Zepto is a June 2016 variant of something called Locky, a highly successful ransomware family that first started spreading in February. It targets all versions of Windows but does not affect Macs, Linux computers or smartphones. The encryption is well implemented using RSA-2048 public key while the ransom demand starts at 0.5 Bitcoins (around $300), although this could rise.
As with a lot of ransomware, Zepto looks for new files to encrypt on connected drives and file servers as well as mapped and unmapped shares. It also checks for files synchronised through services such as Google Drive and Dropbox. In Windows 10, it seems to be able to jump from machine to machine in the same workgroup, depending on how that’s been set up.
Where did it come from?
The creators are probably the same people who have been distributing Locky which means that Zepto is, in effect, Locky 2.0. This might also explain why email campaigns pushing Locky have dropped markedly over time.
How much of a problem is it?
Having spoken to security experts, Zepto is a major headache. The number of victims – both individuals and small business - is spread across the world and seems to be depressingly large in number.
How can it be identified?
Encrypted files appear with the .zepto suffix. An instructions text file deposited in every directory explains how to pay the ransom, which is set up through a website. Coincidentally, Zepto represents the second smallest counting magnitude in the metric system (10 to the -21).
How does it infect PCs?
Can Anti-malware software stop it?
Not reliably, even updated versions. It’s pot luck. Like a lot of recent ransomware, Zepto runs as a script in the most minimal way possible and then downloads the business end of the malware. By the time that is on a system, it is too late to stop something from happening. Good anti-ransomware will notice the unusual behaviour (accessing lots of files and their increased file entropy as encryption commences) and step in. But this requires security software has been programmed specifically to understand this type of behaviour.
Can I get my files back?
For now, no. However, decryption tools and even keys released from ransomware servers are appearing more quickly than they did in the past. We’d recommend imaging an infected drive with its files. This will make it possible to retrieve files in the future should a utility appear. In Zepto’s case, there is cause for optimism in the medium term.
What about Windows Shadow Volume Copy?
This is a Windows feature that keeps older versions of files on versions from XP to 7 for some obvious directories. On Windows 10 it is implemented through file history. It is not clear whether Zepto attacks these services but previous ransomware has so don’t get excited about this working.
Should I pay the ransom?
We’d suggest not. There is no absolute guarantee the key will be supplied but even if it is there is a chance that the fact a victim has paid will be traded as information for future attacks by other ransomware groups. It’s not clear whether Zepto gathers any data about its victim that would identify them beyond their email address but it’s important not to discount the possibility.
How do I clean my PC?
The nuclear option is to wipe the system and reinstall the operating system from scratch. That should work as Zepto has no persistence or rootkit capability. It can also be removed manually but this requires some expertise and a set of reliable instructions. Note: Zepto leaves a trace on the hard drive so that it doesn't infect a second time but a system wipe will delete this.
A less drastic option is to download a utility that will clean Zepto after booting into safe mode, which turns out to be relatively easy. Malwarebytes’ offers a free utility that can reportedly detect and remove Zepto for free. That does not mean other vendors can’t detect it either but we mention it as a starting point.
Zepto ransomware – how to protect yourself against the latest extortion menace
The most important thing is to learn from the mistakes that allowed Zepto into a system.
- Were the backups recent enough and should there have been regular offline backups for extra insurance?
- Given that the ransomware will have arrived by email, one option for SMEs is to nominate a single isolated PC to receive invoices. This system should not contain any valuable files.
- Might it be a good idea to buy an SME anti-malware or endpoint security system that comes with an element of support? Some security firms have better reputations for this sort of thing but their telephone or email advice could be invaluable and worth every penny of the license fee.
Reporting: The system for reporting ransomware attacks is pretty chaotic but a good first stop is to visit the recently-launched No More Ransom initiative, a cooperative effort between Europol, Kaspersky Lab and Intel Security. It also has country-specific links.