ZEPTO Ransomware Investigation

Earlier this month we received a phone call from one of our customers requesting assistance restoring files to their file server. We asked “what happened?”, to which the customer replied “ransomware”.

We quickly went onsite to assess the situation and assist with the recovery.
Once onsite, we learned that an employee had clicked on what was perceived to be a legitimate email with an invoice attachment. Opening that attachment installed ransomware on the host workstation. (Ransomware seeks out files to encrypt on the host system, on mapped network drives and on file shares.)
In this case, both the infected workstation and the file server were affected: all files (.docx, .pdf, .xlsx, .pptx, etc.) were encrypted and renamed with a new extension, .ZEPTO.

The customer was very lucky to have caught this relatively early. An employee discovered the ransomware after unsuccessful attempts to access certain files on the file server. By that time, the ransomware had encrypted only 20,000 files on the file server, which was about 20% of the data.
After disconnecting the infected host workstation, the propagation was contained.
Note: as a best practice, disable all backups and file syncing as soon as ransomware is discovered. This prevents good backups from being overwritten with encrypted files.

The backup files from the previous day were unaffected by the ransomware.

There are a few ways to restore data after a ransomware incident, and a few steps worth taking first. Instead of simply deleting the encrypted files, copy the encrypted data files to an external device to preserve them as evidence. After the original data has been copied and preserved, we can:

1. Restore to the original location – this will restore and overwrite any existing files with the same name
2. Restore to alternative location – this will restore selected files to a location of your choice

Note: ransomware is not a virus; it simply encrypts files, making them inaccessible without the decryption key.
After files have been restored to the original location, searching for and removing the leftover .ZEPTO files is easy.
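The steps above (measure the spread, preserve the encrypted files as evidence, restore, then clean up the .ZEPTO leftovers) can be scripted so that nothing is deleted by accident. The following is an added example written for this article, not a script from the original incident or from any vendor. It assumes the ransomware appends `.ZEPTO` to the original file name (so `report.docx` becomes `report.docx.ZEPTO`), and it builds a small constructed sample share in a temporary directory to run against. The clean-up step only removes an encrypted file when the restored original is sitting beside it; anything without a restored counterpart is reported and left in place, since it may be the only copy.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Assumption: the ransomware appends this extension to the original file name.
# Matched case-insensitively, since the article shows it as .ZEPTO.
ENCRYPTED_EXT = ".zepto"


def inventory(share_root):
    """Count every regular file under the share and the subset carrying the
    ransomware extension, so the spread (e.g. "20% of the data") can be
    measured before anything is touched."""
    root = Path(share_root)
    total = 0
    encrypted = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        total += 1
        if path.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(path)
    pct = (100.0 * len(encrypted) / total) if total else 0.0
    return {"total": total, "encrypted": len(encrypted), "percent": round(pct, 1)}, encrypted


def preserve_evidence(share_root, evidence_root):
    """Copy every encrypted file to the evidence location (an external drive in
    practice), keeping its relative path. Nothing on the share is altered."""
    root = Path(share_root)
    _, encrypted = inventory(root)
    copied = []
    for path in encrypted:
        dest = Path(evidence_root) / path.relative_to(root)
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)  # copy2 keeps timestamps, useful for the timeline
        copied.append(dest)
    return copied


def remove_encrypted_leftovers(share_root, dry_run=True):
    """After a restore to the original location, delete each encrypted file only
    if the restored original (same path minus the extension) exists beside it.
    Encrypted files with no restored counterpart are reported, not deleted."""
    root = Path(share_root)
    _, encrypted = inventory(root)
    removed, kept = [], []
    for path in encrypted:
        original = path.with_suffix("")  # 'Q3.xlsx.ZEPTO' -> 'Q3.xlsx'
        if original.is_file():
            if not dry_run:
                path.unlink()
            removed.append(path)
        else:
            kept.append(path)
    return removed, kept


def build_sample_share(base):
    """Constructed sample share: two encrypted files, one of which has already
    been restored from backup, plus files the ransomware never reached."""
    base = Path(base)
    (base / "Finance").mkdir(parents=True, exist_ok=True)
    (base / "HR").mkdir(parents=True, exist_ok=True)
    (base / "Finance" / "Q3.xlsx").write_text("restored from backup")
    (base / "Finance" / "Q3.xlsx.ZEPTO").write_bytes(b"\x00encrypted\x00")
    (base / "HR" / "policy.pdf.zepto").write_bytes(b"\x00encrypted\x00")
    (base / "HR" / "handbook.docx").write_text("untouched")
    (base / "README.txt").write_text("untouched")
    return base


def run_demo():
    """Run the three steps against the constructed share in a temp directory
    and return the figures so they can be checked."""
    work = Path(tempfile.mkdtemp(prefix="zepto_demo_"))
    share = build_sample_share(work / "share")
    stats, _ = inventory(share)
    copied = preserve_evidence(share, work / "evidence")  # sibling dir, not inside the share
    removed, kept = remove_encrypted_leftovers(share, dry_run=False)
    return {
        "stats": stats,
        "evidence_copies": len(copied),
        "removed": sorted(p.name for p in removed),
        "kept": sorted(p.name for p in kept),
        "evidence_still_present": all(p.is_file() for p in copied),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run `remove_encrypted_leftovers` with the default `dry_run=True` first and review the `kept` list: each entry is a file that was encrypted but has no restored original at the same path, which usually means the restore job missed it or the backup predates the file.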