
  • Administrators

Files with the .zepto extension were encrypted by Filecoder.Locky. With ESET Smart Security v8 / v9 or ESET Endpoint Security v6 installed and all protection features enabled, the chances of getting infected should be very slim.


We have ESET NOD32 ver. 9 installed on our company's PCs, and two PCs had zepto files in various directories. 344 files were switched to zepto in a two-minute period on July 5. No indication from NOD32 that there was an issue. We can manually scan the zepto file and ESET finds nothing wrong. Shouldn't the fact that a file has a .zepto extension tip off the antivirus software that there is an issue?

  • Administrators

Shouldn't the fact that a file has a .zepto extension tip off the antivirus software that there is an issue?


Files with the .zepto extension are encrypted legitimate files and thus are not subject to detection.

  • 3 weeks later...

We've just been hit with .zepto today and it's encrypted all our network drives. We'll have to restore from backup.


turbis.exe looks like the suspect .exe, but I'm currently struggling to get access to it, even with icacls or takeown.


Yes, I've found the cause. The dropped .exe (turbis.exe) is currently detected by 2/52 at VirusTotal, and the offending email attachment (a .docm) is being detected by 12/52 at VirusTotal. ESET isn't detecting anything in either file.

Jim

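The two things the posters above had to work out by hand, that 344 files gained a .zepto extension inside two minutes without any alert, and which executable (turbis.exe) was written just before that happened, are timeline questions a signature scanner does not answer. The script below is an added example for this thread, not ESET code and not anything the posters ran: it flags a burst of .zepto last-write times inside a sliding window and then lists executables and lure documents written shortly before the burst as dropper candidates. The window, the count threshold, the set of dropper extensions, and every path in the constructed sample (including where turbis.exe and the .docm are placed) are assumptions; the thread does not say where those files lived.

```python
"""Rename-burst detector for Locky/Zepto-style encryption, plus a simple
timeline correlation to surface candidate droppers written just before the
burst.  Added example for this thread; not ESET code and not the posters'
own tooling.  Thresholds, extension list and sample paths are assumptions."""
import os
from collections import namedtuple
from datetime import datetime, timedelta

Entry = namedtuple("Entry", "path mtime")  # mtime: datetime of last write

ENCRYPTED_EXT = ".zepto"
# Assumption: file types worth a second look as a dropper or lure near the burst.
DROPPER_EXTS = {".exe", ".docm", ".js", ".wsf"}


def scan_tree(root):
    """Walk a real directory tree and yield Entry objects.  Used in the field;
    the constructed sample below stands in for it here."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue
            yield Entry(full, datetime.fromtimestamp(st.st_mtime))


def find_bursts(entries, window=timedelta(minutes=2), threshold=20):
    """Return [(first_mtime, last_mtime, count)] for every run of at least
    `threshold` .zepto files whose last-write times fall inside `window`.
    A user renaming a handful of files never trips this; a ransomware
    process writing hundreds of files in a minute does."""
    times = sorted(e.mtime for e in entries
                   if os.path.splitext(e.path)[1].lower() == ENCRYPTED_EXT)
    bursts, i, j, n = [], 0, 0, len(times)
    while i < n:
        # extend j to the last event still inside the window opened at times[i]
        while j + 1 < n and times[j + 1] - times[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((times[i], times[j], j - i + 1))
            i = j + 1  # do not re-report the same files from overlapping windows
        else:
            i += 1
    return bursts


def candidate_droppers(entries, burst, lookback=timedelta(minutes=15)):
    """Executables and lure documents written from `lookback` before the
    burst up to its end, sorted by path.  Something like turbis.exe would
    surface here if its write time is close to the encryption run."""
    start, end, _count = burst
    lo = start - lookback
    return sorted(e.path for e in entries
                  if os.path.splitext(e.path)[1].lower() in DROPPER_EXTS
                  and lo <= e.mtime <= end)


def constructed_sample():
    """Constructed data shaped like the July 5 incident in the thread: a lure
    document, a dropper, two untouched files, then 60 .zepto files written
    inside 90 seconds.  All paths are invented for this example."""
    t0 = datetime(2016, 7, 5, 9, 0, 0)
    entries = [
        Entry(r"C:\Users\alice\Downloads\invoice.docm", t0 - timedelta(minutes=9)),
        Entry(r"C:\Users\alice\AppData\Local\Temp\turbis.exe", t0 - timedelta(minutes=3)),
        Entry(r"C:\Windows\System32\notepad.exe", t0 - timedelta(days=400)),
        Entry(r"S:\finance\budget.xlsx", t0 - timedelta(days=2)),
    ]
    for k in range(60):
        entries.append(Entry(r"S:\finance\doc%02d.zepto" % k,
                             t0 + timedelta(seconds=1.5 * k)))
    return entries


if __name__ == "__main__":
    sample = constructed_sample()  # swap for list(scan_tree(r"S:\")) on a real share
    for burst in find_bursts(sample):
        print("burst: %d files between %s and %s" % (burst[2], burst[0], burst[1]))
        for p in candidate_droppers(sample, burst):
            print("  candidate dropper/lure:", p)
```

On a live share the last-write times come from NTFS and survive the rename, so `scan_tree` over the affected drive reproduces the "two-minute" picture the second poster saw; the lookback for droppers is deliberately generous because the lure document is usually opened some minutes before the payload finishes downloading and starts encrypting.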
  • Administrators

Yes, I've found the cause. The dropped .exe (turbis.exe) is currently detected by 2/52 at VirusTotal, and the offending email attachment (a .docm) is being detected by 12/52 at VirusTotal. ESET isn't detecting anything in either file.


Please pm me the links to VirusTotal scan results. Also you should know that:

1. VirusTotal does not say anything about whether a file is malicious or clean, functional or non-functional. It merely shows which vendors detect it, and it mainly helps users find out whether a file is suspicious enough to at least be temporarily renamed before re-scanning it at a later time.

2. VirusTotal does not say anything about whether a file is blocked by LiveGrid or other protection mechanisms.

3. It can even take several hours for VirusTotal to scan files with the latest signature database after it has been released.

  • 2 weeks later...

Yesterday a friend of mine had his Windows 10 laptop infected with Zepto. This thing is so nasty, and I cannot open the files with any type of program. Then I read a post saying they were encrypted and it would take a lot of time even for powerful PCs to decode this. So I found a security forum (sensorstechforum) claiming data recovery software might help with at least some of the files if you haven't reformatted Windows. What do you think?

  • 2 weeks later...
  • Former ESET Employees

Hello IT Alex,

Currently, if you're using the latest version of ESET Products and have settings configured at the recommended level (Live Grid, Advanced Memory Scanner, Advanced Heuristics on File Execution) then ESET will be extremely effective at blocking Filecoder-Ransomware type infections. 

To answer your specific question, we currently have multiple signatures for Filecoder variants that use the .zepto extension. However, keep in mind that new variants are released daily, which is why it is so important to use recommended settings and not unnecessarily disable recommended protections, such as Live Grid.


Best,

EricJ
