GlobeImposter Ransomware Support (.Crypt & .PSCrypt ext - !back_files!.html )


155 replies to this topic

#151 wmcn (Members, 11 posts)

Posted 15 January 2018 - 08:21 PM

Good news? Ability to decrypt? Thanks!


#152 quietman7 (Bleepin' Janitor, Global Moderator, 50,389 posts, Virginia, USA)

Posted 15 January 2018 - 08:24 PM

There is no known method at this time to decrypt files encrypted by all the latest versions of GlobeImposter 2.0 without paying the ransom. If possible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#153 schnief (Members, 1 post)

Posted 16 January 2018 - 10:34 AM

Hello everyone!

We have been hit by a ransomware attack; according to https://id-ransomware.malwarehunterteam.com/ it probably is GlobeImposter 2.0.

All encrypted files have a .encen extension, for which I didn't find any information on the web. Only id-ransomware says it's a known GlobeImposter 2.0 extension.

  • ransomnote_filename: how_to_back_files.html
  • sample_extension: .encen
  • custom_rule: victim ID in encrypted file

The mail address used is 'brons@airmail.cc'.

I'd be very grateful if someone could help me verify that it's indeed GlobeImposter 2.0.

I already tried all recovery options (restore points, shadow copy, file recovery) to no avail.

Is there anything I can do?

I didn't yet attempt to remove the virus and I'd like to upload it for further investigation. Any hints on how I find the correct executable to upload? It was not detected by my virus scanner (Sophos); is there another tool I should use to find it?

I also have an encrypted/unencrypted file pair, if that's of any help. From what I understand, there is basically no way to brute force this, even with a file pair?

Please let me know if I should provide more information here on the forum or if there is anything I can do to help further the research about this particular ransomware!

PS: Out of curiosity I already wrote a mail to the extortionists; they say it'll cost 0.3 BTC to recover the files. Has anyone paid the ransom? Did it work out? Because if there is no solution in the near future we may be forced to pay, even though I'd hate rewarding those people. Has anyone tried to haggle them down in price?

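Triage script for the situation described in the post above. This is an added example, not code from the thread, from BleepingComputer or from any vendor tool. The only facts it takes from the post are the extension `.encen` and the note filename `how_to_back_files.html`; the directory layout, timestamps and the "dropper" file are a constructed fixture, and the list of executable extensions and the one-hour slack around the encryption window are assumptions. It walks a tree, separates files that really are encrypted from files that were only renamed (by measuring byte entropy of the first 4 KB), derives the time window in which the encryption ran from the modification times, and lists executable-looking files written in or just before that window, which is the first place to look for the sample to upload. It does not attempt decryption.

```python
"""Ransomware triage helper (added example; fixture data is constructed)."""
import math
import os
import random
import tempfile
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_EXT = ".encen"                # extension reported in the post
RANSOM_NOTE = "how_to_back_files.html"  # note filename reported in the post
# Assumption: file types worth checking when hunting for the dropper.
EXEC_EXTS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext, usually 4-6 for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root, sample_bytes=4096, entropy_floor=7.0):
    """Find encrypted files and ransom notes under root.  A file that carries
    the extension but still has low-entropy content was only renamed, not
    encrypted; the mtime window of the encrypted files bounds when the
    ransomware actually ran."""
    encrypted, notes, renamed_only, mtimes = [], [], [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if low == RANSOM_NOTE:
                notes.append(path)
            elif low.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                mtimes.append(os.path.getmtime(path))
                with open(path, "rb") as fh:
                    if shannon_entropy(fh.read(sample_bytes)) < entropy_floor:
                        renamed_only.append(path)
    window = (min(mtimes), max(mtimes)) if mtimes else None
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "renamed_only": sorted(renamed_only), "window": window}


def executables_in_window(root, window, slack_s=3600):
    """Executable-looking files written from slack_s before the first
    encrypted file to slack_s after the last one: where to start looking for
    the sample to upload (then check Run keys and scheduled tasks too)."""
    if window is None:
        return []
    lo, hi = window[0] - slack_s, window[1] + slack_s
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(EXEC_EXTS) and lo <= os.path.getmtime(path) <= hi:
                hits.append(path)
    return sorted(hits)


def build_fixture(root):
    """Constructed sample tree (not real victim data)."""
    rng = random.Random(42)
    t0 = 1516090000  # arbitrary epoch seconds: 16 Jan 2018, 08:06 UTC

    def write(rel, data, mtime):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))

    def ciphertext():  # pseudo-random bytes stand in for encrypted content
        return bytes(rng.getrandbits(8) for _ in range(8192))

    write("Documents/report.docx" + ENCRYPTED_EXT, ciphertext(), t0)
    write("Documents/budget.xlsx" + ENCRYPTED_EXT, ciphertext(), t0 + 300)
    write("Documents/notes.txt" + ENCRYPTED_EXT,
          b"meeting notes, nothing secret\n" * 200, t0 + 600)   # renamed only
    write("Documents/untouched.txt", b"still readable\n", t0 - 86400)
    write("Documents/" + RANSOM_NOTE, b"<html>pay us</html>", t0 + 600)
    write("Pictures/" + RANSOM_NOTE, b"<html>pay us</html>", t0 + 600)
    write("AppData/Local/Temp/update.exe", b"MZ" + bytes(62), t0 - 120)       # inside slack
    write("Program Files/Vendor/tool.exe", b"MZ" + bytes(62), t0 - 7 * 86400)  # old, ignored


def run_demo():
    """Build the fixture in a temp dir and return the triage result."""
    root = tempfile.mkdtemp(prefix="triage_")
    build_fixture(root)
    result = triage(root)
    result["candidate_droppers"] = executables_in_window(root, result["window"])
    result["window_utc"] = tuple(datetime.fromtimestamp(t, timezone.utc).isoformat()
                                 for t in result["window"])
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Point `triage()` and `executables_in_window()` at the real volume (and at user profile directories, where `AppData\Local\Temp` and `AppData\Roaming` are the usual drop locations) instead of the fixture. The entropy floor of 7.0 separates ciphertext from documents but not from already-compressed formats such as ZIP, JPEG or DOCX, so treat a low-entropy hit as "look closer", not as proof the file is intact.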


#154 quietman7 (Bleepin' Janitor, Global Moderator, 50,389 posts, Virginia, USA)

Posted 16 January 2018 - 11:12 AM

how_to_back_files.html is a ransom note used by GlobeImposter. .encen is probably a variant of the .encencenc extension previously used by GlobeImposter.

Nothing we can do...read my previous post (#138).

#155 Amigo-A (Members, 294 posts, 3rd station from the Sun)

Posted 16 January 2018 - 11:40 AM

abakothanasis

If you cannot log in to the accounts, you need to change the permissions on those users' directories and have the files inside those accounts inherit them.

A big request to the Global Moderator: please move the posts related to the case of abakothanasis to the appropriate topic.


My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (in Russian) + Google Translate Technology

Have you been attacked by ransomware? Report here.


#156 quietman7 (Bleepin' Janitor, Global Moderator, 50,389 posts, Virginia, USA)

Posted 16 January 2018 - 02:45 PM

...A big request to the Global Moderator: please move the posts related to the case of abakothanasis to the appropriate topic.

Done.