Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Operation Global III ransomware not only encrypts, but infects your data as well


  • Please log in to reply
82 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,274 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:04 PM

Posted 09 December 2014 - 05:15 PM

The Operation Global III ransomware is a computer infection that encrypts the data and executables on your computer so that they cannot be opened unless you pay a ransom. The current ransom for this infection is approximately $250 USD and must be paid with bitcoins. This particular ransomware is in some ways very basic, but includes new functionality that makes it more dangerous than previous ransomware infections. This is because not only does the Operation Global III ransomware encrypt your files, but it displays a lock screen that blocks you from using your computer till you pay the ransom, and also acts like a virus that infects your files with malicious code to spread to other computers. Thankfully, a decryption tool was able to be made, which is discussed at the end of this article.
 

operation-global-iii-ransomware.jpg


When the ransomware is started it will display the above lockscreen so that you cant use your computer. It will also change your encrypted files extensions to .EXE and then infect them with malicious code that allows it to spread to other computers when the files are opened. If one of these files is then double-clicked it will launch the encrypter and encrypt and infect any new files. If one of these files is double-clicked on a previously unaffected computer, then this computer will become encrypted and infected as well.

Potentially the most dangerous feature of this ransomware is that it will look for unmounted network shares and mount them as a drive letter on your computer. It will then proceed to encrypt and infect the files found on these network shares as well. All previous ransomware infections would only target drive letters on the existing computer and would ignore unmapped network shares. Operation Global III on the other hands raises the ante by going after all network shares and infecting any files or executables it finds on them. As Windows by default does not display file extensions, someone on another computer would open one of these files not realizing that they are executables and then their computer would become infected as well.

The good news is that the decryption key for each file is stored inside the encrypted file. This allowed Nathan Scott, aka DecrypterFixer, to create a program that patched the virus/ransomware so that you can decrypt your files for free. After using his tool when you double-click on a file, instead of encrypting other files, it would decrypt it. Nathan has put together a YouTube video that describes how to use his patcher to disable the encryption routine and allow you to decrypt your files. This video can be found below.
 

http://youtu.be/1M5IEW5_Ydw


To summarize the above vide, in order to use his tool to decrypt your files you must keep the malware active and running on your computer. While the screenlocker is open you can still Alt+Tab to the desktop in order to access your applications. Once at your desktop, start a web browser and download the Operation Global III Ransomware Patcher and save it to your desktop. Once it is downloaded, double-click on the program and you will see the patcher as shown below.
 

operation-global-iii-patcher.jpg


To patch the malware so you can decrypt your files, please click on the Patch button. The patcher will patch the ransomware program and automatically minimize the lock screen. You can then double-click on your affected files to decrypt them.

Unfortunately, the routine used by Operation Global III to infect executables is buggy and when you decrypt them they may no longer work. Therefore you will need to reinstall many of the applications that were infected. With this said, it is strongly advised that you reinstall Windows and all of your applications after you recover your data files. This will guarantee that your computer is working properly again.


BC AdBot (Login to Remove)

 


m

#2 rp88

rp88

  • Members
  • 2,788 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:04 PM

Posted 10 December 2014 - 10:28 AM

Clear proof, always backup to unconnected drives, send your data to a usb or via a browser interface into the cloud then put the usb in a safe several metres from the nearest computer and logout of your cloud account. This really is one hell of a nasty type of attack.
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#3 ITWebGuy

ITWebGuy

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:04 PM

Posted 10 December 2014 - 11:37 AM

Can we convince the developer to automatically search for and decrypt any affected files?

As a Antivirus Help Desk tech, we run into a liability risk by having to browser a customers files and customers are not savvy enough to do this on their own.

Just a suggestion.

 

Your friendly neighborhood tech,

 

RC



#4 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:04 PM

Posted 10 December 2014 - 12:13 PM

*sigh* Never running out of ideas to part people of their money, aren't they? These bastards...

Kudos to Nathan for the patcher!

