GLOBE Variant - RAID10 files?


9 replies to this topic

#1 TomDN


Posted 06 October 2016 - 05:18 AM

I'm currently trying to rid a school network of some ransomware but so far neither Trend nor https://id-ransomware.malwarehunterteam.com/identify.php can detect it.

SHA1 for uploaded file - a857f5d6cb2169bc438bfd05653c5aa18fa305eb

The ransom note is the same name as Globe's "Important Information.hta" and the format is very similar.

So far it's seemed to propagate mainly via Roaming Profiles used by the Teachers and Admin staff.

Any help would be much appreciated!



#2 Fabian Wosar

    Authorized Emsisoft Representative



Posted 06 October 2016 - 05:48 AM

What file extension is used? Is the ID in the ransom note split into multiple lines or one long line?
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

#3 TomDN

TomDN
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 06 October 2016 - 05:56 AM

.RAID10. Multiple lines. Screenshot if it helps!

 

[Attachment: Information.png (screenshot of the ransom note)]




#4 TomDN

TomDN
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 06 October 2016 - 06:29 AM

I've found these files with times close to the infection:

User/AppData/Roaming/

Winsows.Intensions.exe
Winsows.Intensions.config

Imminent/Path.dat

LocalDB/systemupdater.exe
LocalDB/klg_61804428bbf843******************.dat

Some seem to be related to Trojan.StolenData?




#5 Grinler

    Lawrence Abrams



Posted 06 October 2016 - 10:25 AM

Looks like it could be the files. Can you submit them here:

http://www.bleepingcomputer.com/submit-malware.php?channel=168

Thanks!

#6 TomDN

TomDN
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 07 October 2016 - 03:19 AM

Grinler wrote:
> Looks like it could be the files. Can you submit them here:
> http://www.bleepingcomputer.com/submit-malware.php?channel=168
> Thanks!

Done.

Submitted "Important Information.hta" and a random .RAID10 file.

Thanks!



#7 Fabian Wosar

    Authorized Emsisoft Representative



Posted 08 October 2016 - 04:11 PM

Enjoy: https://decrypter.emsisoft.com/globe2 :)

#8 TomDN

TomDN
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 10 October 2016 - 05:28 AM

Excellent. Thank you very much! You just saved a school a lot of much needed money!

I just heard they have had another "bloom", raid16 files this time! So it sounds like that's another file extension for your list. Will try and find the cause and post it.

 




#9 Demonslay335

    Ransomware Hunter



Posted 10 October 2016 - 08:20 AM

I've also seen a submission for ".raid15" on ID Ransomware. Chances are the decrypter may work for both, but I didn't have the victim's original to try it myself.


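Added example, not code from this thread, from Emsisoft or from ID Ransomware: a small Python triage script for the situation described in posts #4, #8 and #9, where the same Globe variant shows up with several numeric extensions (.RAID10, .raid15, .raid16) across roaming profiles. It walks a directory tree, inventories every file whose name ends in a .raidNN extension (generalised here to any numeric suffix, which goes beyond the three the thread names), records where copies of the "Important Information.hta" ransom note were dropped, and recovers the original filename by stripping the appended extension, so a responder knows which extension variants are present and which profile directories were touched before running a decrypter. The sample directory tree it builds is constructed for the example; the function names triage and build_sample_tree are this example's own.

```python
"""Triage helper for a Globe-style ransomware outbreak (added example).

Assumptions, taken from the thread: encrypted files carry an appended
extension of the form .raidNN (the thread reports .RAID10, .raid15 and
.raid16) and the ransom note is a file named "Important Information.hta"
dropped in affected directories.
"""
import os
import re
import tempfile
from collections import Counter

# Generalised from the three variants named in the thread: any ".raid<digits>" suffix.
ENCRYPTED_EXT = re.compile(r"\.raid\d+$", re.IGNORECASE)
RANSOM_NOTE = "Important Information.hta"


def triage(root):
    """Walk `root` and summarise what the ransomware touched.

    Returns a dict with:
      by_extension  - Counter of encrypted-file extensions (lower-cased)
      notes         - paths of every ransom note copy found
      affected_dirs - sorted directories that contain encrypted files
      originals     - encrypted path -> original filename (suffix stripped)
    """
    by_ext = Counter()
    notes = []
    affected = set()
    originals = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(full)
                continue
            match = ENCRYPTED_EXT.search(name)
            if match:
                by_ext[match.group(0).lower()] += 1
                affected.add(dirpath)
                # Globe appends its extension, so the original name is the prefix.
                originals[full] = name[: match.start()]
    return {
        "by_extension": by_ext,
        "notes": notes,
        "affected_dirs": sorted(affected),
        "originals": originals,
    }


def build_sample_tree():
    """Constructed sample tree mimicking two roaming profiles (not real data)."""
    root = tempfile.mkdtemp(prefix="raid_triage_")
    layout = {
        "teacher1/Documents": ["lesson.docx.RAID10", "grades.xlsx.RAID10", RANSOM_NOTE],
        "admin2/Desktop": ["budget.xlsx.raid16", RANSOM_NOTE],
        "admin2/Pictures": ["photo.jpg"],  # untouched file; must not be flagged
    }
    for rel, names in layout.items():
        directory = os.path.join(root, rel)
        os.makedirs(directory)
        for name in names:
            with open(os.path.join(directory, name), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


if __name__ == "__main__":
    summary = triage(build_sample_tree())
    print("encrypted files by extension:", dict(summary["by_extension"]))
    print("ransom note copies:", len(summary["notes"]))
    print("affected directories:", summary["affected_dirs"])
```

Run it against the root of the roaming-profile share (or a copy of it) instead of the constructed tree; the per-extension counts tell you whether one decrypter covers the whole outbreak or a new variant needs a separate submission, and the affected-directory list maps back to the user profiles that still need to be cleaned.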


#10 TomDN

TomDN
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:23 AM

Posted 11 October 2016 - 02:26 PM

Fabian / Emsisoft, thank you...

Your decryptor cracked the key in 20 minutes and every file I've checked has been good so far! Also amazingly fast... Awesome.

Keep up the fight! ;)





