New Globe like ransomware detected? 30-MAR-2017


4 replies to this topic

#1 ELWIS

ELWIS

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:48 AM

Posted 04 April 2017 - 05:10 AM

Dear All,

 

Not so sure what I'm looking at here. ID-ransomware (https://id-ransomware.malwarehunterteam.com/) delivers two results on the ransom note, i.e. CryptON and Globe 3.

Checking an encrypted file with the same tool delivers that it could, under certain circumstances, be decrypted with the Globe or CryptON decrypters.

 

However, decrypting with the Emsisoft tools delivers the following:

 

CryptON - no decryption, as the 16-byte difference between unencrypted and encrypted is not present

 

Globe 3 - does not accept the files for decryption

 

Globe 2 and Globe decryptors try to decrypt but cannot find a key.

 

The encrypted file name, for example, is: 8.png.id-132357839_[x3m-pro@protonmail.com]_[x3m@usa.com].x3m

 

Although much of the information points at an existing ransomware, this might be something new.

 

Any ideas on this would be highly appreciated.

 

ELWIS
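A small triage helper, added here as an example and not code from the original thread, from Emsisoft or from ID Ransomware: it splits the appended file name quoted in the post into its parts (original name, victim id, the two contact addresses, the appended extension), pairs encrypted names with their originals in a folder listing, and checks the size relationship the poster relied on, that a CryptON-encrypted file is 16 bytes larger than the original. The regular expression, the 16-byte default, and the sample bytes are assumptions built from this post only; the name pattern is generalized to any `<name>.id-<digits>_[<email>]_[<email>].<ext>` form.

```python
import re

# Assumption: regex built from the one name quoted in the post,
#   8.png.id-132357839_[x3m-pro@protonmail.com]_[x3m@usa.com].x3m
# read as <original>.id-<victim id>_[<email 1>]_[<email 2>].<appended extension>
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id-(?P<victim_id>\d+)"
    r"_\[(?P<email1>[^\]]+)\]"
    r"_\[(?P<email2>[^\]]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_encrypted_name(name):
    """Split an appended file name into its parts; None if it does not match."""
    m = ENCRYPTED_NAME_RE.match(name)
    return m.groupdict() if m else None


def size_delta(original, encrypted):
    """Encrypted length minus original length, in bytes."""
    return len(encrypted) - len(original)


def matches_crypton_layout(original, encrypted, expected_delta=16):
    """The CryptON expectation the post describes: the encrypted file is
    16 bytes larger than the original. A delta of 0 is what the poster saw,
    which is why that decrypter refused the pair."""
    return size_delta(original, encrypted) == expected_delta


def pair_with_originals(names):
    """From one folder's file names, map each original name to the encrypted
    copy that embeds it, keeping only pairs where both files are present
    (the original/encrypted pair a decrypter asks for)."""
    present = set(names)
    pairs = {}
    for n in names:
        info = parse_encrypted_name(n)
        if info and info["original"] in present:
            pairs[info["original"]] = n
    return pairs


def triage(original, encrypted_name, encrypted):
    """Collect the facts a responder would record before choosing a decrypter."""
    info = parse_encrypted_name(encrypted_name) or {}
    return {
        "original_name": info.get("original"),
        "victim_id": info.get("victim_id"),
        "contact_emails": [e for e in (info.get("email1"), info.get("email2")) if e],
        "appended_ext": info.get("ext"),
        "size_delta": size_delta(original, encrypted),
        "crypton_16_byte_layout": matches_crypton_layout(original, encrypted),
    }


if __name__ == "__main__":
    # Constructed sample: a fake 100-byte "original" and an encrypted copy of
    # the same length, mirroring the poster's observation that the 16-byte
    # difference was absent. Real use: read both files' bytes from disk.
    original = b"\x89PNG" + b"\x00" * 96
    encrypted = bytes((b + 0x5A) & 0xFF for b in original)
    name = "8.png.id-132357839_[x3m-pro@protonmail.com]_[x3m@usa.com].x3m"
    for key, value in triage(original, name, encrypted).items():
        print(f"{key}: {value}")
    print(pair_with_originals(["8.png", name, "notes.txt"]))
```

The size check is only a layout heuristic: a matching delta says the pair is worth feeding to a particular decrypter, not that the decrypter will recover a key, and a non-matching delta (as in this post) is a quick reason to move on to the other candidates ID Ransomware listed.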

 

 

 

 





#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,754 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:48 PM

Posted 04 April 2017 - 05:39 AM

The <id-number>_x3m appended extension is one of the variants which is related to CryptON.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 xXToffeeXx

xXToffeeXx

    Bleepin' Polar Bear


  • Malware Response Instructor
  • 6,086 posts
  • OFFLINE
  • Gender:Female
  • Location:The Arctic Circle
  • Local time:03:48 AM

Posted 10 April 2017 - 07:23 AM

Hi ELWIS,

 

You can find a decrypter for this ransomware here: https://decrypter.emsisoft.com/cry9

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#4 ELWIS

ELWIS
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:04:48 AM

Posted 11 April 2017 - 07:19 AM

Yes, Cry9 works. Many thanks to all. Unfortunately the computer crashed (I have noted the key). Is there any possibility to use the decryptor with the known key without searching for the key again?

#5 anunezk

anunezk

  • Members
  • 1 posts
  • OFFLINE

Posted 21 April 2017 - 11:33 AM

Hi. I have the x3m ransomware, and tried the tool to re-establish the Emsisoft file (https://decrypter.emsisoft.com/download/cry9) and it will not let me. It tells me that I have to drag the original file and the infected one. My question is: if this is encrypted because the original broke it, does anyone use this tool satisfactorily? Thank you!






