Severity scale:  

Zepto virus. How to remove? (Uninstall guide)

removal by Olivia Morelli - -   Also known as zepto ransomware | Type: Ransomware

Zepto ransomware keeps lurking in the cyber space

Screenshot of Zepto virus ransom note and payment site

Zepto operates as an alternative version of Locky crypto-malware which has earned the title of a most destructive file-encrypting threat of 2016 [1]. It spreads via spam – more than 150,000 infected spam emails bearing the ominous attachment have been released [2]. Necurs botnet is known to facilitate the distribution network. Since then, the developers updated the virus several times: most recent versions are Lukitus and Ykcol.

Users are tricked into downloading an infected .zip or .docm attachment by tempting subject lines, such as “Please, see the attachment, “To the head of sales”, “Scanned image”, etc. Similarly to Bart ransomware, this virtual infection attempts to deceive users to execute a JavaScript file or enable macros. Once it's done, it encodes files with RSA-2048 and AES-128 ciphers. As a result, they get blocked bearing .zepto extension.

At the end of the encryption process [3], Zepto changes the desktop picture with an image that presents information about the virus and a request to pay a ransom. If this menace has befallen you, you should still remove Zepto. You might also try this free Zepto Decrypter.

Now the attention might be directed to Lukitus and Ykcol versions which hide in .7z email attachments. Though Zepto was most active in the end of 2016, even now some companies report getting infected with this version. Since the cyber criminals shuffle Locky variations, it would not be surprising if you can get infected with Zepto after opening .7z attachment.

Take into the consideration that hackers apply emotional pressure to persuade users to hurry with the payment [4]. Likewise, they succeeded in collecting more than $100,000 with the help of this ransomware. Let us assure that there are ways to complete Zepto removal. The most effective of them is to use Reimage or Malwarebytes Anti Malware

Like in the previous versions, Zepto activates via the dll file which is executed by rundll32.exe file. The latter is a legitimate system process. Likewise, it allows escape users' intervention. Just as other ransom-demanding viruses, this malware leaves ransom notes called _[2 chars]_HELP_instructions.html and _[2 chars]_HELP_instructions.txt on several folders, which hold the information about the decryption process. 

It states that there is no other way to decrypt files but to pay a ransom and receive a private key and a decryption program. We highly discourage you from purchasing the tool promoted by the perpetrators as it seems a malicious software as well. 

Instructions on how to access Zepto payment site are also provided by this virus. During the investigation process, we discovered that the payment site advertises Locky decrypter which was used by another ransomware called Locky. Now it can be purchased for 4 Bitcoins (approximately 2541 USD).

Questions about Zepto virus

Of course, you should never think of that because you can be left without both, your files and your money. To recover your data, you should remove Zepto first and then restore your files from a backup. Take a look at the ransom note: 


All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:

Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server.
To receive your private key follow one of the links:

If all of this addresses are not available, follow these steps:
1. Download and install Tor Browser:
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar:
4. Follow the instructions on the site.

After Locky rampaged on the virtual world for a couple of months, soon afterward, the cyber campaign of Zepto was launched. It reached its peak in July. Ordinary and corporate users all around the world were assaulted by this cyber menace. Thus, even if you reside in Sweden[5], which is regarded as the country with the lowest malware rate, stay vigilant.

As previously mentioned, the threat employs swift [XXX|XXXX].js file for a disguise. By pretending to be a financial report or invoice, it captures victims' attention. Opening the attachment enables Zepto to start its mischief in thousands of computers. After sending HTTP GET requests, the threat is able to get important information about victims computers. This also enables it to infect the bigger amount of computers.

By planting its wscript.exe executable [6] among the registry files, the ransomware keeps the device in its claws even if you reboot it. Moreover, the virus has been updated to such extent that even Windows Defender fails to block it. Therefore, it is of crucial importance that your security applications are updated daily.

Moreover, ODIN ransomware appeared as a backup to the original version of the threat. It seems that the felons do not intend to step aside.

The malware gets updated

Even though many new variants of the Locky have recently appeared, Zepto stays active and still uses various infiltration techniques to infect computers all over the world. It reached its highest 150% activity rate in July up to September last year.

Nonetheless, since then, though the spam campaign of this particular version subsided slightly, IT specialists spot its variations once in a while. The recent Zepto version disguised under luainstall.dll file. It also disguised under UFDFcTFN2.dll.3904.dr, LPwBHJjO2.dll. nvFjEHFele2.dllCrTqhHDO3.dll,  BsTVXmdKk1.dll. 3_FILE.exe, or oqmCxkcjyFG1.dll.[7].

