
GlobeImposter Ransomware Support (.Crypt & .PSCrypt ext - !back_files!.html )


101 replies to this topic

#31 troy99


Posted 23 June 2017 - 02:17 PM

For those of us who are victims of this GlobeImposter 2.0 ransomware.

 

I have the scammer talked down to $250 US for the decoder. Nothing I hate more than to pay this guy, but if it will open up the key and benefit everyone else, I'm considering it.

Would any of you who also need it be willing to chip in to help cover this payment? 

 

Moderator, so all you would need is the decoder and my encrypted ID?


Edited by troy99, 23 June 2017 - 02:19 PM.



#32 quietman7

Global Moderator

Posted 23 June 2017 - 02:36 PM

Typically with ransomware, each victim's decrypter (decoder) provided by the malware developer is unique to them with their own private RSA decryption key, password or personal ID which cannot be used with someone else's encrypted files. Sharing a decrypter, decryption key, password or personal ID provided by the cyber-criminals with another victim who paid the ransom will not work since the keys are different for each individual case. Further, there is no guarantee that the decrypter provided by the cyber-criminals will work properly and in some cases using a faulty or incorrect decrypter may cause additional damage or corruption of files.

However, if you received a working decrypter, you can zip and submit it here with a link to this topic along with a few encrypted files and anything else the malware writers provide.

Even though the decrypter will not work for other victims, our crypto malware experts may be able to get some information by analyzing it further.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#33 Tomest


Posted 06 July 2017 - 05:46 AM

For those of us who are victims of this GlobeImposter 2.0 ransomware.

 

I have the scammer talked down to $250 US for the decoder.   Nothing I hate more than to pay this guy, but if it will open up the key and benefit everyone else, I'm considering it.

Would any of you who also need it be willing to chip in to help cover this payment? 

 

Moderator, so all you would need is the decoder and my encrypted ID?

 

Did you eventually do this? We got both our main and backup server encrypted with what seems like GlobeImposter 2.0, but with a .graf extension.

We're now considering our options, but well it's unfortunately quite limited...



#34 quietman7


Posted 06 July 2017 - 06:15 AM

Other possible options include using native Windows Previous Versions or programs like Shadow Explorer and ShadowCopyView if the malware did not delete all shadow copy snapshots. It never hurts to try in case the malware did not do what it was supposed to do...it is not uncommon for these infections to sometimes fail to properly delete Shadow Volume Copies. In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work either...again, it never hurts to try.
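A check for the shadow copy route quietman7 describes above, written for this thread as an added example (it is not code from BleepingComputer or from any tool mentioned here): it lists the snapshots VSS still holds for each drive and exposes one as a folder the way ShadowExplorer does. The mount root C:\ShadowMounts and the two helper names are assumptions; run it from an elevated PowerShell session.

```powershell
# Added example, not from the thread. Enumerate surviving VSS snapshots and
# optionally expose one as a directory symlink so files can be copied out with
# Explorer or robocopy. Mount root C:\ShadowMounts is an assumption.

function Get-SurvivingShadowCopies {
    # Win32_Volume maps the \\?\Volume{GUID}\ name used by VSS to a drive letter.
    $volumes = Get-CimInstance Win32_Volume | Where-Object DriveLetter
    Get-CimInstance Win32_ShadowCopy | ForEach-Object {
        $shadow = $_
        $vol = $volumes | Where-Object { $_.DeviceID -eq $shadow.VolumeName }
        [pscustomobject]@{
            Id           = $shadow.ID
            Drive        = $vol.DriveLetter
            Created      = $shadow.InstallDate
            DeviceObject = $shadow.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } | Sort-Object Drive, Created
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)] [string] $DeviceObject,
        [string] $MountRoot = 'C:\ShadowMounts'
    )
    # The snapshot device is exposed through a directory symbolic link; the
    # trailing backslash on the device path is required or mklink fails.
    $name   = Split-Path $DeviceObject -Leaf
    $target = Join-Path $MountRoot $name
    New-Item -ItemType Directory -Path $MountRoot -Force | Out-Null
    if (Test-Path $target) { return $target }
    cmd /c mklink /d "$target" "$DeviceObject\" | Out-Null
    return $target
}

$shadows = Get-SurvivingShadowCopies
if (-not $shadows) {
    Write-Warning 'No shadow copies found: the malware deleted them, or none were ever taken.'
} else {
    $shadows | Format-Table -AutoSize
    # Expose the newest snapshot of the system drive and show a sample of its contents.
    $newest = $shadows | Where-Object Drive -eq 'C:' | Select-Object -Last 1
    if ($newest) {
        $mount = Mount-ShadowCopy -DeviceObject $newest.DeviceObject
        Write-Host "Snapshot from $($newest.Created) exposed at $mount"
        Get-ChildItem $mount | Select-Object -First 10
    }
}
```

When finished, remove the link with `cmd /c rmdir "$mount"`, which deletes only the symlink and leaves the snapshot untouched.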

#35 Tomest


Posted 06 July 2017 - 09:28 AM

Other possible options include using native Windows Previous Versions or programs like Shadow Explorer and ShadowCopyView if the malware did not delete all shadow copy snapshots. It never hurts to try in case the malware did not do what it was supposed to do...it is not uncommon for these infections to sometimes fail to properly delete Shadow Volume Copies. In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work either...again, it never hurts to try.

Unfortunately it does delete the shadow copy snapshots, but thanks for the tips!



#36 quietman7


Posted 06 July 2017 - 03:00 PM

If those tips are not a viable option, the only other alternative to paying the ransom is to backup/save your encrypted data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution. Law enforcement authorities have had some success arresting cyber-criminals, seizing C2 servers and releasing private RSA decryption keys to the public. In some cases, the cyber-criminals, for whatever reason, choose to release the master keys after a period of time. Several of them have done that here at Bleeping Computer.

#37 Pedro SImoes


Posted 10 July 2017 - 10:15 AM

Sample files submitted: encrypted and decrypted file, and ransom note

 

Cheers! :) 

 

If those tips are not a viable option, the only other alternative to paying the ransom is to backup/save your encrypted data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution. Law enforcement authorities have had some success arresting cyber-criminals, seizing C2 servers and releasing private RSA decryption keys to the public. In some cases, the cyber-criminals, for whatever reason, choose to release the master keys after a period of time. Several of them have done that here at Bleeping Computer.



#38 discostur


Posted 11 July 2017 - 02:46 PM

Hi,

 

I made a check which ransomware I have and it said it's GlobeImposter 2.0, but I have different file endings:

 

.[kilokit@bigmir.net]malew

 

The online check identified it by the provided "how_to_back_files.html" file. Now I have an encrypted and a decrypted example file. Is there a place where I can upload it so it may help you build a decryption tool? Just want to help ...

 

Thanks

Greets

Kilian



#39 quietman7


Posted 11 July 2017 - 02:51 PM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button.

#40 discostur


Posted 11 July 2017 - 03:21 PM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button.

 

ok, just submitted it! Thanks and good luck ;)



#41 Yunalescar


Posted 11 July 2017 - 05:10 PM

Uploaded a set of original and encrypted files along with the note

 

in my case: .hNcyrpt

 

Identified by ID Ransomware:

GlobeImposter 2.0
  • ransomnote_filename: how_to_back_files.html
  • custom_rule: victim ID format


#42 quietman7


Posted 11 July 2017 - 05:34 PM

Unfortunately, there is still no way to decrypt files encrypted by all the latest versions of GlobeImposter without paying the ransom. If possible, your best option is to restore from backups.

#43 Yunalescar


Posted 11 July 2017 - 05:53 PM

Unfortunately, there is still no way to decrypt files encrypted by all the latest versions of GlobeImposter without paying the ransom. If possible, your best option is to restore from backups.

If I had some...

Luckily, the encryption choked on a 15GB video file I did convert from VHS to digital MP4 for my grandma, so it stopped like a quarter of the way through my drive...

So I guess I'm gonna check if the few files that got encrypted aren't anywhere else as a copy :=(

To think of it, that I'm the moron telling everyone to get their backups straight, it's kinda ironic.

But yet still hoping there might be something out there.

At least, my interest in reverse engineering of encryption tools did fire up



#44 MarkusF


Posted 12 July 2017 - 04:42 AM

After being attacked I've uploaded some files, may they help....



#45 Black_RiOt


Posted 17 July 2017 - 03:00 PM

Ok I posted files about the .goro variant:

So here is the link to the 7z file containing the dumps of the three goro.exe processes, and sample files and goro.exe...

https://drive.google.com/drive/folders/0ByGYGVrtCny5cy1XaldlVkZTd0k?usp=sharing

 

Hope this can help...

 

Black_RiOt





