Amongst a bevy of attributes exhibited by every sample of data-encrypting ransomware, the structure and text of warning messages are like fingerprints. Some of these infections try to intimidate people through blatant misinformation and exaggeration, for instance, stating that one’s files are locked with a stronger cryptosystem than it actually is. In the case of the Locky ransom Trojan and its version called Zepto, though, the warning accurately expresses the real state of things.
When a Windows user gets his or her desktop background replaced with an alert that says, “All of your files are encrypted with RSA-2048 and AES-128 ciphers,” this statement is unfortunately true. The one undoubted thing that these adverse circumstances indicate is an attack by a piece of ransomware dubbed Locky, or its newly released edition known as Zepto. The aftermath of such a breach is as follows: all personal files get encoded and the corresponding filenames get scrambled as well. Every affected entity will also have an appendix, either .locky or .zepto, that’s unique to this extortion campaign. Ultimately, the victims are unable to access their valuable data, nor can they install any third-party software capable of handling this task.
The way this particular malware artifact infiltrates computers is kind of interesting; at least, it leverages a social engineering methodology that’s not very widespread. At the first stage of the hoax, a potential victim receives a spam message over email that looks personalized as it typically addresses them by name and thus, obviously, evokes trust from the beginning. The file attached to this email is most likely a Microsoft Word document in Docm format. When opened, this file prompts the user to activate macros, and if this happens the malicious executable is loaded onto the system and instantly launched with high privileges. The ransomware then traverses the hard drive and network shares in search of data, focusing on files with specific extensions that correspond to popular formats.
When a random personal file is detected, what happens is the offending code encrypts it with a 128-bit AES key. Since this cryptosystem can be cracked with some forensic effort, the criminals behind Zepto and Locky went further and enhanced the lockup effect by additionally encrypting the AES key with RSA crypto, which is asymmetric and impossible to circumvent. The private RSA key is stored offsite, so the contaminated computer does not interact with it in any way. As mentioned above, filenames turn into bizarre hexadecimal strings appended with a new extension.
As soon as the scrambling has been done, the ransom Trojan suggests the user to open recovery instructions, which may be titled “_HELP_instructions.html (.txt, .bmp)” or “_Locky_recover_instructions.html (.txt, .bmp)”. Along with the part that reads, “All of your files are encrypted with RSA-2048 and AES-128 ciphers,” these ransom notes also recommend the victim to navigate to a Tor domain named “Locky Decryptor Page”. This page contains information on the ransom size (usually 0.5 BTC, or approximately 300 USD), the Bitcoin address to send it, and a field for the automatic decryptor download link that will allegedly become available after the payment.
Here are some important facts about this strain: first of all, it cannot be decrypted for free – researchers are still working hard on this; secondly, sending the ransom to the bad guys is not recommended – it will keep their business going and there’s no certainty that the decryption will take place afterward as promised. Whereas it’s not feasible to get around the crypto facet of the Trojan, a couple of alternate techniques can help recover the versions of files backed up by the operating system prior to the attack.
Automatic removal of Locky and Zepto viruses
Extermination of this ransomware can be efficiently accomplished with reliable security software. Sticking to the automatic cleanup technique ensures that all components of the infection get thoroughly wiped from your system.
1. Download recommended security utility and get your PC checked for malicious objects by selecting the Start Computer Scan option
2. The scan will come up with a list of detected items. Click Fix Threats to get the virus and related infections removed from your system. Completing this phase of the cleanup process is most likely to lead to complete eradication of the plague proper. Now you are facing a bigger challenge – try and get your data back.
Methods to restore files encrypted by this ransomware
Workaround 1: Use file recovery software
It’s important to know that the Locky virus and its spinoffs create copies of your files and encrypts them. In the meanwhile, the original files get deleted. There are applications out there that can restore the removed data. You can utilize tools like Data Recovery Pro for this purpose. The newest version of the ransomware under consideration tends to apply secure deletion with several overwrites, but in any case this method is worth a try.
Workaround 2: Make use of backups
First and foremost, this is a great way of recovering your files. It’s only applicable, though, if you have been backing up the information stored on your machine. If so, do not fail to benefit from your forethought.
Workaround 3: Use Shadow Volume Copies
In case you didn’t know, the operating system creates so-called Shadow Volume Copies of every file as long as System Restore is activated on the computer. As restore points are created at specified intervals, snapshots of files as they appear at that moment are generated as well. Be advised this method does not ensure the recovery of the latest versions of your files. It’s certainly worth a shot though. This workflow is doable in two ways: manually and through the use of an automatic solution. Let’s first take a look at the manual process.
- Use the Previous Versions feature
The Windows OS provides a built-in option of recovering previous versions of files. It can also be applied to folders. Just right-click on a file or folder, select Properties and hit the tab named Previous Versions. Within the versions area, you will see the list of backed up copies of the file / folder, with the respective time and date indication. Select the latest entry and click Copy if you wish to restore the object to a new location that you can specify. If you click the Restore button, the item will be restored to its original location.
- Apply Shadow Explorer tool
This workflow allows restoring previous versions of files and folders in an automatic mode rather than by hand. To do this, download and install the Shadow Explorer application. After you run it, select the drive name and the date that the file versions were created. Right-click on the folder or file of interest and select the Export option. Then simply specify the location to which the data should be restored.
Verify whether the virus has been completely removed
Again, Locky or Zepto ransomware removal alone does not lead to the decryption of your personal files. The data restore methods highlighted above may or may not do the trick, but the ransomware itself does not belong inside your computer. Incidentally, it often comes with other malware, which is why it definitely makes sense to repeatedly scan the system with automatic security software in order to make sure no harmful remnants of this virus and associated threats are left inside Windows Registry and other locations.