
GlobeImposter Ransomware Support (.Crypt & .PSCrypt ext - !back_files!.html )


242 replies to this topic

#166 wmcn

  • Members
  • 17 posts

Posted 26 January 2018 - 09:07 AM

YES! Backup/save my encrypted data as is and wait for a possible solution. THANK YOU!




#167 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,749 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 26 January 2018 - 12:05 PM

When or if a decryption solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#168 wmcn

  • Members
  • 17 posts

Posted 28 January 2018 - 10:14 PM

OK, THANK YOU VERY MUCH!



#169 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,749 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 January 2018 - 06:37 AM

You're welcome.

#170 Pan40

  • Members
  • 2 posts

Posted 31 January 2018 - 01:35 AM

Hi

Server was hit by ransomware, extension *.crypted_yoshikada@cock_lu. ID Ransomware recognizes this as GlobeImposter 2.0. I found a few *.tmp and .tmp.bat files in the %temp% directory. If this is usable, I can upload them somewhere.



#171 Amigo-A

  • Members
  • 583 posts
  • Gender:Male
  • Location:3rd station from Sun

Posted 31 January 2018 - 02:30 AM

.crypted_yoshikada@cock_lu

Pan40

There is only my initial description, dated January 3, 2018: Yoshikada Ransomware, and a topic here, opened January 16.

Edited by Amigo-A, 31 January 2018 - 02:39 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#172 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,749 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 31 January 2018 - 07:43 AM

@ Pan40

There is no known method at this time to decrypt files encrypted by Yoshikada Decryptor Ransomware without paying the ransom. If possible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time.

#173 shebeen28

  • Members
  • 4 posts

Posted 16 February 2018 - 08:34 AM

A colleague got hit by ransomware yesterday; it has encrypted files on our server, and the backups are too old (I know).

It's been detected as GlobeImposter 2.0 by the upload tool here.

I have tried to make contact, as unfortunately we do need the data back (and will begrudgingly take the risk and pay for it). Have been waiting 6 hours now with no reply, so came here.

It seems a little different to what I have read in this thread.

All files have been encrypted and changed to Excel 97-2003 format,

i.e. picture.jpg => picture.jpg..xls

Have been able to compare some files using Dropbox recovery, and only sections of each file are being changed.

So my question is: is this what GlobeImposter 2.0 looks like, or something else?

Message text:
<div><h2>Your files are Encrypted!</h2></div>
<div>
<div>For data recovery needs decryptor.</div>
<div>How to buy decryptor: <div>
<hr>
 1. Download "Tor Browser" from https://www.torproject.org/ and install it.<br>
 2. Open this link <br><b>http://4fp2u2ue4pyqdpfu.onion/sdlskglkehhr</b><br> In the "Tor Browser"
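The comparison shebeen28 describes (a pre-incident copy from Dropbox version history against the encrypted copy, with only sections of the file changed) can be made precise by reporting exactly which byte ranges were rewritten. The following is an added example, not code from the thread or from any poster; the two byte strings it compares are constructed for the demo and are not real ransomware output. Knowing the changed ranges tells you whether a file was partially or fully encrypted, which matters for what file-carving or recovery tools can still salvage.

```python
"""Added example (not from the thread or any poster): compare a pre-incident copy of
a file (e.g. one pulled from Dropbox version history) with its encrypted counterpart
and report which byte ranges were rewritten.  A file showing only a few changed runs
was partially encrypted; one that differs almost everywhere was fully encrypted.
The two byte strings at the bottom are constructed for the demo."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DiffReport:
    original_size: int
    encrypted_size: int
    changed_ranges: List[Tuple[int, int]] = field(default_factory=list)  # [start, end) offsets

    @property
    def changed_bytes(self) -> int:
        return sum(end - start for start, end in self.changed_ranges)

    @property
    def appended_bytes(self) -> int:
        # Growth beyond the original length (a footer with key material or a marker).
        return max(0, self.encrypted_size - self.original_size)

    @property
    def changed_fraction(self) -> float:
        overlap = min(self.original_size, self.encrypted_size)
        return self.changed_bytes / overlap if overlap else 0.0


def diff_ranges(original: bytes, encrypted: bytes) -> DiffReport:
    """Return the runs of byte offsets where the two copies disagree, comparing
    only the overlapping prefix; length growth is reported separately."""
    report = DiffReport(len(original), len(encrypted))
    overlap = min(len(original), len(encrypted))
    run_start = None
    for i in range(overlap):
        differs = original[i] != encrypted[i]
        if differs and run_start is None:
            run_start = i
        elif not differs and run_start is not None:
            report.changed_ranges.append((run_start, i))
            run_start = None
    if run_start is not None:
        report.changed_ranges.append((run_start, overlap))
    return report


def describe(report: DiffReport) -> str:
    """One-line summary suitable for a triage log."""
    runs = ", ".join(f"0x{s:x}-0x{e:x}" for s, e in report.changed_ranges) or "none"
    overlap = min(report.original_size, report.encrypted_size)
    return (f"{report.changed_bytes}/{overlap} bytes changed "
            f"({report.changed_fraction:.1%}) in ranges [{runs}], "
            f"{report.appended_bytes} bytes appended")


# Constructed sample: a 1 KiB "original" and a copy with two 64-byte blocks
# overwritten and a 16-byte trailer appended, mimicking partial encryption.
ORIGINAL = bytes(range(256)) * 4
_enc = bytearray(ORIGINAL)
for i in range(0, 64):
    _enc[i] ^= 0xA5
for i in range(512, 576):
    _enc[i] ^= 0x5A
_enc += b"\x00" * 16
ENCRYPTED = bytes(_enc)

if __name__ == "__main__":
    print(describe(diff_ranges(ORIGINAL, ENCRYPTED)))
```

On a real case, read both files with `open(path, "rb").read()` and pass them to `diff_ranges`; compare the report against the file's format (for a JPEG, an untouched middle with only the header run changed is a different recovery problem from a file changed end to end).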


#174 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,749 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 16 February 2018 - 09:14 AM

The message text looks like GlobeImposter

GlobeImposter/GlobeImposter 2.0 will leave files (ransom notes) named READ_IT.html, !back_files!.html, !SOS!.html, !your_files!.html, #HOW_DECRYPT_FILES#.html, here_your_files!.html, HOW_OPEN_FILES.html, HOW_OPEN_FILES.hta, how_to_back_files.html, how_to_recover_files.html, Read_ME.html, RECOVER-FILES.html, instruction.html as explained here.
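The ransom-note filenames listed above, together with the appended extensions reported earlier in this thread (.crypt, .PSCrypt, the picture.jpg..xls double extension, .crypted_yoshikada@cock_lu) and the .tmp.bat files Pan40 found in %temp%, make a usable first-pass triage of a file share. The script below is an added example, not code from the thread or from any poster; the sample path list is constructed, and the indicator lists contain only what this thread reports, so a clean result is not proof that a share is untouched.

```python
"""Added example (not from the thread or from any poster): walk a file share and
flag the GlobeImposter indicators reported in this thread.  Ransom-note names are
the ones listed in post #174; the extensions and the .tmp.bat artefacts are what
posters observed.  The sample path list is constructed for the demo."""
import os
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Ransom-note filenames from post #174, compared case-insensitively.
RANSOM_NOTES = {n.lower() for n in (
    "READ_IT.html", "!back_files!.html", "!SOS!.html", "!your_files!.html",
    "#HOW_DECRYPT_FILES#.html", "here_your_files!.html", "HOW_OPEN_FILES.html",
    "HOW_OPEN_FILES.hta", "how_to_back_files.html", "how_to_recover_files.html",
    "Read_ME.html", "RECOVER-FILES.html", "instruction.html",
)}

# Extensions reported in this thread; other builds use other ones, so an empty
# result here does not prove a share is clean.
ENCRYPTED_SUFFIXES = (".crypt", ".pscrypt", "..xls", ".crypted_yoshikada@cock_lu")

# Pan40 found *.tmp / *.tmp.bat files in %temp%; flag the .bat ones for collection.
ARTIFACT_SUFFIXES = (".tmp.bat",)


def _basename(path: str) -> str:
    # Split on either separator so Windows-style paths classify on any host.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def _dirname(path: str) -> str:
    norm = path.replace("\\", "/")
    return norm.rsplit("/", 1)[0] if "/" in norm else ""


def classify(path: str) -> Optional[str]:
    """Return 'ransom_note', 'encrypted_file', 'suspect_artifact' or None."""
    name = _basename(path).lower()
    if name in RANSOM_NOTES:
        return "ransom_note"
    if name.endswith(ENCRYPTED_SUFFIXES):
        return "encrypted_file"
    if name.endswith(ARTIFACT_SUFFIXES):
        return "suspect_artifact"
    return None


def triage(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket paths by indicator type; untouched files are left out."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for p in paths:
        kind = classify(p)
        if kind:
            hits[kind].append(p)
    return dict(hits)


def affected_directories(hits: Dict[str, List[str]]) -> List[str]:
    """Directories holding a note or an encrypted file: the area to isolate and
    to preserve (clone, do not clean) before any recovery attempt."""
    dirs = {_dirname(p) for k in ("ransom_note", "encrypted_file") for p in hits.get(k, [])}
    return sorted(dirs)


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Live scan of a mounted share; use this instead of SAMPLE_PATHS on a real box."""
    return triage(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)


# Constructed sample listing, not taken from a real incident.
SAMPLE_PATHS = [
    "D:/Shares/Finance/!back_files!.html",
    "D:/Shares/Finance/budget.xlsx.crypt",
    "D:/Shares/Finance/Q4/report.docx.PSCrypt",
    "D:/Shares/HR/picture.jpg..xls",
    "D:/Shares/HR/how_to_back_files.html",
    "D:/Shares/Ops/db.bak.crypted_yoshikada@cock_lu",
    "C:/Users/svc/AppData/Local/Temp/a1b2.tmp.bat",
    "D:/Shares/Finance/legit.xls",
    "D:/Shares/Finance/notes.txt",
]

if __name__ == "__main__":
    found = triage(SAMPLE_PATHS)
    for kind, paths in found.items():
        print(f"{kind}: {len(paths)}")
    print("affected:", affected_directories(found))
```

Run `scan_tree(r"\\server\share")` from a clean workstation with read-only access; collect any `suspect_artifact` hits for analysis before anyone cleans the temp directories, since those are exactly the samples researchers ask for later in this thread.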

#175 meHorhe

  • Members
  • 10 posts
  • Gender:Male

Posted 16 February 2018 - 09:50 AM

@shebeen28, very ugly experience.

Did you catch the running apps that encrypted the data? I was unable to locate the malware files for analysis.

If you can supply the malware, that can help future research for a decrypter.

In the meantime, try restoring the server from shadow copy recovery.

I used a free app from runtime.org to clone the affected disks and am waiting for a solution.

Even if my data becomes obsolete in a month, I'll wait for at least a year for a decrypter.



#176 shebeen28

  • Members
  • 4 posts

Posted 19 February 2018 - 04:28 AM

post edited...will update later


Edited by shebeen28, 19 February 2018 - 07:55 AM.


#177 meHorhe

  • Members
  • 10 posts
  • Gender:Male

Posted 19 February 2018 - 05:18 AM

Close the deal and post after.

Probably they work as we all do, but ransoms are a free-time job.


Edited by meHorhe, 19 February 2018 - 05:35 AM.


#178 shebeen28

  • Members
  • 4 posts

Posted 19 February 2018 - 05:20 AM

> The price is good enough, heard about 10 BTC a few weeks ago.
>
> Word of advice, close the deal and post after, I fear that this forum is accessible to hackers too. If they find that data worth more, the price may rise.
>
> p.s. Probably they work as we all do, but ransoms are a free-time job.

Good point. Will edit my post immediately.



#179 wmcn

  • Members
  • 17 posts

Posted 01 March 2018 - 07:28 AM

any news?



#180 shebeen28

  • Members
  • 4 posts

Posted 01 March 2018 - 07:33 AM

> any news?

YES,

Paid the ransom, got the decryptor program and all is back to normal.

Have taken a lot more measures to prevent a repeat.

Have submitted all data here, and happy to help in any way.





