GlobeImposter 2.0 (.FIX & .PSCrypt extension) Ransomware Support Topic


31 replies to this topic

#16 troy99

  • Members
  • 2 posts

Posted 19 June 2017 - 02:50 PM

What are the chances that this Globeimposter 2.0 (.keepcalm) will ever be decrypted?

 

My whole computer was infected and I will be keeping the hard drives offline until I can locate a solution.

 

How can we get notified once the decrypter is available?

How can we help?

 

Thanks,

Troy




#17 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 48,768 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 19 June 2017 - 02:59 PM

We have no way of knowing when or if a free decryption solution will be available.

Whether you can recover (decrypt) your files or not depends on what ransomware infection you are dealing with and a variety of factors. All crypto malware ransomware uses some form of encryption algorithm; most of them are secure, but others are not. The possibility of decryption depends on the thoroughness of the malware creator, what algorithm the creator utilized for encryption, discovery of any flaws and sometimes just plain luck. Newer ransomware variants use a public and private key system where the public key is used to encrypt and the private key is used to decrypt. The private key is stored on a central server maintained by the cyber-criminals and is not available unless the victim pays the ransom or, at some point, law enforcement authorities arrest the criminals...seize the C2 server and release the private RSA decryption keys to the public. In some cases, the cyber-criminals, for whatever reason, choose to release the master keys after a period of time.

Dr.Web statistics show that the probability of restoring files compromised by encryption ransomware doesn't exceed 10%. That means that most of user data has been lost for good!

Dr.Web: Encryption ransomware - Threat No. 1

When or if a decryption solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#18 nitop

  • Members
  • 1 posts

Posted 21 June 2017 - 10:35 AM

I uploaded a file with the .FIXI extension. According to ID Ransomware it is GlobeImposter 2.0. Isn't it?

We have backups of the files, but we want to know how the ransomware could have been installed.



#19 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 48,768 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 21 June 2017 - 03:02 PM

The .FIXI extension is one used by GlobeImposter 2.0 which will leave files (ransom notes) named how_to_back_files.html, HOW_OPEN_FILES.html, how_to_recover_files.html. The ransom note instructs victims to contact the cyber-criminals at "happydaayz@aol.com", "strongman@india.com", "keepcalmpls@india.com", "byd@india.com", "cryptohelpers@india.com" to get payment instructions.

Crypto malware and other forms of ransomware in particular are typically spread through some type of "user interaction"...opening a malicious email attachment, executing a malicious file, via web exploits, exploit kits, malvertising campaigns and drive-by downloads when visiting compromised web sites. RDP Bruteforce attacks against servers are also an increasingly common malware vector used by those involved with the development and spread of ransomware.

Section :step2: in this topic explains in more detail the most common methods by which Crypto malware (file encrypting ransomware) and other forms of ransomware are typically delivered and spread.
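As an added example (not code from this thread, from its posters or from BleepingComputer), here is a Python triage script a responder could run against a suspect share. It walks a directory tree and reports only file names carrying the appended extensions (.FIX, .PSCrypt, .FIXI, .keepcalm) and the ransom-note names (how_to_back_files.html, HOW_OPEN_FILES.html, how_to_recover_files.html, rahunok.html, Paxynok.html) quoted in this topic; it never opens or changes the files. The sample directory it builds under a temporary folder is constructed for the demo, and a match is a starting point for investigation, not proof of infection.

```python
"""Triage scan for the GlobeImposter 2.0 artifacts named in this thread.

Added example, not code from BleepingComputer or from the thread's posters.
Indicator lists come from the posts above; the directory layout created by
build_sample_tree() is constructed for the demonstration only.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Appended extensions reported in this thread (compared case-insensitively).
ENCRYPTED_EXTENSIONS = {".fix", ".pscrypt", ".fixi", ".keepcalm"}

# Ransom-note file names reported in this thread (compared case-insensitively).
RANSOM_NOTE_NAMES = {
    "how_to_back_files.html",
    "how_open_files.html",
    "how_to_recover_files.html",
    "rahunok.html",
    "paxynok.html",
}


def scan_for_globeimposter(root):
    """Walk `root` and summarise matching names without opening any file.

    Returns {"encrypted": {ext: count}, "notes": [paths], "dirs_hit": n}.
    """
    encrypted = Counter()
    notes = []
    dirs_hit = set()
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        for name in filenames:
            lower = name.lower()
            if lower in RANSOM_NOTE_NAMES:
                notes.append(str(Path(dirpath) / name))
                dirs_hit.add(dirpath)
                continue
            # suffix of "report.docx.fixi" is ".fixi", the appended extension
            if Path(lower).suffix in ENCRYPTED_EXTENSIONS:
                encrypted[Path(lower).suffix] += 1
                dirs_hit.add(dirpath)
    return {
        "encrypted": dict(encrypted),
        "notes": sorted(notes),
        "dirs_hit": len(dirs_hit),
    }


def build_sample_tree(root):
    """Create a constructed tree that mimics a share hit in two folders."""
    layout = {
        "docs/report.docx.FIXI": b"",
        "docs/budget.xlsx.FIXI": b"",
        "docs/how_to_back_files.html": b"<html>constructed note</html>",
        "photos/holiday.jpg.pscrypt": b"",
        "photos/HOW_OPEN_FILES.html": b"<html>constructed note</html>",
        "clean/readme.txt": b"untouched",
        "clean/archive.zip": b"",
    }
    for rel, content in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return root


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="globeimposter-triage-")
    build_sample_tree(root)
    return scan_for_globeimposter(root)


if __name__ == "__main__":
    # Expected: 2 x .fixi, 1 x .pscrypt, two notes, two directories hit
    print(demo())
```

Pointing `scan_for_globeimposter()` at a real volume gives a quick count of which folders were touched, which is what you need before deciding whether backups cover them; extend the two indicator sets as the thread reports new extensions or note names.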

#20 slon_

  • Members
  • 4 posts

Posted 23 June 2017 - 06:58 AM

Hello. Sorry for the bad translation into English. In the morning I saw a message on the desktop about the fact that the electronic addresses changed regarding the redemption. There was "systems64x@tutanota.com". Became "systems32x@gmail.com". I turned off the computer and read about the virus of the extortionist with such addresses. Explained that this is PSCrypt which is GlobeImposter 2.0. Later I turned on the computer in an uninterrupted mode and did not find encrypted files or signs of files of a specific virus. What now it is necessary to separate? How to protect yourself m save. I copied important files to the USB flash drive, is it safe to open them on another computer?


#21 tolliik

  • Members
  • 11 posts

Posted 23 June 2017 - 07:04 AM

Uninterrupted mode - you mean safe mode?

In this mode, your files were not encrypted?

Did you turn off the network before rebooting the first time?




#22 tolliik

  • Members
  • 11 posts

Posted 23 June 2017 - 07:06 AM

You are from Ukraine, right?



#23 slon_

  • Members
  • 4 posts

Posted 23 June 2017 - 07:08 AM

Yes, safe mode. (Sorry, Google Translator.) In safe mode everything looks normal. What do you recommend doing?



#24 tolliik

  • Members
  • 11 posts

Posted 23 June 2017 - 07:18 AM

Your files open in safe mode?

Very strange, because my files in safe mode are encrypted, with the extension .pscrypt.



#25 tolliik

  • Members
  • 11 posts

Posted 23 June 2017 - 07:26 AM

If your files are good, try to back them up.

Then find some PC or notebook without important files, and copy a few files from the encrypted PC. Try to work on this PC for a few days. If everything is good, you are a very lucky man.

PS. Sorry for my English.



#26 slon_

  • Members
  • 4 posts

Posted 23 June 2017 - 07:28 AM

Thanks, I think we speak the same language.



#27 tolliik

  • Members
  • 11 posts

Posted 23 June 2017 - 07:33 AM

)) Well, yes.

Did I understand correctly that you rebooted the computer in the morning, your ransom demand note changed (mine is called rahunok.html), and after that you booted into safe mode and your files open normally?



#28 slon_

  • Members
  • 4 posts

Posted 23 June 2017 - 07:40 AM

I apologize to all that I am not writing in English. It was not my computer. The first and only message I saw (nobody saw any others) was about the change of addresses. I immediately turned off the computer and started reading about what this nasty thing was. Then I turned it on in safe mode and did not find infected files (though I did not search for long); I opened a couple and everything was fine. I searched for files named Paxynok.html or wmodule.exe and none were found. I copied the important things to a flash drive and turned the computer off again. Now I am sitting and thinking about what to do.



#29 tolliik

  • Members
  • 11 posts

Posted 23 June 2017 - 07:49 AM

Then maybe you got lucky.

I would copy the important files to another computer where there is nothing important and work on it for about a week. And it is better that this computer is not on the same network as other devices.



#30 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 48,768 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 23 June 2017 - 07:57 AM


Unfortunately, there is no known way at this time to decrypt files encrypted by all the latest versions of GlobeImposter without paying the ransom. If possible, your best option is to restore from backups.