Zepto ransomware: How to decrypt .zepto files

The post sheds light on the successor of the Locky ransomware dubbed Zepto, which concatenates the .zepto extension to files and makes them inaccessible.

Researchers are currently reporting a considerable upswing in the propagation of Zepto, the latest variant of the Locky crypto infection that got an abominable reputation as it had been causing problems to thousands of users worldwide over the course of several months on end. The previous iterations and the new edition share a great deal of properties. First off, the spreading mechanism is the same: the ransomware operators are using a botnet to sustain a bulk spam campaign. The phishing emails pretend to deliver copies of some important PDF documents enclosed in a ZIP archive. The offending code run instantly after a recipient opens the legit-looking attachment.

The look and feel of the average folder hit by Zepto

Another similarity with the predecessor is that the Zepto spinoff uses the same Command and Control infrastructure. However, before reaching out to the C2 server, it scans the breached system for various formats of files. The infection has a hard-coded list of extensions, against which it checks all data residing on fixed drives, removable media and network disks. When the checkup and matching phase has been completed, the Trojan initiates a crypto routine. To this end, it first scrambles files with AES algorithm. Then, it encrypts the 128-bit AES key using RSA, a stronger cryptographic system. Finally, the private RSA key is sent to the C&C server over a secure channel. Ultimately, the files become unavailable after such processing.

HTML ransom instructions by Zepto virus

In addition to that, Zepto badly tweaks filenames. It replaces them with cumbersome arrays of hexadecimal characters followed by the .zepto extension. The changes are so drastic that it appears impossible to link specific files with their encrypted counterparts. At that point, the ransomware articulates its demands. It configures a _HELP_instructions.bmp image to be displayed as the desktop background. The message in it says, “All of your files are encrypted with RSA-2048 and AES-128 ciphers. Decrypting of your files is only possible with the private key and decrypt program.”

The problem is that both the key and the automatic recovery solution are located on the criminals’ server. To obtain both of them, the victim needs to follow one of two links that are anonymous Tor gateways. On the “Locky Decryptor Page”, the compromised person is expected to pay 0.5 Bitcoin ($336) for the decoding to become possible.

Instead of sending the ransom to the scammers, it’s highly recommended to use the steps below and check whether the workarounds can do the trick and restore the .zepto files to their original state.

How to recover .zepto files without submitting the ransom

A brief disclaimer: the techniques described below do not actually decrypt the locked data. Instead, they provide viable workarounds for exploiting probable imperfections of the way that this virus implements the crypto and handles the victim’s files. Although it’s premature to assert whether or not these tips will do the trick in your situation, nothing more efficient has been invented to date. Without further ado, peruse the following methods to mitigate the harm from the ransomware compromise.

  • Use Volume Shadow Copy Service (VSS) to your advantage

    In case you didn’t know, Shadow Copies represent Microsoft Windows’ feature for file backup. The operating system makes point-in-time snapshots of files over the course of critical updates and the creation of System Restore points. Normally, the Zepto ransom Trojan disables VSS on early stages of the attack, but chances are it fails to.

    Nevertheless, it certainly won’t hurt to try this: for a start, download and install Shadow Explorer app. It is a free solution that displays the file hierarchy in a user-friendly way and automates the process of retrieving the previous versions of files and folders. You can easily export data by right-clicking the object of interest and selecting the corresponding option as shown on the picture below.

    Shadow Explorer

  • Try data recovery software

    These types of solutions were originally designed for forensic purposes as well as to restore the information that was obliterated accidentally or due to hardware failures. Their scope of use has expanded with the emergence of cryptographic infections like Zepto. Again, this isn’t a cure-all, but it may help under certain circumstances. So go ahead and download ParetoLogic’s Data Recovery Pro, have your computer scanned for recoverable data and follow the program’s directions to proceed with the file rescue activity.

    Data Recovery Pro

  • Use backups, they’re indispensable

    Nothing beats backups when ransomware attacks your computer. No matter if your files are backed up to an external piece of hardware or a cloud provider, everything can be downloaded back to the machine in a few clicks. Just make sure you have removed the ransomware before retrieving the data, otherwise the crypto routine will repeat.

Prevent ransomware attacks further on

In order to be a moving target for crypto malware like Zepto, it’s recommended to patch potentially vulnerable software (Adobe Flash Player, Java) on a regular basis, refrain from opening fishy email attachments, keep macros in Microsoft Office documents disabled, use a dependable antimalware suite, and of course maintain secure backups of the most valuable files.