
Help with a Ransomware .GSupport encrypted extension


  • This topic is locked
10 replies to this topic

#1 msmarcal


Posted 30 September 2016 - 11:39 AM

This ransomware can be decrypted using this decrypter: https://decrypter.emsisoft.com/globe2

 

 

 

Our server was infected by a Ransomware that appends .GSupport to encrypted files. 

 

It dropped a file named "Important Information.hta" giving instructions.


Edited by xXToffeeXx, 30 October 2016 - 10:28 AM.



 


#2 opera


Posted 30 September 2016 - 01:48 PM

Go here to identify your ransomware and post back with the id number and info it gives

 

https://id-ransomware.malwarehunterteam.com/



#3 Demonslay335


Posted 30 September 2016 - 02:10 PM

This looks to be a new variant of Globe based on the ransom note (even has it in the title) and the way it renames files.

We will need a sample of the malware to analyze. Trend Micro did recently release a decrypter for some variants of Globe; it may be worth trying.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 msmarcal


Posted 30 September 2016 - 02:56 PM

Hi, thanks.

 

https://id-ransomware.malwarehunterteam.com/ has returned it as Globe.



#5 msmarcal


Posted 30 September 2016 - 03:14 PM

Trend Micro tool couldn't decrypt.

 

Any idea?



#6 Demonslay335


Posted 30 September 2016 - 03:27 PM

In that case, we'll need a sample of the malware that caused the encryption to analyze. We can pass it on to the developer at Trend Micro to see if they can update the tool if you are able to acquire it.




#7 msmarcal


Posted 30 September 2016 - 04:28 PM

In that case, we'll need a sample of the malware that caused the encryption to analyze. We can pass it on to the developer at Trend Micro to see if they can update the tool if you are able to acquire it.

 

How can I send you a sample file?

I couldn't find a way to upload it here.



#8 Demonslay335


Posted 30 September 2016 - 04:30 PM

If you have the malware itself (we don't need the encrypted files or ransom note at this point), you may submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168. Please leave an email address for contact if you submit a file.


Edited by xXToffeeXx, 30 October 2016 - 10:27 AM.



#9 msmarcal


Posted 30 September 2016 - 04:33 PM

Thanks,

 

I'll search if I can find it on the infected server.



#10 quietman7


Posted 01 October 2016 - 06:19 AM

Since this is related to Globe, rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#11 xXToffeeXx


Posted 12 October 2016 - 01:08 PM

This ransomware can be decrypted using this decrypter: https://decrypter.emsisoft.com/globe2


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~




