransomware as all my file names have been changed to an alpha / numeric name and now end in .zepto

 

I ran AVG scan and identified 2 x problems (from memory it found something like Ransom J and one other which was perhaps the method it was conveyed? sorry unable to open AVG now)

 

I then upgraded to the free AVG pro version and ran another scan where nothing was found.

 

I also downloaded and ran the Microsoft Malicious Software program and scanned my system and again nothing was found. 

 

I tried to back up with Shadow Copies, where I located the files with their usual names and their usual extension name like .jpg etc.

 

Unfortunately when I attempted to open these files they would not open, saying they were corrupted.

 

I then did a system restore to a few days earlier and this changed nothing, except now AVG is saying I need to enter the serial number so I now no longer have AVG.

 

I spoke to my brother who said he had positive experiences and interactions with this group and suggested I join to see if anyone can help me.

 

In the meantime he suggested I download and run ADW cleaner, I did this and scanned my system with no issues identified.

 

I was concerned with AVG not working so I then did a system restore BACK TO WHERE IT WAS prior to restoring it backward the few days. Sadly AVG not working again. (this is where the log to the viruses found was located) Now AVG appears to not have the log and it's not protecting me.

 

Brother had advised me that AVAST was better protection than AVG so I'm going to download it and install it instead of AVG.

 

I believe I have removed the virus (happy to be advised otherwise) and now I'm keen to restore the files which appears to have affected virtually all of the file systems like pictures, word, excel etc etc.

 

When I copy and paste the information on the help file it is corrupted when I post it here, I would do a screen shot but it has my personal identification number.

 

Can anyone assist?

 

Thanks in advance

 

 

 

 




 


#2 AMCP


Posted 06 August 2016 - 06:49 PM

Oh I probably should have said I'm on Windows 10



#3 RolandJS


Posted 06 August 2016 - 07:05 PM

The BC ransomware team will probably move this thread into their area, their forum, and go from there.  I believe in the ransomware forum is a sticky about how to upload a sample infected/altered file -- for them to analyze.  Be advised:  no antivirus, no antimalware, etc., program is going to reverse the alterations of your data files, such will not restore your data files to where they were before you were hit.  Let the BC ransomware team guide you from here on out.


"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#4 AMCP


Posted 06 August 2016 - 08:37 PM

I managed to locate the AVG virus info and posted below are the AVG links to the viruses.

 

http://www.avgthreatlabs.com/au-en/virus-and-malware-information/pu/free/?utm_source=TDPU&utm_medium=SCAN&CTRY=au&LNG=us&PRTYPE=PROT&V=2016&AI=0&BE=21198606&IDNT=QEVJRF9JZF90cmp8JW5hbWUlPVJhbnNvbV9yLlhZ&IDN=QzpcVXNlcnNcR0VPRkZcQXBwRGF0YVxMb2NhbFxUZW1wXFRYY2xFaVhoeW1nLmV4ZQ

 

http://www.avgthreatlabs.com/au-en/virus-and-malware-information/pu/trial/?utm_source=TDPU&utm_medium=SCAN&CTRY=au&LNG=us&PRTYPE=PROT&V=2016&AI=0&BE=14&IDNT=QEVJRF9GaV92aXJ8JW5hbWUlPUpTL0Rvd25sb2FkZXIuQWdlbnQ&IDN=QzpcVXNlcnNcR0VPRkZcQXBwRGF0YVxMb2NhbFxUZW1wXDd6T0M2OUE4MUExXDIwNzA5OTUwNS0wMzA4MjAxNi53c2Y



#5 AMCP


Posted 06 August 2016 - 09:11 PM

I have tried to do the shadow copies again and now it won't let me go back any further than when I identified the Zepto file infection so I am now unable to save any of the files with their correct user names and extensions. (I went back to this because I thought after reading posts here there may have been a chance to repair with other programs)

 

It seems I'm doing more damage than repairing.

 

Please advise



#6 AMCP


Posted 11 August 2016 - 07:19 AM

Roland - Apologies I missed your reply between my posts.

 

No other comments to date?

 

I have managed to get some of my information back with partial backups I had.

 

Anyone know how to delete the "HELP" (RANSOM NOTICE) that's up on my desktop?

 

I'm going to wait and hopefully there will be a solution in the future without having to pay for it.

 

Very very frustrating and hard way to ensure my complete backup is in place



#7 RolandJS


Posted 11 August 2016 - 09:18 AM

I recommend asking that admin/mod group move your thread into the ransomware forum.  I have no answers for you.

Edited by Queen-Evie, 11 August 2016 - 09:28 AM.
moved from Am I Infected to the appropriate forum



#8 quietman7

  • Global Moderator

Posted 11 August 2016 - 05:04 PM

Locky (Zepto) Ransomware encrypts data using AES Encryption and completely changes the filenames for encrypted files similar to CryptoWall 4 making it more difficult to restore the data.

Any files that are encrypted with the newest Locky Ransomware variant will be renamed with random alpha-numerical characters and utilize the .zepto extension (i.e. 024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto) and leave a ransom note pattern consisting of _(****)_HELP_instructions.txt/.bmp/.html...(i.e. _6789_HELP_INSTRUCTIONS.txt, _6789_HELP_INSTRUCTIONS.bmp, _6789_HELP_INSTRUCTIONS.html). More information in this BC News Article: New Locky version adds the .Zepto Extension to Encrypted Files

A repository of all current knowledge regarding Locky Ransomware is provided by Grinler (aka Lawrence Abrams), in this topic: Locky Ransomware Information, Help Guide, and FAQ.

Unfortunately, there is no known way to decrypt files encrypted by Locky (Zepto) without paying the ransom.

There is an ongoing discussion in this topic where you can ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions. When or if a solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. Doing that will also ensure you receive proper assistance from our crypto malware experts since they may not see this thread. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
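
The file-name indicators quoted in the post above can be turned into a small triage scan that shows which folders were hit and where ransom notes were dropped. This is an added example, not part of the original thread or any BleepingComputer tool; both regexes are assumptions derived from the sample names in the post (the `****` placeholder is taken to mean one or more letters or digits), and the folder and file names are constructed.

```python
import os
import re
import tempfile
from collections import Counter

# Assumption: patterns generalised from the sample names quoted in the post.
ENCRYPTED_RE = re.compile(
    r"^[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\.zepto$", re.IGNORECASE)
NOTE_RE = re.compile(
    r"^_[0-9A-Z]+_HELP_instructions\.(txt|bmp|html)$", re.IGNORECASE)

def classify(name):
    """Return 'encrypted', 'note', 'zepto-other' or None for one file name."""
    if ENCRYPTED_RE.match(name):
        return "encrypted"
    if NOTE_RE.match(name):
        return "note"
    if name.lower().endswith(".zepto"):
        return "zepto-other"  # extension matches, name shape does not
    return None

def triage(root):
    """Walk root; return ({relative dir: Counter of hits}, [note paths])."""
    per_dir, notes = {}, []
    for dirpath, _dirs, files in os.walk(root):
        counts = Counter(filter(None, map(classify, files)))
        if counts:
            per_dir[os.path.relpath(dirpath, root)] = counts
        notes += [os.path.join(dirpath, f) for f in files
                  if classify(f) == "note"]
    return per_dir, sorted(notes)

def demo():
    """Run triage over a constructed tree of empty files (sample data)."""
    tree = {
        "Pictures": ["024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto",
                     "_6789_HELP_INSTRUCTIONS.html", "holiday.jpg"],
        "Documents": ["budget.xlsx.zepto", "_6789_HELP_INSTRUCTIONS.txt"],
        "Clean": ["notes.txt"],
    }
    with tempfile.TemporaryDirectory() as tmp:
        for folder, files in tree.items():
            os.makedirs(os.path.join(tmp, folder))
            for f in files:
                open(os.path.join(tmp, folder, f), "w").close()
        per_dir, notes = triage(tmp)
        return per_dir, [os.path.basename(n) for n in notes]

if __name__ == "__main__":
    print(demo())
```

Folders that report no hits are candidates for files that survived, and the list of note paths gives the copies to review and delete once the scope has been recorded.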
