Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

GlobeImposter Ransomware Support (.Crypt & .PSCrypt ext - !back_files!.html )


  • Please log in to reply
74 replies to this topic

#1 dilip_nowin

dilip_nowin

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:16 PM

Posted 11 April 2017 - 07:29 AM

Tired Globe Decrypter not working.
 
All Extension has become .FIX
 
 
 
All your files have been encrypted due to a security problem with your PC.
To restore all your files, you need a decryption.
If you want to restore them, write us to the e-mail happydaayz@aol.com.
Or you can, write us to the e-mail strongman@india.com.
In a letter to send Your personal ID (see In the beginning of this document).
You have to pay for decryption in Bitcoins.
The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
In the letter, you will receive instructions to decrypt your files!

In a response letter you will receive the address of Bitcoin-wallet, which is necessary to perform the transfer of funds.
HURRY! Your personal code for decryption stored with us only 72 HOURS!


Our tech support is available 24 \ 7
  • Do not delete: Your personal ID
  • Write on e-mail, we will help you!
Free decryption as guarantee
Before paying you can send to us up to 3 files for free decryption.
Please note that files must NOT contain valuable information and their total size must be less than 10Mb.
When the transfer is confirmed, you will receive interpreter files to your computer.
After start-interpreter program, all your files will be restored.

BC AdBot (Login to Remove)

 


#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,149 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:46 AM

Posted 11 April 2017 - 08:30 AM

Looks to not be Globe3 because the ID pattern in the note is incorrect (sorry, ID Ransomware should have filtered that out, I will look into it).

 

It looks like it could be GlobeImposter, or a new variant of HappyDayzz, which we don't have a lot of info on at the moment as we don't have a sample.

 

https://www.bleepingcomputer.com/forums/t/642559/happydayzz-blackjockercryptergmailcomhexhappydayzz-ransomware-help-topic/


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 dilip_nowin

dilip_nowin
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:16 PM

Posted 11 April 2017 - 09:37 AM

I have a encrypted and decrypted file sample. Its does not change the filename. Its adds .FIX extension



#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,149 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:46 AM

Posted 11 April 2017 - 09:41 AM

You may zip up encrypted/original pairs and submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

More importantly, if you can get the malware, that would be best for analysis so we can confirm.

 

We are leaning more towards this being a variant of GlobeImposter, which newer versions cannot be decrypted.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#5 mquintas

mquintas

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:46 PM

Posted 12 April 2017 - 11:24 AM

Hi dilip_nowin,

 

Any news about your infection??

 

I got infected too.....   :(



#6 dilip_nowin

dilip_nowin
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:16 PM

Posted 12 April 2017 - 12:18 PM

Hi dilip_nowin,

 

Any news about your infection??

 

I got infected too.....   :(

 

Still Waiting.

 

You may also zip up encrypted/original pairs and submit them here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

Mine malware was self deleted. If u have that malware file. send it to above link. So that we can get a solution sooner



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,318 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:46 AM

Posted 12 April 2017 - 02:45 PM

Please be patient until one of our crypto malware experts has a chance to review the information provided. BleepingComputer is inundated with support requests and assistance may take some time. Staff members & Security Colleagues are all volunteers who assist members as time permits.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,149 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:46 AM

Posted 13 April 2017 - 10:36 AM

We've confirmed this is GlobeImposter 2.0, so it is secure. Afraid you can only restore from backups.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#9 evilweevil

evilweevil

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 13 April 2017 - 12:46 PM

Hi,

 

My laptop was infected with a ransomware yesterday, after opening an exe file that turned out to be a virus. All files have the correct name and size with an extension of Virginlock. I uploaded a test file to ID Randsomeware, and the site did not find a match and has no information about it.

 

Kindly find below an image of the background.

 

//imgur.com/xwcfbmh

<script async src="//s.imgur.com/min/embed.js" charset="utf-8"></script>

 

Please let me know if you need more information

 



#10 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,149 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:46 AM

Posted 13 April 2017 - 01:03 PM

Another user uploaded that extension along with the ransom note "how_to_back_files.html", which was a GlobeImposter 2.0 note. I'm afraid it is not decryptable. I've updated rules for it.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#11 jullll

jullll

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:46 PM

Posted 17 April 2017 - 10:02 AM

Hello Team, 

 

We just been infected too by this Ransomware, do you have any news or progress regarding what we have to do ?

 

Thanks for your prompt answer and best regards

 

Jullll



#12 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,149 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:10:46 AM

Posted 17 April 2017 - 10:12 AM

GlobeImposter 2.0 is not decryptable. You can only restore from backups, or archive your encrypted files in hopes for the future.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#13 jullll

jullll

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:46 PM

Posted 17 April 2017 - 12:57 PM

Thanks Demonslay335 but bad new news for us ....

 

Maybe a last question for you : How can I be sure that I'm well infected by this Ransomwar ?


Edited by jullll, 17 April 2017 - 12:59 PM.


#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,318 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:46 AM

Posted 17 April 2017 - 04:02 PM

You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#15 veneith

veneith

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:46 PM

Posted 19 June 2017 - 05:55 AM

Uploaded files, suspected globeimposter 2.0. Appreciate your assistance. 






5 user(s) are reading this topic

0 members, 5 guests, 0 anonymous users