# samba file sharing virus zepto



## oistha (Jul 13, 2016)

Help me please,

File server FreeBSD using Samba has virus zepto extension in Excel file.


----------



## Murph (Jul 13, 2016)

oistha said:


> Help me please,
> 
> file server freebsd use samba has virus zepto extension in excel file


Sounds like some sort of Windows malware.  Not really a FreeBSD problem as such, and shouldn't be a problem for FreeBSD itself (no promises or guarantees about that, however).  I guess one of your Windows client systems is infected and dumped a load of crap on the server via SMB.

From a FreeBSD point of view, just delete them, probably (but don't take my word for it and then be unhappy if something important gets lost — I can't see what is in those files, I don't know your server or network).  If the malware has encrypted everything on the Samba share, you may need to restore from backups.

From a Windows point of view, some of the Google hits suggested it could be some sort of ransomware encryption criminal extortion nonsense.  So, just deleting them will lose whatever is inside them.  You may need to restore from backups.

A forum dedicated to malware removal is probably the better place to seek advice on how to recover from that on the Windows side of things.  Beware of the fake/scam virus removal sites/forums/companies; they are pretty much just as bad as the people behind the viruses.

N.B. You (or your company, or someone on your network) are very likely the victim of a crime.  The nature of the crime classifies it in my mind as something which may even come under some of the severe organised crime laws.  It certainly would be a crime under many of the world's computer crime laws.  In the UK, for example, that may qualify for up to 10 years imprisonment, if memory serves, under §3 of the act, possibly more if considered as one of several offences likely committed.  You may wish to involve law enforcement, although I doubt that they would be able to give you any real practical help with your data.  Probably computer crime (for the unauthorised modification of data), fraud (for the intentionally misleading email that delivered it), and extortion (for the ransom demand under duress).  If you want to involve law enforcement, don't delete anything or otherwise do anything which could destroy evidence before speaking to them about preservation of evidence.


----------



## fossette (Jul 16, 2016)

A Windows computer on your network seems to be infected by the Locky Ransomware.  More details about this infection can be found here:
http://www.bleepingcomputer.com/virus-removal/locky-ransomware-information-help

It is generally agreed on that restoring from backups is the best solution, and for the infected computer, have it cleaned up to make sure no trojan remains and infects again.  Do you have a good Windows anti-virus installed on all those Windows computers?

If some files are not backed up, there is currently no known way to recover the encrypted files.  It is recommended to keep those .zepto files on separate media until security experts crack this particular version of the ransomware.  It may take months or years, so patience is needed.  The above link is an excellent reference for keeping up to date.

I certainly DO NOT RECOMMEND paying any ransom, as there is no guarantee that the criminals who infected your computer will give you the code to get your files back.

Dominique.


----------



## fossette (Jul 21, 2016)

Oistha hasn't told us if a full backup was made before the infection.  Ransomware usually erases Windows' Volume Shadow Service (VSS) copies, so no 100% guarantee indeed, but it is good to check VSS on the infected Windows computers, or whether duplicates of the files can be found on other unaffected computers.  For obvious reasons, this technique is not applicable to files on a Samba server, although ZFS snapshots could be of great help if enabled.
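The ZFS-snapshot recovery idea above, worked through as an added example (not code from any poster): a POSIX sh script that lists the ransomware-renamed files on a share and, for each, finds the newest snapshot still holding the clean original via the dataset's `.zfs/snapshot/<name>/` directory. It assumes the share root is a ZFS dataset, that snapshot names sort chronologically (e.g. `auto-2016-07-12`), and that the encrypted file kept its original name with `.zepto` appended; the share path, snapshot names and file names in the usage are constructed, not taken from the thread.

```sh
#!/bin/sh
# Added example: locate ransomware-renamed files on a Samba share that lives on
# ZFS and find, per file, the most recent snapshot containing the original.
# Assumption: snapshots are reachable under <share>/.zfs/snapshot/<name>/
# and their names sort in time order; the extension defaults to "zepto".

# Print every file under the share carrying the ransomware extension.
# The .zfs pseudo-directory is pruned so snapshot copies are not reported.
find_encrypted() {
    share=$1; ext=${2:-zepto}
    find "$share" -path "$share/.zfs" -prune -o -type f -name "*.$ext" -print
}

# Given one encrypted file, print the newest snapshot path that still holds
# the original (name with the extension stripped). Returns 1 if none exists.
find_clean_copy() {
    share=$1; encfile=$2; ext=${3:-zepto}
    snapdir=$share/.zfs/snapshot
    [ -d "$snapdir" ] || return 1
    rel=${encfile#"$share"/}      # path relative to the share root
    orig=${rel%."$ext"}           # assumed original name
    for snap in $(ls -1 "$snapdir" | sort -r); do
        if [ -f "$snapdir/$snap/$orig" ]; then
            printf '%s\n' "$snapdir/$snap/$orig"
            return 0
        fi
    done
    return 1
}

# Report, one line per encrypted file, whether a snapshot copy exists.
# Usage: report /tank/share [extension]
report() {
    share=$1; ext=${2:-zepto}
    find_encrypted "$share" "$ext" | while IFS= read -r f; do
        if clean=$(find_clean_copy "$share" "$f" "$ext"); then
            printf 'RECOVERABLE %s <- %s\n' "$f" "$clean"
        else
            printf 'NO-SNAPSHOT %s\n' "$f"
        fi
    done
}
```

Run `report /path/to/share` (constructed path) on the file server before deleting anything; the output only reads the share and the read-only snapshot tree, so it does not alter evidence.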


----------



## SirDice (Aug 2, 2016)

As has been said, use a proper virus scanner to get rid of it. There's no danger to FreeBSD and this issue is really a Windows issue.

I'm going to close this thread. It's attracting a lot of clickbait.


----------

