Encrypted With .zepto? – Zepto Ransomware Removal Guide

Recently a new ransomware variant called Zepto was released. It has compromised hundreds of computers around the world, from the USA to Mexico, Japan and Germany, and caused a lot of trouble for individuals and enterprises alike. How does this malware spread? Is it possible to recover the files it encrypts? How do you remove it from your PC? Read on to learn more about Zepto Ransomware.

What is Zepto Ransomware?

Zepto Ransomware is a variant of Locky. It renames every file it encrypts and gives it the .zepto extension, so the original file name is lost. According to Bleeping Computer, an encrypted file's name has the form [first_8_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[next_4_hexadecimal_chars_of_id]-[4_hexadecimal_chars]-[12_hexadecimal_chars].zepto, so the first three groups together encode the victim ID. For example, a file named 024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto belongs to victim ID 024BCD3341D1ACD3.

The image below shows some files that are encrypted:

zepto-file

It scans the victim's files and encrypts them with AES-128, protecting the AES keys with an RSA-2048 public key whose private half stays with the attackers. The encrypted files are unusable unless the victim obtains that private key, which the criminals only hand over for a ransom. In every folder it encrypts, the malware drops an HTML ransom note named “XX (ransom numbers) _HELP_instructions.html” that tells the victim what happened to the files and how to pay. It states that only the private key and decryption program on the attackers' secret server can decrypt the files, and directs the victim to one of several links, or, if those addresses fail, to download and install the Tor Browser and visit the address it lists (as shown below). The desktop wallpaper is also replaced with the same “Help instructions” page.

instructions-note
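The following is an added example, not code from the original article or from any published analysis of Zepto. It turns the naming convention described above into a scan: it walks a directory tree, recognises files renamed to the 8-4-4-4-12 hex pattern with the .zepto extension, recovers the victim ID from the first three groups, and locates the ransom notes (matched here on the “_HELP_instructions.html” suffix the article quotes). The sample directory it builds is constructed for the demonstration.

```python
"""Find Zepto-encrypted files and ransom notes under a directory (added example)."""
import os
import re
import tempfile
from collections import Counter

# 8-4-4-4-12 hexadecimal groups followed by the .zepto extension; the first
# three groups (16 hex digits) are the victim ID.
ZEPTO_NAME = re.compile(
    r"^([0-9A-F]{8})-([0-9A-F]{4})-([0-9A-F]{4})-[0-9A-F]{4}-[0-9A-F]{12}\.zepto$",
    re.IGNORECASE,
)
# Ransom note dropped into each encrypted folder; the numeric prefix varies,
# so only the suffix quoted in the article is matched (assumption).
RANSOM_NOTE = re.compile(r"_HELP_instructions\.html$", re.IGNORECASE)


def victim_id(filename):
    """Return the 16-hex-digit victim ID encoded in a .zepto file name, or None."""
    m = ZEPTO_NAME.match(filename)
    if not m:
        return None
    return (m.group(1) + m.group(2) + m.group(3)).upper()


def scan_tree(root):
    """Return (encrypted_files, ransom_notes, Counter of victim IDs) found under root."""
    encrypted, notes, ids = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            vid = victim_id(name)
            if vid:
                encrypted.append(path)
                ids[vid] += 1
            elif RANSOM_NOTE.search(name):
                notes.append(path)
    return encrypted, notes, ids


def build_sample_tree():
    """Constructed sample: two folders hit by one infection plus untouched files."""
    root = tempfile.mkdtemp(prefix="zepto-demo-")
    layout = {
        "Documents": [
            "024BCD33-41D1-ACD3-3EEA-84083E322DFA.zepto",
            "024BCD33-41D1-ACD3-9B1C-0F2E6A7D4C55.zepto",
            "_HELP_instructions.html",
            "notes.txt",
        ],
        "Pictures": [
            "024BCD33-41D1-ACD3-1234-ABCDEFABCDEF.zepto",
            "_3_HELP_instructions.html",
            "holiday.jpg",
        ],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for n in names:
            with open(os.path.join(root, folder, n), "w") as f:
                f.write("sample\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    enc, notes, ids = scan_tree(root)
    print(f"{len(enc)} encrypted files, {len(notes)} ransom notes under {root}")
    for vid, n in ids.items():
        print(f"victim ID {vid}: {n} files")
```

Run it against a real share or backup target by passing that path to scan_tree; more than one victim ID in the output means more than one infected machine wrote to that location.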

Zepto Ransomware targets files with the following extensions, among others:

.123 | .3dm | .3ds | .3g2 | .3gp | .602 | .aes | .ARC | .asc | .asf | .asm | .asp | .avi | .bak | .bat | .bmp | .brd | .cgm | .cmd | .cpp | .crt | .csr | .CSV | .dbf | .dch | .dif | .dip | .djv | .djvu | .DOC | .docb | .docm | .docx | .DOT | .dotm | .dotx | .fla | .flv | .frm | .gif | .gpg | .hwp | .ibd | .jar | .java | .jpeg | .jpg | .key | .lay | .lay6 | .ldf | .m3u | .m4u | .max | .mdb | .mdf | .mid | .mkv | .mov | .mp3 | .mp4 | .mpeg | .mpg | .ms11 | .MYD | .MYI | .NEF | .odb | .odg | .odp | .ods | .odt | .otg | .otp | .ots | .ott | .p12 | .PAQ | .pas | .pdf | .pem | .php | .png | .pot | .potm | .potx | .ppam | .pps | .ppsm | .ppsx | .PPT | .pptm | .pptx | .psd | .rar | .raw | .RTF | .sch | .sldm | .sldx | .slk | .stc | .std | .sti | .stw | .svg | .swf | .sxc | .sxd | .sxi | .sxm | .sxw | .tar | .tbk | .tgz | .tif | .tiff | .txt | .uop | .uot | .vbs | .vdi | .vmdk | .vmx | .vob | .wav | .wb2 | .wk1 | .wks | .wma | .wmv | .xlc | .xlm | .XLS | .xlsb | .xlsm | .xlsx | .xlt | .xltm | .xltx | .xlw | .zip.

Unfortunately, at the time of writing there is no known way to decrypt files encrypted by Zepto Ransomware without the attackers' private key. Paying the ransom is never advised: it funds the criminals and encourages further campaigns, and there is no guarantee that a working decryptor will be delivered. If you have not been hit by this malware, keep regular backups of all critical data, and keep at least one copy offline or otherwise unreachable from the PC, since any connected drive can be encrypted too.

Important note:

Because Zepto ransomware is so new, there is still no decryptor for the files it encrypts. If you do become a victim, what you can do now is locate and delete the malware itself with a professional malware removal tool, and keep a copy of the encrypted files and ransom notes in case a working decryptor is released later.



How can Zepto Ransomware be distributed?

Like most ransomware, Zepto is distributed worldwide through spam email. According to Warren Mercer of Cisco's Talos team, 137,731 emails using a new attachment naming convention were seen in four days, beginning Monday 27 June with roughly 4,000 messages caught by Cisco's Email Security Appliances (ESA) and Cloud Email Security (CES) platform.

“The body of the emails was generally urging the user to look at their “requested” documentation. The name of the attached .zip file is created by combining the username in the ‘To’ email address header, an underscore, plus a random number:”

fake-email

Most computer users know that malicious code can arrive as an email attachment, but some forget or ignore this and still open attachments in messages from strangers. Once a victim is taken in by the email body and opens the .zip, they find a JavaScript file inside; double-clicking it runs it with Windows Script Host, which downloads and launches the ransomware executable, and that in turn encrypts the files on the computer. “The email attack vector will continue to be used as email is an everyday occurrence now and the ability to generate large lists of emails for spam campaigns like this is growing easier,” Mercer concludes.
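As an added example (not Talos's code and not part of the original article), here is a mail-gateway style check for the campaign described above. It flags a message when an attached .zip is named after the local part of the To: address followed by an underscore and a number, exactly the convention Mercer describes, and separately when the archive holds a script file (.js, .jse, .wsf, .vbs) that Windows would run with Windows Script Host. The message it builds is constructed for the demonstration; the sender, recipient and file names are made up.

```python
"""Flag Zepto-style lure emails: recipient-named zip attachment holding a script (added example)."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows hands to Windows Script Host on double-click
SCRIPT_EXT = (".js", ".jse", ".wsf", ".vbs")


def suspicious_attachment_name(to_addr, filename):
    """True if filename is <local-part of to_addr>_<digits>.zip."""
    local = to_addr.split("@", 1)[0]
    pattern = re.compile(r"^" + re.escape(local) + r"_\d+\.zip$", re.IGNORECASE)
    return bool(pattern.match(filename))


def scripts_in_zip(data):
    """Names of script files inside a zip given as bytes; a corrupt zip counts as empty."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXT)]
    except zipfile.BadZipFile:
        return []


def check_message(raw):
    """Return the reasons a raw RFC 822 message looks like a Zepto lure (empty = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    to_addr = msg["To"].addresses[0].addr_spec if msg["To"] else ""
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if suspicious_attachment_name(to_addr, name):
            reasons.append(f"attachment '{name}' is named after the recipient's local part")
        if name.lower().endswith(".zip"):
            scripts = scripts_in_zip(part.get_payload(decode=True))
            if scripts:
                reasons.append(f"zip contains script file(s): {', '.join(scripts)}")
    return reasons


def build_sample_message(to_addr="jsmith@example.com",
                         attachment_name="jsmith_78112.zip",
                         inner_name="invoice_4182.js"):
    """Constructed lure: a zip named <user>_<number>.zip holding a stand-in .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "// stand-in for the downloader script\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.net"
    msg["To"] = to_addr
    msg["Subject"] = "Your requested documentation"
    msg.set_content("Please find the requested documentation attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in check_message(build_sample_message()):
        print("FLAG:", reason)
```

Either signal on its own is worth quarantining in a corporate environment; a script inside a zip is rarely legitimate business mail, and the recipient-derived file name is a fingerprint of this particular spam run.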

Zepto Ransomware removal guide

The instructions below show how to delete the ransomware's files and registry entries manually. Note that the procedure involves editing the Windows registry, which is risky and complicated for regular computer users. If you are not familiar with the registry editor, use an automatic Zepto Ransomware remover instead; deleting the wrong file or key can damage Windows permanently.

Option 1: Remove the ransomware using SpyHunter (Recommended)

Step 1: Boot into safe mode

Safe mode is a diagnostic mode that starts Windows with a minimal set of drivers and services, which stops the malware's process from being launched automatically at startup. To enter safe mode, see How to Start Windows Based OS in Safe Mode?

Step 2: Run SpyHunter to scan for and delete Zepto Ransomware

SpyHunter is a program designed to find and remove malware such as ransomware, Trojans, rootkits and worms, as well as other potentially unwanted programs. To avoid deleting the wrong files by hand, we suggest running a full SpyHunter scan of the system and removing every threat it detects. Follow the steps below to remove the infection with SpyHunter.

Download and install SpyHunter Anti-malware on your PC.

(Note: If the infected PC cannot download the tool, download it on another computer that works normally and copy it over with a removable drive.)

Launch SpyHunter and click the Scan Computer Now button. It will start scanning for the files and registry entries of the malware.

scan-computer-now

The scanning usually takes a few minutes to complete.

SpyHunter scanning

When the scan is complete, click Fix Threats to remove all the threats related to the ransomware.

fixthreats

SpyHunter's scan is free. To delete the infections it finds, you must first register for the full version of SpyHunter.

Option 2: Delete Zepto Ransomware manually (ONLY recommended for advanced PC users)

If you are sure about removing the malware manually, follow the steps below. Remember to back up the registry before you change anything in it, so you can restore the system if it stops working. See How to back up and restore the registry in Windows.

Step 1: Restart your PC in safe mode

Step 2: Change the Folder Options settings to show hidden files and folders.

The malicious files of Zepto Ransomware may be hidden. To find and delete them, change the folder options so that hidden files and protected system files are shown.

Windows 10

Double-click This PC on your desktop. (If it is not on the desktop, open Windows Explorer and select it in the left pane.)

this PC

Click View and, in the ribbon that appears, tick the Hidden items box.

hidden items

Windows 8

Open the Charms bar, click Settings, then select Control Panel.

settings-cp

Type “folder” in the search box of the Control Panel window and click Show hidden files and folders under Folder Options.

folder

On the View tab, select Show hidden files and folders and clear the Hide protected operating system files checkbox.

show-hidden-8

Click OK button to save the changes.

Windows 7/Vista/XP

Click on Start button and go to Control Panel.

control-panel-7

Click Folder Options in the Control Panel window (with View by set to Large icons).

folder-options-7

Select the View tab, select “Show hidden files and folders” and untick “Hide protected operating system files”.

show-hidden-7

Click OK to save the changes.

Open each of the following folders (paste the path into the Explorer address bar) and delete the ransomware's files and folders. These folders also hold legitimate application data, so delete only items you can tie to the infection, for example by a creation time that matches the moment your files were encrypted.

%AppData%

%LocalAppData%

%ProgramData%

%WinDir%

%Temp%

Step 3: Delete malicious content from the hosts file.

Zepto Ransomware may add entries to your hosts file. To edit the hosts file on your machine, follow the instructions below.

Windows 10/8/8.1

Type notepad in the search box of the Start menu.

Right-click on Notepad in the search results list, and select Run as administrator.

Click File -> Open.

file-open

Type the following path in the File name box and click Open.

c:\windows\system32\drivers\etc\hosts

open -file

Now you can edit the hosts file. Delete any entries you did not add yourself and save the changes. On Windows Vista and later the default hosts file contains only comment lines (beginning with #), as in the image below:

hosts-file

Windows 7/Vista/XP

Press Windows key + R, type the following in the Run box and click OK.

notepad c:\windows\system32\drivers\etc\hosts

run-notepad-

The hosts file opens in Notepad. Find and remove any entries added by Zepto Ransomware.

hosts-file-7

Save the file when you have finished editing it.
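To make the hosts review above less guesswork, here is an added example (not part of the original guide) that parses the text of a hosts file and reports every active mapping, ignoring full-line and inline comments. Because the stock hosts file on Windows Vista and later is comments only, the one benign case it recognises is a loopback address mapped to localhost; every other active line is flagged for you to look at. The sample hosts content is constructed; the flagged hostnames and the 203.0.113.x address are documentation placeholders, not real indicators.

```python
"""List the active entries in a Windows hosts file and flag the unexpected ones (added example)."""
import sys

LOOPBACK = {"127.0.0.1", "::1"}
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return [(line_no, ip, [hostnames])] for each active mapping in hosts text."""
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()                 # tabs or spaces both separate fields
        if len(fields) < 2:
            continue                          # an IP with no names maps nothing
        entries.append((no, fields[0], fields[1:]))
    return entries


def review_hosts(text):
    """Split active entries into (benign, suspicious).

    Benign: a loopback address mapped only to localhost names.
    Everything else is flagged for manual review.
    """
    benign, suspicious = [], []
    for entry in parse_hosts(text):
        _no, ip, names = entry
        if ip in LOOPBACK and all(n.lower() in LOCALHOST_NAMES for n in names):
            benign.append(entry)
        else:
            suspicious.append(entry)
    return benign, suspicious


# Constructed sample: the stock comment header plus three active lines
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
# ::1             localhost
127.0.0.1       localhost
0.0.0.0         update.example-av.test   # blocks a security-update host
203.0.113.7     www.example-bank.test    login.example-bank.test
"""


if __name__ == "__main__":
    # Pass the real path (c:\windows\system32\drivers\etc\hosts) as the first argument
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_HOSTS
    benign, suspicious = review_hosts(text)
    print(f"{len(benign)} benign, {len(suspicious)} suspicious active entries")
    for no, ip, names in suspicious:
        print(f"line {no}: {ip} -> {' '.join(names)}")
```

An entry that points a security vendor's or update server's name at 0.0.0.0 or 127.0.0.1 is the classic way malware blocks updates, and a public address mapped to a bank or login name is a redirection; both kinds show up in the suspicious list.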

Step 4: Remove Zepto Ransomware from startup items

Windows 10/8/8.1

Right-click the taskbar and choose Task Manager, or press CTRL + SHIFT + ESC.

If Task Manager looks like the image below, click “More details” in the lower left corner to show the other tabs.

more-details

Choose the Startup tab. Find the entries related to the ransomware and click Disable so they no longer start with Windows.

startup-10

Windows 7/Vista/XP

Click the Start button, type msconfig in the search box or Run box, and click msconfig.exe in the results or press Enter.

msconfig-7

In the System Configuration window, click Startup tab.

startup-7

Find the malicious entry of the ransomware and untick its box.

Click OK to save changes when you are done.

Restart Windows; the unticked programs should no longer start automatically.

Step 5: Clear registry entries of Zepto Ransomware

Warning: Editing the Windows registry is not recommended for anyone who has never done it before. Deleting the wrong key can damage the system badly. To avoid that, we recommend using a professional malware removal tool. If you are confident, back up the registry entries before deleting them.

To back up your Windows registry:

Open the Registry Editor by pressing Windows key + R, typing regedit in the box and clicking OK.

regedit-run

When the Registry Editor opens, select the key you are about to change (or select Computer at the top of the tree to export the whole registry).

Click on File and select Export.

file-export

Select a proper location on your PC and type a name for the backup file in the File name field.

Click on Save button.

To delete the registry keys of the ransomware:

After backing up the registry keys or subkeys, follow the guide below to delete the registry keys of Zepto Ransomware.

Press WIN + R to open the Run box.

Type regedit into the Open box and click on OK.

regedit-10

Search for (Edit > Find) and delete the entries associated with the ransomware, shown in the image below. The usual persistence locations to inspect are the Run and RunOnce keys under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion; a value there that launches a file from %AppData%, %Temp% or another of the folders listed above is a strong sign.

registry

Note: If you are unsure whether a registry entry belongs to the malware, leave it alone. Otherwise your PC may be damaged.

Step 6: Restart your PC in normal mode.

Several tips to prevent Zepto Ransomware

To avoid being infected by this ransomware and other threats, here are several useful tips.

☑ Avoid opening attachments and embedded links in unexpected emails, even ones that appear to come from your friends, since sender addresses are easily forged. Keep in mind that spam is a preferred distribution method because it lets criminals reach many potential targets with little effort.

☑ Back up your important data regularly, and keep at least one copy offline or otherwise unreachable from the PC, so that if the machine is infected you can restore your files without paying the ransom.

☑ Keep a good, up-to-date antivirus program on the PC. Current antivirus software can block many Zepto Ransomware samples and other infections, though no product catches everything, which is why the backups matter.


 