#5 David Feller

David Feller

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:04 PM

Posted 10 December 2014 - 12:37 PM

Does this topic or solution relate to our files that are now encrypted.  The extension is .dofmtjg.  The PC is becoming unusable and I fear that we have just lost all of our data.  Thank you. 



#6 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,274 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:04 PM

Posted 10 December 2014 - 12:46 PM

Does this topic or solution relate to our files that are now encrypted.  The extension is .dofmtjg.  The PC is becoming unusable and I fear that we have just lost all of our data.  Thank you.


If you PM me the ransom note and links inside it, I can take a look. May be CTB Locker.

You can pm me here: http://www.bleepingcomputer.com/forums/index.php?app=members&module=messaging&section=send&do=form&fromMemberID=3

#7 rmelv7

rmelv7

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:04 AM

Posted 18 January 2015 - 07:31 PM

Hi,

 

A customer I look after managed to get this, and without proper backups (don't ask), we are stuck.

 

We have got the Australian version of this more or less and it seems that sadly the patch tool will not work as it says.

 

"The infection exe could not be found". This is while I can see it running in the background, I can also see the exe in the file system as well.

 

I can upload, the infected exe, a infected file and the file list as well.



#8 albert23

albert23

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 AM

Posted 30 January 2015 - 12:18 AM

We have got the Australian version of this more or less and it seems that sadly the patch tool will not work as it says.

 

 

I have got the 'Australian' version as well (with the AU flag on the screenlocker). Did you manage to get the files restored?

I'm going to try this tomorrow at the clients premise. Fingers crossed I guess.



#9 albert23

albert23

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 AM

Posted 30 January 2015 - 12:20 AM

20150127_074455.jpg



#10 Grinler

Grinler

    Lawrence Abrams

  • Topic Starter

  • Admin
  • 43,274 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:04 PM

Posted 30 January 2015 - 10:09 AM

If you can send me one of your encrypted files, we can take a look for you.

http://www.bleepingcomputer.com/submit-malware.php?channel=3

#11 albert23

albert23

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 AM

Posted 30 January 2015 - 06:30 PM

I am trying to upload one of the files, but I'm getting an access denied message, saying I don't have permissions to open the file.

I have changed the security properties to Full Access and have taken ownership of the file I'm trying to send, but am still getting the same message.

 

Any ideas?



#12 albert23

albert23

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 AM

Posted 30 January 2015 - 07:36 PM

I managed to submit one of the infected .jpg files.

Some more info: when I try to run the patcher from this article, it throw and 'unhandled exception' error and terminates.

 

The infection is on a Windows 7 Pro x64 machine.

 

Thanks in advance for your time and effort. I want to mention at this stage that I am more than happy to re-imburse you for your time and effort if a suitable solution can be provided.



#13 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:04 PM

Posted 30 January 2015 - 07:50 PM

I need the infection EXE ASAP to make a new patcher. Thanks.


Have you performed a routine backup today?

#14 Nathan

Nathan

    DecrypterFixer


  • Security Colleague
  • 1,617 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:06:04 PM

Posted 30 January 2015 - 08:16 PM

AU Version Decrypter

 

Okay so with the AU version, it cannot detect the virus itself, so you will ned to be sure the virus is up and running yourself.

 

The Decrypter EXE name is explorer.exe when you download it, leave the name as is! This allows it to run while the virus is running!

 

Also, when u try to run it, the virus will try and close the UAC prompt before you can click yes, simply use the arrows of ur key board and enter, or just be quick.

 

After this simply follow instructions.

 

I understand this is quite crude, but its all i have time for at the moment, Sorry.

 

 

AU OG3 Decrypter Link:

http://ransomwareanalysis.com/explorer.exe


Have you performed a routine backup today?

#15 albert23

albert23

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:04 AM

Posted 30 January 2015 - 09:28 PM

Thanks very much for the very quick responses Nathan.

I have tried the new patcher; I can run it without issues with the virus active and the lock screen showing. When I click the patch button, after a few seconds I get the message that the virus screen should have disappeared, but unfortunately it is still there. I've tried a couple of times, but the virus stays active after patching.

 

Appreciate any feedback you might have.

 

Thanks,






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users