A Ransomware Attack

Worst virus I’ve seen in 35 years. You won’t like it.

It’s called Zepto. It doesn’t show up as viral, so your antivirus product ain’t gonna see it.

It starts out with vague email messages, usually one-liners, giving you good reason to open the attachment,

“Your credit card payment was declined.”
“Revised lease is attached. Please Review.”
“Thank you for your business. Invoice attached.”

The point of it is to get you to open the attachment, which is usually a compressed zip file. Opening this attachment launches JavaScript code that encrypts all of your user documents. All of them. Every document, photo, data file, spreadsheet, PowerPoint presentation, and Word document. Then it goes looking for your backup drive and wipes that out, too. And if you’re attached to a network, it can do the same trash job on attached machines.
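The lure described above depends on the attachment being a zip whose member is a script Windows will run on double-click, often dressed up with a document-looking name such as “invoice.pdf.js”. The following is an added example (not code from the original post) of the check a mail gateway or a cautious user could run on an attachment before opening it: it lists the archive members and flags any whose final extension is executable. The extension list and the sample archive are constructed for the demonstration; the archive contents are placeholders, not malware.

```python
import io
import posixpath
import zipfile
from typing import Dict, List

# Extensions Windows executes when the file is double-clicked. Assumption:
# this list is illustrative, not exhaustive.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
    ".hta", ".cmd", ".bat", ".exe", ".scr",
}


def suspicious_members(zip_bytes: bytes) -> List[str]:
    """Return the archive member names that should not be opened: anything
    whose *last* extension Windows would execute. Only the final extension
    matters to the shell; 'invoice.pdf.js' is a script, not a PDF."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Zip member names use forward slashes, so posixpath is correct here.
            ext = posixpath.splitext(info.filename)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def build_archive(members: Dict[str, str]) -> bytes:
    """Build an in-memory zip from {member_name: text}. Used only to construct
    sample input for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, text in members.items():
            archive.writestr(name, text)
    return buf.getvalue()


def build_sample_lure() -> bytes:
    """Constructed stand-in for the 'invoice attached' lure: a fake invoice
    that is really a script, plus one harmless text file."""
    return build_archive({
        "Invoice_2016-07.pdf.js": "// placeholder text, not a real dropper\n",
        "readme.txt": "Thank you for your business.\n",
    })


if __name__ == "__main__":
    flagged = suspicious_members(build_sample_lure())
    print("do not open:", flagged)
```

The check is deliberately based on the last extension only, because that is the one Explorer hides by default and the one the shell uses to pick a handler; a name with two extensions is itself a warning sign worth surfacing to the user.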

You won’t be able to decrypt these files. There are a number of malware removal products, including Malwarebytes, that can remove the virus itself, but the important thing is this: none of them can decrypt your files. You’ll never see them again. Hysteria ensues.

You could, of course, submit and send half a Bitcoin (about $300.00) to an anonymous mailbox, after which they promise to maybe send you a decryption key to get your documents back. But then again, these are the extortionists that poisoned your machine in the first place, right? Does that sound like a smart idea? Really?

That’s OK, I’ve got a backup! No, you don’t. It’s been encrypted, too, unless it’s an offline backup. Quite by accident, my client had disconnected their backup drive, so I was able to restore their files as of their last backup – six months ago. Two weeks later, they’re still re-entering transactions for their site management accounting system. Everything else since that time was lost.

What to do?

  • Never EVER open an email attachment from somebody you don’t know. Ask yourself if the subject line and the email copy itself makes sense. You have to realize that the internet is a bad neighborhood, and it gets a little scarier every day. A little paranoia can be a healthy thing.
  • If you see the dreaded warning that your files have been encrypted, press your power button and hold it there until the machine powers off. Don’t think about it. Don’t take time to gracefully close anything you have open. Don’t worry about saving that half finished email. Do it immediately. I mean right NOW. It’s already eating your files as fast as it can. Seconds matter. The idea is to save as many documents as you can.
  • Once you’ve forced your machine to shut down, do NOT turn it back on again until you have help from somebody who knows what they’re doing. You will NOT be able to resolve it yourself. No kidding.
  • What needs to happen is to remove the hard drive from the machine and connect it to another machine as a secondary drive, at which point a malware removal tool can stop the encryption process from restarting, and then you can salvage as many uncorrupted files as you can to the uninfected machine. Then make an image of the corrupted drive. At this point, the corrupted files can be removed all at once from a DOS prompt with C:\> DEL *.zepto /s
  • Zepto, at least this version, doesn’t appear to infect operating system or program files, presumably to keep you from noticing that your machine is eating itself. It’s possible in some cases to put the drive back in your machine, and it may start up without too much trouble. But you’d better make sure by scanning the dickens out of it before you consider it safe. Make sure you can get Windows updates and that all your applications open properly.
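The salvage step above, as an added example that is not part of the original post: with the suspect drive attached to a clean machine (and imaged first), walk it, copy every file that does not carry the .zepto extension to a salvage location while keeping the folder layout, and report what was lost, without modifying anything on the suspect drive. The sample folder tree is constructed for the demonstration; only the .zepto extension comes from the post, and the heuristic is exactly that: a file without the extension is a salvage candidate, not a guaranteed-intact one (a file the ransomware was writing when the power was cut may be truncated).

```python
import shutil
import tempfile
from pathlib import Path

# Extension this Zepto variant appends to the files it has encrypted (from the
# post). Anything carrying it is ciphertext and not worth copying.
ENCRYPTED_EXT = ".zepto"


def salvage(source: Path, dest: Path) -> dict:
    """Copy every non-encrypted file under `source` into `dest`, preserving the
    relative path, and return counts. Reads only from `source`; the suspect
    drive should additionally be mounted read-only where the OS allows it."""
    summary = {"salvaged": 0, "encrypted": 0, "errors": 0}
    for path in source.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == ENCRYPTED_EXT:
            summary["encrypted"] += 1
            continue
        target = dest / path.relative_to(source)
        try:
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)  # copy2 keeps timestamps for later triage
            summary["salvaged"] += 1
        except OSError:
            summary["errors"] += 1
    return summary


def encrypted_listing(source: Path) -> list:
    """Relative paths of the encrypted files: what `DEL *.zepto /s` would
    remove, produced without deleting anything."""
    return sorted(
        p.relative_to(source).as_posix()
        for p in source.rglob("*")
        if p.is_file() and p.suffix.lower() == ENCRYPTED_EXT
    )


def build_sample_tree(root: Path) -> None:
    """Constructed stand-in for a hit drive: two intact documents and two
    encrypted ones. Names and contents are placeholders."""
    files = {
        "Accounting/ledger.xlsx": b"intact spreadsheet",
        "Accounting/encrypted-1.zepto": b"\x00ciphertext",
        "Photos/encrypted-2.ZEPTO": b"\x00ciphertext",
        "Notes/todo.txt": b"intact note",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo() -> dict:
    """Build the sample tree in a temp directory, salvage it, and return the
    counts plus the names that reached the salvage folder."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "suspect", Path(tmp) / "salvage"
        build_sample_tree(src)
        result = salvage(src, dst)
        result["copied"] = sorted(
            p.relative_to(dst).as_posix() for p in dst.rglob("*") if p.is_file()
        )
        result["lost"] = encrypted_listing(src)
        return result


if __name__ == "__main__":
    print(run_demo())
```

The counts give you the number the client needs to hear before any talk of paying: how many files survived versus how many are gone, and the listing is the same set the DEL command would remove, so it can be reviewed before anything is deleted.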

A more complete description of the mechanics is beyond the scope of this post, but you would be well advised to read up on the subject.

Is Zepto ransomware the new Locky?

http://www.idigitaltimes.com/ransomware-update-zepto-bart-cryptxxx-cerber-hitting-users-hard-month-542946