Malware actively targets European countries, the United States, South America, and East Asian regions. Lately, virus researchers spotted that Locky ransomware, as well as its newest version – .aesir file extension virus, stepped in Facebook. Malware started spreading via Facebook’s messages by sending malicious SVG image file. Victims, who clicked on it, were redirected to a suspicious domain that looked like YouTube.

However, they were asked to install the plugin to play the video. This bogus plugin is Nemucod Trojan which is responsible for activating malware on the affected computer. Malware analysts expect Zepto to spread on Facebook or other social networks as well. Therefore, chances to encounter this cyber menace remain high. The only free and safe data recovery solution is backups.

A glimpse to the original Locky

Locky virus was first detected in the beginning of February. Since then, it has been updated for several times. It is believed that the most of its updates were introduced for making the decryption tools, that are typically presented by security firms, useless. However, hackers have also improved the protection of their identity, increased the amount of its ransom and improved virus ability to block anti-spyware software.

Zepto is not as advanced as its previous version. However, security experts have already started making the virus decryption tool which should be quite similar to Locky decrypter and should show up anytime soon. This virus was, and still is, one of the most powerful ransomware variants and none of the malware researchers attempts’ to create a decryption tool for it were successful.

Unfortunately, it seems that these cybercriminals know what they are doing, and they do take advantage of their programming skills because their malicious programs appear to be uncrackable. If you are reading this article and your computer is not infected yet, please follow these rules to protect your computer from this ransomware and avoid a need to deal with Zepto removal:

  • Install an anti-malware software on your computer to keep it protected from malicious viruses;
  • Keep all your software up-to-date. Our tip is to enable automatic updates;
  • BACK UP your files. In fact, this is the only way to secure your data from encryption. You have to create file copies and save them on a removable storage drive, and then unplug it from your computer. You can use backups in case your computer gets hit by a ransomware;
  • Never open suspicious emails or files attached to them! Cyber criminals distribute this virus by sending deceptive letters to thousands of email accounts, claiming that they are delivering invoice, phone bill, speeding ticket, CV, or a similar document.

Distribution strategy remains the same

As we have already mentioned, authors of this virus create fake email accounts and send officially-looking files, usually Word documents. Typically, these crooks insert malicious codes into a .zip and .docm files which are named using tricky titles.

Such malicious code can be activated via Word Macros function or by launching JavaScript file, so make sure you don’t do that in case you see a scrambled text after opening Word document that you have received via email.

Criminals also send JS files, which can be activated just by opening them. In addition, though such method is not widely practiced, but beware of exploit kits. They might be trojans, rogue malware or any malignant files.

By passing themselves off as legitimate files they might slip into the system and then launch Zepto when the time comes. In order to decrease the possibility of such malware attack, do not forget to update your security applications daily.

In general, we recommend you to avoid clicking or opening any kind of content online if you are not sure if it is secure. Cyber criminals use numerous techniques to deceive computer users, and it can be hard to keep up with the news and know all sources of infection.

We advise you to protect your computer with anti-malware software, backup your data, and refrain from opening emails sent from strangers. For more information about ceasing Zepto hijack, take a look at this article – How to protect your computer from Locky? 5 tips for taking control.

Terminate Zepto and attempt to restore your encrypted data

Zepto removal is a complicated process, and you should NOT try to delete its components on your own. Even qualified malware researchers find it difficult to eliminate this piece of malware, so we advise you to choose a reliable malware removal tool (for instance, Reimage or Malwarebytes Anti Malware) that was designed by advanced malware researchers and can help you remove Zepto automatically.

There is no doubt that this hideous infection will try to stop you from doing that, so please carry out these instructions to run an anti-malware program.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Zepto virus you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Zepto virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

To remove Zepto virus, follow these steps:

Remove Zepto using Safe Mode with Networking

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Zepto

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Zepto removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Zepto using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Zepto. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Zepto removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Zepto from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Zepto, you can use several methods to restore them:

Use Data Recovery Pro to recover your files encrypted by Zepto

Originally, Data Recovery Pro was created to retrieve the files after an unexpected system crash or simply after the careless elimination of the files. However, you can also try using it to recover your important files.

Rely on Windows Previous Versions functionality to recover files affected by Zepto

You should be able to recover the data using Windows Previous Versions feature if the System Restore was enabled on your computer. For that, use the following guide: 

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use Shadow Explorer to decrypt encrypted files

One of the main features of Locky and its “cousin” Zepto, which helped it to retain the title among ransomware threats, is its ability to locate and delete the volume shadow copies. They are automatically created by the operating system in case a system is crashed unexpectedly. However, you should still try to recover your files encrypted by Zepto with the help of these steps:

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Zepto Decrypter

You might launch this utility to decode the files affected by Zepto.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Zepto and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions


Removal guides in other languages