Globe Ransomware Help and Support - Purge Extension & How to restore files.hta


430 replies to this topic

#1 Akivaido


Posted 23 August 2016 - 02:52 AM

This ransomware can be decrypted by these two tools:
https://decrypter.emsisoft.com/globe 
https://decrypter.emsisoft.com/globe2

Please try both tools. If you have any issues, please email support@emsisoft.com or post here.

 

 
 
Hey guys, a computer of my client got hit again by:
after he got hit by: http://www.bleepingcomputer.com/forums/t/620178/cryptxxx-and-locky/#entry4043403 (we took out the HDD in case there will be any solution and we set the computer up on a new hard drive; we also put on Kaspersky Small Office Security 4)
After we got hit by this ransomware we talked with Kaspersky Israel, and they told us that it's a new ransomware and we probably got it from an email.

This is the ransomware email and .exe:
.url.powerbase@tutanota.com .purge
Not all the files are encrypted by now, but after every restart we notice that more files are getting encrypted. The ransom note is an HTML application, "How to restore your file.hta".

ID Ransomware cannot determine the ransomware. I uploaded a sample file and a ransom note.
84eff39a5d54ffd90551003420a1498cc29453dd
I will also upload an encrypted file to http://www.bleepingcomputer.com/submit-malware.php
What should I do now? Should I keep my computer turned off?

Thanks everyone for the help.


Edited by xXToffeeXx, 30 December 2016 - 05:36 PM.



#2 Demonslay335

Ransomware Hunter

Posted 23 August 2016 - 07:20 AM

I've been hunting for a sample of this ransomware. If you have the exe that caused the encryption, we would really like it for analysis. Can you please submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168. Please leave an email address so we can contact you.


Edited by xXToffeeXx, 04 November 2016 - 04:11 AM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 Demonslay335

Ransomware Hunter

Posted 23 August 2016 - 09:48 AM

We've acquired a sample of this ransomware, and it is currently under analysis.




#4 01004753


Posted 11 September 2016 - 06:42 PM

Hi guys,

I basically found the script kiddie who encrypted my files logged in with my lab domain admin. He was uninstalling NOD Antivirus and he had the keyboard layout in Russian.

I immediately scanned my computer and found the malware but removed it. Didn't know it was ransomware :(

 

My encrypted files look like this: IFjbv3jPAT9lJW2S8vSKevu1CY3ayN08+-co5kGZ7DHuhIfi07k9-0.globe and in the same folder I have a How to restore files.hta file.

 

Thanks



#5 Demonslay335

Ransomware Hunter

Posted 11 September 2016 - 06:51 PM

There may be a chance of decrypting this one, it is still under analysis right now. Fabian is a busy ransomware-cracking fool of a man. :)

Do the logs from the removal tool(s) you used include hashes of what was removed? We can use that to look up whether it is in any database for retrieving a sample. Or, if you can restore it from quarantine, upload it to VirusTotal.



#6 01004753


Posted 11 September 2016 - 07:33 PM

It might seem funny, but Windows Defender (Windows 10) found the threat as Hacktool:Win32/Patcher with file: C:\TEMP\xFz0u3ezxnxrKXSw.globe

I found numerous Impersonating Logins with Source Network Address at 141.28.105.78 that might be the malware's call-home.

I also found some Impersonating Logins with Source Network Address at 37.79.250.26 and computername HOME-ПК (HOME-PC in Russian) so this can actually be the attacker's "HQ" :)



#7 01004753


Posted 11 September 2016 - 08:04 PM

I also found with Mark's (May your wishes come true!!) Autoruns, trust.exe in Registry Run (or RunOnce, don't remember. I've been awake for too much time) and I saved it.

The file can be downloaded from https://dl.dropboxusercontent.com/u/28038542/trust.exe and the VirusTotal analysis is here https://virustotal.com/en/file/f365425e42fc2fa4c0eac4a484ca9f8ef15d810de6a097ac8b071a13e803e117/analysis/1473641851/


Edited by 01004753, 11 September 2016 - 08:09 PM.


#8 computerguy12345


Posted 12 September 2016 - 07:07 AM

Hey, we were hit with this over the weekend also.

 

Are there any advancements to this? Is there anything we can do to help with the analysis? I cannot locate the exe and assume it no longer exists on our server.



#9 Squall6423


Posted 20 September 2016 - 08:23 PM

Hi everyone,

My PC was infected by Globe Ransomware and all files have been encrypted. Could anyone help with how to decrypt/recover all the files? I did submit a sample and am waiting for a solution.

My encrypted files look like this: Ki1JZ9yYmmDrMoPXwWcvmP2iSvmr.blt and in the same folder I have a How to restore files.hta file.

Thank you very much


Edited by xXToffeeXx, 04 November 2016 - 04:12 AM.


#10 ozzymandias


Posted 21 September 2016 - 07:16 AM

Hello

Sorry for my basic English. I was also affected by Globe.
I'll upload one .blt file and the original for comparison.

I even tried a decrypter based on another ransomware, without success, with the original file and the affected file.


Edited by ozzymandias, 21 September 2016 - 07:17 AM.


#11 fernandom


Posted 30 September 2016 - 08:36 AM

Trend Micro's decryptor just received an update that supports Globe. Have a look:

 

https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221

 

I've also updated the "Ransomware Overview" spreadsheet: https://goo.gl/b9R8DE

 

Thanks,

Fernando


Edited by fernandom, 30 September 2016 - 08:37 AM.


#12 spacapan


Posted 02 October 2016 - 11:01 AM

> Trend Micro's decryptor just received an update that supports Globe. Have a look:
>
> https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221
>
> I've also updated the "Ransomware Overview" spreadsheet: https://goo.gl/b9R8DE
>
> Thanks,
>
> Fernando

Unfortunately, their decryptor doesn't decrypt the .gsupport variant of the Globe cryptovirus... at least it failed on files that were encrypted at my colleague's yesterday.... ;/
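A defender-side triage helper, added here as an example (not code from BleepingComputer, Emsisoft or any poster): it walks a directory tree and inventories files whose names match the extensions reported across this thread (.purge, .globe, .blt, .gsupport) together with the "How to restore files.hta" note, so one can see how far the encryption spread and which variant is present before picking a decrypter. The demo directory layout is constructed from file names quoted by posters.

```python
import os
import re
import tempfile
from collections import Counter

# Extensions posters in this thread reported on their encrypted files.
# .blt and .gsupport are the later variants that early decrypters missed.
GLOBE_EXTENSIONS = {".purge", ".globe", ".blt", ".gsupport"}
RANSOM_NOTE = "How to restore files.hta"
# Posted sample names have base64-like stems: letters, digits, '+' and '-'.
STEM_PATTERN = re.compile(r"^[A-Za-z0-9+-]+$")

def classify(name):
    """Return the Globe-family extension if the name matches, else None."""
    stem, ext = os.path.splitext(os.path.basename(name))
    if ext.lower() in GLOBE_EXTENSIONS and STEM_PATTERN.match(stem):
        return ext.lower()
    return None

def inventory(root):
    """Walk root; return (counts per extension, dirs holding the note, encrypted paths)."""
    counts = Counter()
    note_dirs = []
    encrypted = []
    for dirpath, _subdirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            note_dirs.append(dirpath)
        for name in files:
            ext = classify(name)
            if ext:
                counts[ext] += 1
                encrypted.append(os.path.join(dirpath, name))
    return counts, note_dirs, encrypted

def build_demo_tree():
    """Constructed sample tree using file names quoted by posters (demo only)."""
    root = tempfile.mkdtemp(prefix="globe_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("IFjbv3jPAT9lJW2S8vSKevu1CY3ayN08+-co5kGZ7DHuhIfi07k9-0.globe",
                 "Ki1JZ9yYmmDrMoPXwWcvmP2iSvmr.blt", RANSOM_NOTE,
                 "report.docx", "notes.globe.txt"):
        open(os.path.join(docs, name), "w").close()
    return root

if __name__ == "__main__":
    counts, note_dirs, encrypted = inventory(build_demo_tree())
    print(dict(counts), note_dirs, len(encrypted))
```

Point inventory() at a real share root to get the per-extension breakdown; a mixed result (for example .globe and .gsupport together) means more than one campaign touched the host.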



#13 Demonslay335

Ransomware Hunter

Posted 02 October 2016 - 11:07 AM

Fabian also released a decrypter for a few variants, including .globe and .purge. I'm sure more will come.

https://twitter.com/fwosar/status/782330606961233923

@spacapan
If you can acquire a sample of the malware that caused the encryption, we will need it for analysis. You may submit malicious files here: http://www.bleepingcomputer.com/submit-malware.php?channel=168 Please leave an email address so we can contact you.


Edited by xXToffeeXx, 04 November 2016 - 04:12 AM.



#14 spacapan


Posted 02 October 2016 - 11:26 AM

> Fabian also released a decrypter for a few variants, including .globe and .purge. I'm sure more will come.
>
> https://twitter.com/fwosar/status/782330606961233923
>
> @spacapan
> If you can acquire a sample of the malware that caused the encryption, we will need it for analysis. You may submit malicious files here: http://www.bleepingcomputer.com/submit-malware.php?channel=168 Please leave an email address so we can contact you.

OK, I am uploading an encrypted file; I can include a normal file as well, if that is what you need?


Edited by xXToffeeXx, 04 November 2016 - 04:12 AM.


#15 Demonslay335

Ransomware Hunter

Posted 02 October 2016 - 11:43 AM

No, we need the executable, the virus itself so it can be analyzed. I already have the encrypted files you and others have submitted to ID Ransomware.





