
GlobeImposter Ransomware Support (.Crypt & .PSCrypt ext - !back_files!.html )


86 replies to this topic

#76 scanme


Posted 24 August 2017 - 04:27 AM

No way now? Thanks




 


#77 Netmania


Posted 31 August 2017 - 06:29 AM

Anyone got a way to decrypt them right now?



#78 quietman7

  • Global Moderator

Posted 31 August 2017 - 07:40 AM

Still no way to decrypt.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#79 rosaos


Posted 04 September 2017 - 02:36 PM

Hi,

 

I have been reading this topic since July. We got infected with GlobeImposter 2.0, as ID Ransomware reported to me in the online file test.
The email which asks for ransom is youdecrypted@india.com and the extension for encrypted files is .nopasaran.

I have found three files suspected of being part of the attacker's encryption process. There are two batch files which make changes to RDP Service registry records and start some kind of process with a file named wevtutil.exe.

But the most important file is a plain text one with a name only 32 characters long, which seems to be in hexadecimal. It is a 2 KB file containing the following information in two single lines of plain text, as mentioned:

  • First line: 256 characters with no spaces. Uppercase alphanumeric text string in hexadecimal.
  • Second line: My personal ID to pay the ransomware.

I hope, maybe this could be helpful. Ask for the files if so.

 

 

 

NOTE: I have a sample of the same file: encrypted and original version from the encrypted computer if needed too.
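Added example, not part of rosaos's post or of any BleepingComputer tool: a read-only Python triage script that locates files matching the artifact described above (32-hex-character name, two lines, first line 256 uppercase hex characters) and records a SHA-256 for each so the evidence can be preserved and shared with analysts. The function names, the 4096-byte size ceiling and the "no file extension" reading of the description are assumptions; the sample files are constructed.

```python
import hashlib
import os
import re
import tempfile

HEX_NAME = re.compile(r"[0-9A-Fa-f]{32}")  # 32 hex chars, no extension (assumed)
HEX_LINE = re.compile(r"[0-9A-F]{256}")    # first line as described in the post
MAX_SIZE = 4096                            # post says about 2 KB; margin is assumed

def matches_description(path):
    """True if the file fits the two-line layout described in the post."""
    if not HEX_NAME.fullmatch(os.path.basename(path)):
        return False
    try:
        if os.path.getsize(path) > MAX_SIZE:
            return False
        with open(path, "rb") as fh:       # read-only: never modify evidence
            text = fh.read().decode("ascii")
    except (OSError, UnicodeDecodeError):
        return False
    lines = text.splitlines()
    return (len(lines) == 2 and HEX_LINE.fullmatch(lines[0]) is not None
            and lines[1].strip() != "")

def find_candidates(root):
    """Return sorted (path, sha256) pairs for matching files under root."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if matches_description(path):
                with open(path, "rb") as fh:
                    hits.append((path, hashlib.sha256(fh.read()).hexdigest()))
    return sorted(hits)

def demo():
    """Scan a temp directory holding constructed sample files."""
    samples = {
        "0123456789ABCDEF0123456789ABCDEF": "AB" * 128 + "\nCONSTRUCTED-ID\n",
        "FEDCBA9876543210FEDCBA9876543210": "ab" * 128 + "\nlowercase line\n",
        "notes.txt": "AB" * 128 + "\nwrong file name\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return [os.path.basename(p) for p, _ in find_candidates(root)]

if __name__ == "__main__":
    print(demo())
```

Run `find_candidates` against a forensic copy or a mounted image rather than the live system where possible, and keep the matching files together with the ransom note and an encrypted/original file pair.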
 



#80 knursultank


Posted 10 September 2017 - 09:46 AM

Hello! 

 

I've been looking for the decryptor of GlobeImposter 2.0 for several days, but there is no solution yet.

All my files are encrypted and given the extension .foste, and they left an HTML file named how_to_back_files.html

Contact email that they left is fostecrypt@aol.com

The screen is available at: https://hkar.ru/QKhv

I tried to contact them at fostecrypt@aol.com and they want me to pay 0.5 BTC, but there is no guarantee that they will give the decryptor after the payment.

 

If anyone got the solution, can you pls help?



#81 quietman7

  • Global Moderator

Posted 10 September 2017 - 02:48 PM

When or if a decryption solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

#82 knursultank


Posted 15 September 2017 - 08:45 AM

Hello everyone!

I got this virus on my server, and to solve this problem I paid 0.4 BTC, but they didn't decrypt my files.

Be very careful before paying, they can send you the decipher which doesn't work.

Hope the decipher will appear very soon.

 

Good luck to everyone.



#83 Senthil_y


Posted 16 September 2017 - 12:23 AM

Dear All,

 

Our Server is affected by Globe Imposter. Files are encrypted to .PLIN extension. If anyone has the decryption tool for the same please let me know. It has encrypted our SQL Database file and Backup Files. Kindly let me know ASAP. Thank You. 



#84 quietman7

  • Global Moderator

Posted 16 September 2017 - 06:02 AM

There is no decryption tool... there is no known way to decrypt files encrypted by all the latest versions of GlobeImposter without paying the ransom.

#85 Maikl


Posted Yesterday, 03:14 AM

I would be pleased to ask if there is some information on this topic....  :(

 

Your documents, photos, databases and other important files have been encrypted cryptographically strong, without the original key recovery is impossible! To decrypt your files you need to buy the special software - "MONKSERENEN DECRYPTOR" Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk.

If you want to restore files, write us to the e-mail: monkserenen@tvstar.com In subject line write "encryption" and attach your personal ID in body of your message also attach to email 3 crypted files. (files have to be less than 10 MB)

It is in your interest to respond as soon as possible to ensure the recovery of your files, because we will not store your decryption keys on our server for a long time. 

 

Original file:  images.jpg (11.7 KB)
Encrypted file:  images.jpg.crypted_monkserenen@tvstar_com (12.6 KB)
 


#86 Maikl


Posted Yesterday, 04:23 AM

Dear quietman7, Demonslay335,

Is this precise encryption part of this GlobeImposter category?



#87 quietman7

  • Global Moderator

Posted Yesterday, 05:56 AM

As Demonslay335 has already told you and as I have mentioned numerous times in this topic...there is no known way to decrypt files encrypted by all the latest versions of GlobeImposter without paying the ransom.



