
Q: Globe Ransomware


This topic is locked. 6 replies to this topic.

#1 kragster665

Posted 17 November 2016 - 10:11 AM

Hi all,

My NAS just got encrypted with Globe (I think?) ransomware. Here is a sample name of a file:

XnQbN65goI2tp0iI.decryptallfiles3@india.com

and all folders contain a

Read Me Please.HTA file.

All the decrypters I can find for Globe require the original file as well as the encrypted file, which makes them a bit obsolete.

Unfortunately the NAS had all of our photos and I don't have a backup (which I certainly will have in the future). I found it as it was encrypting the NAS, so the specific computer got wiped immediately, but unfortunately it was almost finished.

Should I take it as a loss and format the NAS, or is there any chance of getting the files decrypted?

Best
Lars

#2 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 17 November 2016 - 10:45 AM

> All the decrypters I can find for Globe require the original file as well as the encrypted file, which makes them a bit obsolete.

How does that make a decrypter obsolete? It is needed in order to derive a key. That's how a lot of decrypters work, as it needs to compare with the original file to determine if the key was correct.

A quote from Fabian Wosar:

> It has to be the original. I don't believe you that there is no file on your system where you can't get the original of. Examples: Files you downloaded from the internet that were encrypted, that you can simply download again to get the original, pictures that you shared with friends that they can just send you back, default wallpapers and pictures that were included with your Windows version that you can just get from another system running the same Windows version. There are plenty of ways to get an encrypted with unencrypted file pair.

What type of NAS is it? Some Synology and QNAP NAS devices have features such as a recycle bin and sometimes you can pull Shadow Copies from them.

Wiping a system as soon as you have encountered a ransomware attack is not the best idea. You have to scope out the whole situation first.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
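The "scope out the whole situation first" advice above is easier to act on with an inventory in hand. The script below is an added example for this thread, not code from the page or from any of the tools linked in the signature. It walks a share and reports, per directory, how many files carry the encrypted-name pattern seen in the first post, how many ransom notes were dropped, and how many files were not touched at all (which matters here, because the encrypting machine was wiped before it finished). The file-name pattern is an assumption generalised from the single sample name in the post, and the directory tree it scans is constructed inside a temporary folder so the script runs offline.

```python
"""Scoping a Globe hit on a NAS share before doing anything destructive.

Added example: not the page's code and not Emsisoft's, Trend Micro's or
ID Ransomware's code. Point it at the real share root instead of the
constructed sample tree to use it for real.
"""
import os
import re
import tempfile
from typing import Dict, List

# Assumption: encrypted names look like <random>.decryptallfiles3@india.com,
# generalised from the one sample name in the thread.
ENCRYPTED_NAME = re.compile(r"^[A-Za-z0-9]+\.decryptallfiles3@india\.com$")
RANSOM_NOTE = "Read Me Please.HTA"  # as named in the thread


def scope_share(root: str) -> Dict[str, Dict[str, int]]:
    """Per-directory counts of encrypted files, ransom notes and untouched files."""
    report: Dict[str, Dict[str, int]] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        enc = sum(1 for f in filenames if ENCRYPTED_NAME.match(f))
        notes = sum(1 for f in filenames if f == RANSOM_NOTE)
        untouched = len(filenames) - enc - notes
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        report[rel] = {"encrypted": enc, "notes": notes, "untouched": untouched}
    return report


def totals(report: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Sum the per-directory counts into share-wide totals."""
    t = {"encrypted": 0, "notes": 0, "untouched": 0}
    for counts in report.values():
        for k in t:
            t[k] += counts[k]
    return t


def partially_encrypted(report: Dict[str, Dict[str, int]]) -> List[str]:
    """Directories where the malware was interrupted: encrypted and untouched
    files side by side. These are the first place to look for surviving data."""
    return sorted(d for d, c in report.items()
                  if c["encrypted"] > 0 and c["untouched"] > 0)


def build_constructed_share() -> str:
    """Constructed sample tree mimicking the thread's description (not real data)."""
    root = tempfile.mkdtemp(prefix="nas_share_")
    layout = {
        "Photos/2015": ["XnQbN65goI2tp0iI.decryptallfiles3@india.com",
                        "aB3kLm9QpR7sT1uV.decryptallfiles3@india.com",
                        RANSOM_NOTE],
        "Photos/2016": ["Zz8yYx7Ww6Vv5Uu4.decryptallfiles3@india.com",
                        RANSOM_NOTE,
                        "IMG_2201.jpg"],          # skipped: machine was wiped mid-run
        "Docs": [RANSOM_NOTE, "taxes.pdf", "notes.txt"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for name in names:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    share = build_constructed_share()
    rep = scope_share(share)
    for d, c in sorted(rep.items()):
        print(f"{d:20s} encrypted={c['encrypted']:3d} notes={c['notes']:3d} "
              f"untouched={c['untouched']:3d}")
    print("totals:", totals(rep))
    print("interrupted dirs:", partially_encrypted(rep))
```

Run it against a read-only mount of the share (or a copy) before deciding what to wipe: the "untouched" column is what a premature format throws away, and the interrupted directories are where an encrypted/original pair is most likely to turn up.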


#3 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 17 November 2016 - 04:38 PM

Another quote from Fabian:

> Even you will have at least one file where you can get the original version of the file of. A picture you shared with your family. The default wallpapers shipped with your version of Windows. A file you downloaded from the internet that you can download again.
>
> In the years I have been doing this, there hasn't been a single case where decryption failed because someone could not possibly find at least one file where they could somehow find the original file as well.


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 kragster665 (Topic Starter)

Posted 18 November 2016 - 04:27 AM

> All the decrypters I can find for Globe require the original file as well as the encrypted file, which makes them a bit obsolete.
>
> How does that make a decrypter obsolete? It is needed in order to derive a key. That's how a lot of decrypters work, as it needs to compare with the original file to determine if the key was correct.
>
> A quote from Fabian Wosar:
>
> > It has to be the original. I don't believe you that there is no file on your system where you can't get the original of. Examples: Files you downloaded from the internet that were encrypted, that you can simply download again to get the original, pictures that you shared with friends that they can just send you back, default wallpapers and pictures that were included with your Windows version that you can just get from another system running the same Windows version. There are plenty of ways to get an encrypted with unencrypted file pair.
>
> What type of NAS is it? Some Synology and QNAP NAS devices have features such as a recycle bin and sometimes you can pull Shadow Copies from them.
>
> Wiping a system as soon as you have encountered a ransomware attack is not the best idea. You have to scope out the whole situation first.

Well you are absolutely correct :) I guess it is easier if it is a computer with default items. So, if you have a file in its original state and in the encrypted version, then you can derive the key and decrypt the rest of the files?
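The question just asked, and Demonslay335's explanation in #2 of why a decrypter needs the pair, can both be shown with a small worked model. The code below is an added example for this thread: it is not Globe's real cipher, not Emsisoft's or Trend Micro's decrypter, and not code from the page. The cipher is a constructed, deliberately weak stream cipher whose key is only 20 bits wide, so its key space can be searched exhaustively in pure Python; real Globe variants used stronger primitives. The principle is the one the thread describes: the known original/encrypted pair is the oracle that tells the search when a candidate key is right, and once found the key decrypts every other file encrypted with it. The sample files and the "attacker's" key are constructed values.

```python
"""Why a decrypter wants an encrypted/original file pair: a worked toy.

Added example, not Globe's algorithm and not any real decrypter's code.
The keystream and key size are constructed for illustration.
"""
import hashlib
from typing import Dict, Optional

KEY_BITS = 20       # constructed: about 1M candidates, a few seconds in Python
CHECK_BYTES = 16    # bytes of the pair compared per candidate (<= one SHA-256 block)


def keystream(key: int, length: int) -> bytes:
    """Constructed keystream: SHA-256(key || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.to_bytes(4, "big") +
                              counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: int, plaintext: bytes) -> bytes:
    # The toy reuses one keystream for every file (no per-file IV); that is the
    # weakness that makes the known-plaintext attack below trivially effective.
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


decrypt = encrypt  # XOR stream cipher: decryption is the same operation


def recover_key(original: bytes, encrypted: bytes) -> Optional[int]:
    """Brute-force the key using one (original, encrypted) pair as the oracle.

    original XOR encrypted is the keystream prefix; a candidate key is accepted
    when it reproduces that prefix. Only CHECK_BYTES bytes are compared, so the
    search cost does not depend on the size of the file pair.
    """
    n = min(CHECK_BYTES, len(original), len(encrypted))
    if n == 0:
        return None
    target = xor_bytes(original[:n], encrypted[:n])
    ctr0 = (0).to_bytes(4, "big")
    for key in range(1 << KEY_BITS):
        # Equivalent to keystream(key, n) since n <= 32, but one hash per candidate.
        if hashlib.sha256(key.to_bytes(4, "big") + ctr0).digest()[:n] == target:
            return key
    return None


def decrypt_prefix_without_key(original: bytes, encrypted: bytes,
                               other_encrypted: bytes) -> bytes:
    """Even with no key at all, keystream reuse lets the pair decrypt the first
    len(original) bytes of any other file. Beyond that you need the key."""
    ks = xor_bytes(original, encrypted)
    return xor_bytes(other_encrypted[:len(ks)], ks)


def demo() -> Dict[str, object]:
    secret_key = 0x9A3F1  # the attacker's key; the victim never sees this value
    # Constructed samples: a photo the victim can get back from a friend,
    # and a file that now exists only in encrypted form.
    shared_photo = b"\xff\xd8\xff\xe0" + b"JFIF holiday photo (constructed sample)"
    only_copy = b"family archive 2016 - no backup anywhere (constructed sample)"
    shared_photo_enc = encrypt(secret_key, shared_photo)
    only_copy_enc = encrypt(secret_key, only_copy)

    key = recover_key(shared_photo, shared_photo_enc)
    return {
        "recovered_key": key,
        "key_matches": key == secret_key,
        "only_copy_plain": decrypt(key, only_copy_enc) if key is not None else None,
    }


if __name__ == "__main__":
    result = demo()
    print("recovered key:", hex(result["recovered_key"]))
    print("matches attacker's key:", result["key_matches"])
    print("other file decrypted:", result["only_copy_plain"])
```

Two things carry over to the real case. First, the pair is only an oracle: the search compares a short prefix, so the 785 MB file mentioned later in the thread is no better for key recovery than a small one, and a tiny re-downloadable file works just as well. Second, whether a search like this is feasible at all depends on how the malware derives its keys; a decrypter exists for a family when researchers have found such a weakness, which is why the pair is required rather than optional.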



#5 kragster665 (Topic Starter)

Posted 18 November 2016 - 05:25 AM

Ok, so I found a file of which I now have the encrypted version and the original version. I tried using Trend Micro's Ransomware File Decryptor tool, selected Purge/Globe (V1, V2, V3), selected the two files and it ran for 15 minutes, but it didn't seem to decrypt the file. Nothing happened. The file is 785,290,174 bytes.

 

I used https://id-ransomware.malwarehunterteam.com/ to identify the malware.

 

Any thoughts?



#6 kragster665 (Topic Starter)

Posted 18 November 2016 - 06:36 AM

Ok guys! Seems I found the correct decrypter for the ransomware that hit me. Globe2 decrypter seems to do the job!

 

https://decrypter.emsisoft.com/download/globe2



#7 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 18 November 2016 - 06:59 AM

That is good news.

There is an ongoing discussion in this topic. Other victims have been directed there to share information, experiences and suggestions. Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion. It includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff