
GlobeImposter Ransomware Support (.Crypt & .PSCrypt ext - !back_files!.html )


74 replies to this topic

#61 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,297 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:48 PM

Posted 07 August 2017 - 09:53 AM

Crypto malware and other forms of ransomware spread via a variety of common vectors...opening a malicious or spam email attachment, executing a malicious file, web exploits, exploit kits, malvertising campaigns, non-malware (fileless) attacks, drive-by downloads and RDP bruteforce attacks against servers especially by those involved with the development and spread of ransomware. Section :step2: in this topic explains in more detail the most common methods Crypto malware (file encrypting ransomware) and other forms of ransomware are typically delivered and spread.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

 


#62 HAL9001

HAL9001

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:48 AM

Posted 09 August 2017 - 02:41 AM

Good morning,

 

a question to all users but maybe even more to the moderators:

 

I am looking for a website / an online service that on the one hand lets you check your encrypted files for available methods of decryption and on the other hand will inform you via e-mail as soon as a decryptor exists. I think there is an online service which exactly works this way, but I can't find it anymore.

 

Thank you

 

 

HAL



#63 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,297 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:48 PM

Posted 09 August 2017 - 05:11 AM


You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then attempts to direct you to an appropriate support topic where you can seek further assistance.

You can also submit samples of encrypted files, ransom notes, email/website address you see in the ransom demand to No More Ransom for assistance with identification and possible decrypting solutions. This is a global service backed by Kaspersky and other security partners.

However, neither informs you separately via email when a decryption tool is available.

When or if a decryption solution is found, that information will be provided in the appropriate BC support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.
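A read-only inventory of what the two services above ask for (ransom notes plus a few encrypted files), gathered before submission. This is an added example, not part of the post above or any BleepingComputer tool; the extensions and note names are the ones mentioned in this thread, while `collect_samples`, `sha256_of`, `demo` and the directory tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Names taken from this thread; extend the sets for other variants.
ENCRYPTED_EXTS = {".crypt", ".pscrypt", ".726"}
RANSOM_NOTES = {"!back_files!.html", "recover-files-726.html", "recover-files.html"}

def sha256_of(path):
    """Hash a file in chunks so large encrypted files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def collect_samples(root, max_samples=2):
    """Inventory ransom notes and encrypted files under root without modifying them."""
    notes, encrypted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if lower in RANSOM_NOTES:
                notes.append(path)
            elif ext in ENCRYPTED_EXTS:
                # Record the "..726" double-dot form mentioned in the thread.
                double_dot = lower.endswith(".." + ext[1:])
                encrypted.append((os.path.getsize(path), path, double_dot))
    encrypted.sort()  # smallest first: small samples are easiest to upload
    samples = [
        {"path": p, "size": s, "double_dot": d, "sha256": sha256_of(p)}
        for s, p, d in encrypted[:max_samples]
    ]
    return {"notes": sorted(notes), "encrypted_total": len(encrypted), "samples": samples}

def demo():
    """Build a constructed directory tree and run the inventory over it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        constructed = {"docs/report.docx..726": b"A" * 300, "photo.jpg..726": b"B" * 100,
                       "notes.txt.crypt": b"C" * 200, "Recover-Files-726.html": b"<html>",
                       "untouched.txt": b"plain"}
        for rel, data in constructed.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return collect_samples(root)
```

Run it against a copy or a read-only mount of the affected volume, and keep the recorded hashes with the case notes so the submitted samples can be matched to their originals later.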

#64 rookieplayer

rookieplayer

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 10 August 2017 - 02:36 AM

Please see here for some tools to recover your files

http://www.vkremez.com/2017/08/lets-learn-how-to-unpack-globeimposter.html

 

https://twitter.com/search?q=%23GlobeImposter%2C

 

http://en.whotwi.com/malwrhunterteam/tweets/hashtag/Globe

 

 

 

I am coming from this thread

https://www.bleepingcomputer.com/forums/t/653396/725-globeimposter-v2-decrypter/

 

My Files have been encrypted with .726 extension 

to be precise with ..726 (double dots)

https://support.emsisoft.com/topic/27917-726-globeimposter-not-decrypting/?tab=comments#comment-174021

 

I have contacted the hacker or virus creator asking for ransom by clicking and following the instructions in the Recover-Files-726.html 

 

I have emailed the required information, that is,

 

Quote

 

If you want to buy a decryptor, click the button



Yes, I want to buy 
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
To send a message or file use this link.
( If you send a file for free decryption, also send file RECOVER-FILES.HTML ) 
Support
 
 

 

I have asked them to send sample decrypted files, which they have sent

 

 

Quote

 

all workin
 
PAY 0.31 bicoin on the Bitcoin address: 1N7cJHKGzF9VzYyAydXKCNEMy2UEQQfyUF

 

 

 

 

 

You can download two encrypted and decrypted files 

https://drive.google.com/file/d/0B1sAdmK6CUl6REh5ZExHOVZlU0E/view?usp=sharing

 

https://drive.google.com/open?id=0B1sAdmK6CUl6REh5ZExHOVZlU0E

 

 

I am not sure what the name of this ransom is:

Global Imposter 2.0 ..726 Extension

or some other name.... and don't know if there is any decrypting tool yet. Contacted many, still no answers.

 

I hope someone creates a decrypting tool for it, so everyone can benefit -- including myself

 

 

Tags:  726 Extension Virus Ransomware Global Imposter Encrypt Decrypt Bitcoin Ransom Files Tool Removal 

 



#65 kukumber

kukumber

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 11 August 2017 - 02:34 PM

If anybody is interested in doing malware analysis, I have isolated the executable for GlobeImposter ransomware.



#66 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,297 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:48 PM

Posted 11 August 2017 - 03:18 PM

Samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic.

#67 ph0b1a

ph0b1a

  • Members
  • 4 posts
  • OFFLINE
  •  

Posted 14 August 2017 - 11:52 PM

Hello all

 

One of my clients got hit with this virus. I tried all I can think of to get her files back and I did not succeed. I did have some luck running recovery software, I was able to get about 10 percent of her files back which is nothing really. The client wanted everything back so she advised me to proceed and pay the ransom with bitcoins, which by the way is the biggest hassle in the world. I did not know acquiring bitcoins was so complex. Luckily, everything went well.

I do happen to have the decrypter that worked for my machine, I'm sure it won't work for anyone else but maybe someone can analyze it and learn from it?



#68 rookieplayer

rookieplayer

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 15 August 2017 - 02:41 AM

Thanks, can you please upload the decryptor for experts to analyze it? Maybe I can share some amount for the decryptor if it works on my PC.

Is the decryptor for the .726 extension or some other extension?


Edited by rookieplayer, 15 August 2017 - 02:41 AM.


#69 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,297 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:48 PM

Posted 15 August 2017 - 07:56 AM

Typically with ransomware, each victim's decrypter (decoder) provided by the malware developer is unique to them with their own private RSA decryption key, password or personal ID which cannot be used with someone else's encrypted files. Sharing a decrypter, decryption key, password or personal ID provided by the cyber-criminals with another victim who paid the ransom will not work since the keys are different for each individual case. Further, there is no guarantee that the decrypter provided by the cyber-criminals will work properly and in some cases using a faulty or incorrect decrypter may cause additional damage or corruption of files.

However, if you received a working decrypter, you can zip and submit it here with a link to this topic along with a few encrypted files and anything else the malware writers provide.

Even though the decrypter will not work for other victims, our crypto malware experts may be able to get some information by analyzing it further.

#70 valdiviano28

valdiviano28

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:48 AM

Posted 15 August 2017 - 11:45 AM

Hello everyone, this is my first post, and first of all I thank those who read it and those who can, please, lend me a hand, since I am really distressed and desperate... Thank you all

I am infected with GlobeImposter 2.0, which encrypted 120 GB of my files

Any solution?

Please, I'm desperate...

Thank you



#71 valdiviano28

valdiviano28

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:12:48 AM

Posted 15 August 2017 - 12:13 PM

Please... has anyone used one of these options to decrypt GlobeImposter 2.0?? Please comment...



#72 ph0b1a

ph0b1a

  • Members
  • 4 posts
  • OFFLINE
  •  

Posted 16 August 2017 - 09:43 PM

 


That is correct sir, all files got turned into the .726 extension.



#73 ph0b1a

ph0b1a

  • Members
  • 4 posts
  • OFFLINE
  •  

Posted 16 August 2017 - 09:46 PM


Done! Best of luck, I hope it helps fighting the good fight. As I said before, it worked 100 percent with the infected computer.



#74 Netmania

Netmania

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:09:48 AM

Posted 18 August 2017 - 05:08 AM

I submitted an infected file with ..726 but am still waiting. Hope anyone can help! Thanks



#75 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,297 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:48 PM

Posted 18 August 2017 - 05:41 AM

After our experts have examined submitted files, they typically will only reply in a support topic if they can assist or need further information. If not, then the submitted files were not helpful.



