Zepto virus ransomware: how to decrypt .zepto extension files

Learn a viable workaround to recover .zepto files ransomed by a new variant of the Locky crypto virus, which is currently on the rise after a lengthy halt.

Discovering that most files on a computer suddenly got a .zepto extension is a frustrating scenario. Not only does this change denote an odd file display tweak, but it also means that the machine got hit by belligerent code engaging in extortion at its worst. The recent remake of Locky, a widespread ransom Trojan that used to terrify thousands of users and organizations, is the cyber threat to blame for such a mishap. The updated edition compromises PCs by means of phishing, where interesting-looking emails serve as baited traps. If the targeted person opens a rogue invoice or other file attached to one of these incoming messages, the deployment of the ransomware in the system is a matter of seconds. The loader adds a random-named executable to the AppData path, and the offending process commences the crypto part of the assault.

The '_[random number]_HELP_instructions.bmp' image becomes the desktop background
The ‘_[random number]_HELP_instructions.bmp’ image becomes the desktop background

The Zepto malware first scans the hard drive, plugged-in media such as memory sticks, and network shares for objects whose extensions indicate whether they are personal files or operating system components. The former type of data is subject to further encoding. The ransomware uses a compound crypto routine to lock the data for good. The Advanced Encryption Standard (AES) is the first tier of encryption. It produces a secret key with the size of 128 bits.

To raise the bar of recovery even more, the malicious program then employs the RSA-2048 cipher to encrypt the AES key. Filenames undergo a change as well and transform into long strings of numbers and characters with the .zepto part instead of the original extension. This tactic enables the threat actors to stipulate stringent conditions that the victim has to meet otherwise they run the risk of losing the information.

The new format of encrypted files
The new format of encrypted files

Locky expresses these conditions in files named according to the following format: “_[random number]_HELP_instructions.html” and “_[random number]_HELP_instructions.bmp”. The victim won’t fail to observe the BMP version as it becomes the new desktop wallpaper. The HTML counterpart, in its turn, is going to be inside all folders with encrypted files. Both of them say, “All of your files are encrypted with RSA-2048 and AES-128 ciphers”. To receive the unique private key, the infected user is told to visit one of several available Tor pages listed in these ransom notes. The person will eventually navigate to the “Locky Decryptor Page” containing the Bitcoin address, to which they are supposed to send about 0.5 BTC, which roughly equals to $300. While the uncomforting option of paying the ransom may seem to be the only way out, it’s not quite so. Several other techniques proved to work rather well for recovering data locked by Zepto and similar ransom Trojans.

Automatic removal of .zepto virus

When it comes to handling infections like this one, using a reputable cleaning tool is the place to start. Sticking to this workflow ensures that every component of the adware gets found and eradicated from the affected computer.

1. Download and install the cleaning tool and click the Start Computer Scan button Download Zepto removal tool

2. The wait is worth it. Once the scan completes, you will see a report listing all malicious or potentially unwanted objects detected on your PC. Go ahead and click the Fix Threats option in order to get Zepto automatically uninstalled from your machine. The following steps are intended to restore the encrypted files.

Recover .zepto files ciphered by the ransomware

Removing the infection proper is only a part of the fix, because the seized personal information will stay encrypted regardless. Review and try the methods below to get a chance of restoring the files.

Option 1: Backups

The cloud works wonders when it comes to troubleshooting in the framework of ransomware assault. If you have been keeping data backups in a remote place, just use the respective feature accommodated by your backup provider to reinstate all encrypted items.

Option 2: Recovery tools

The research of Zepto virus reveals an important fact about the way it processes the victim’s data: it deletes the original files, and it’s actually their copies that are encrypted. In the meanwhile, it is common knowledge that anything erased from a computer doesn’t completely vanish and can be dragged out of memory via certain techniques. Recovery applications are capable of doing this, so this method is surely worth a try.

Download Data Recovery Pro

Option 3: Shadow Copies

The Windows operating system incorporates a technology referred to as the Volume Snapshot Service, or VSS, which performs files or volumes backup routine automatically. One critical prerequisite in this regard is to have the System Restore feature toggled on. In case it has been active, some data segments can be successfully recovered.

You may perform this activity with the Previous Versions functionality, which is built into the OS, or by means of special applications that will do the job automatically.

  • Previous Versions feature

    Right-click on a file and choose Properties in the context menu. Find a tab named Previous Versions and click on it to view the last automatic backup that was made. Depending on a preferred action, click Restore to get the file recovered to its original location, or click Copy and indicate a new directory. Previous Versions feature

  • Shadow Explorer applet

    It’s remarkably easy to manage Previous Versions of files and folders with automated tools like Shadow Explorer. This program is free to use. Download and install it, let it come up with a profile of the file hierarchy on the computer, and get down to the restoration proper. You can select a drive name on the list, then right-click on the files or folders to recover, and click Export to proceed. Shadow Explorer

Did the problem go away? Check and see

Computer threats like ransomware may be stealthier than you can imagine, skillfully obfuscating their components inside a compromised computer to evade removal. Therefore, by running an additional security scan you will dot the i’s and cross the t’s in terms of the cleanup.

Download Zepto scanner and remover

10 thoughts on “Zepto virus ransomware: how to decrypt .zepto extension files”

  1. If the computer was attached but nothing was encrypted but the Wallpaper on desktop was posted. How can i remove the desktop wallpaper? I have check my files and they are still in their normal state but I have removed my laptop from the LAN. How can I remove the wallpaper. I cannot find its location

    • Hamadzashe,

      Judging from your comment, some fragments of Zepto may still be on board. We recommend running a scan with the ransomware removal solution – it should undo the side effects.

  2. dear sirs

    all my documents have been blocked by xepto <<Not only those stored in my laptop but also the ones I stored in my external units…
    Can you do something

  3. How can I decrypt the file. When I have received the virus infected file from E-mail.
    I don’t have shadow copy or previous path of the file.

    How can I decrypt the file? without any loss.

    Mail me the steps if it is possible.

    • lokesh,

      please follow the workarounds in this article. Unfortunately, security experts haven’t created a viable free decryptor for .zepto files at this point.


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.