
CRYPTOBOSS ransomware (.CRYPTOBOSS; HOW TO RECOVER ENCRYPTED FILES.TXT)


5 replies to this topic

#1 griechae

Posted 01 May 2017 - 09:55 AM

Hello to all,

First, I must apologize for my bad English because it isn't my first language.

My problem:

All my files (mp3, jpg etc.) are encrypted.

For example: 8g000000003d7joOJplTwwPtp8oxyU8TntyYwPC0USaK2afms3SnPuG9NDW-BQUXDvgOiedOiss.CRYPTOBOSS

I don't have any access to any account, so I copied an infected file and a non-infected one and tried on a second PC.

I used ID Ransomware to identify my ransom; it tells me that it is GLOBE3. So I downloaded the program and tried it out. But the program said that the two files are not matching. So I tried others and nothing worked for me...

HOW TO RECOVER ENCRYPTED FILES.TXT:

Spoiler

I know that is not much information but I hope that someone can help me.


Edited by griechae, 01 May 2017 - 09:57 AM.




#2 Demonslay335

Posted 01 May 2017 - 11:33 AM

That's interesting, they just keep spoofing other ransomware apparently. I'm not seeing any submissions of the .CRYPTOBOSS extension with the filename renamed.

The note definitely looks like Globe3, and I've had that email confirmed from some other sample. Please share the file pairs you are trying. It has to be an encrypted file and its original. They will be the same filesize, and must be over 64KB.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 griechae

Posted 02 May 2017 - 12:29 AM

I have tried it with several MP3s. The infected one is from the PC; the non-infected one is from my smartphone. Is this even possible?

https://www.sendspace.com/file/2039ae



#4 Walter1337

Posted 02 May 2017 - 03:11 AM

Hello guys,

I have the same encryption ransomware on a server.

My luck is that I have backups which I can use.

But every time I restore the system, a few days later the ransomware begins to encrypt the files again.

Does anyone know how I can remove this malware from my system?

I used ESET Security and Malwarebytes Anti-Malware, but the software didn't find anything.

@griechae

I'm sorry that I am using your topic, but I think we need more information about this ransomware, also for other people who have the same problem.

It would be great if we could solve this problem together.

Don't you have a backup of your computer?

Greetings from Germany



#5 griechae

Posted 02 May 2017 - 08:10 AM

I am from Germany too, so we can talk German in PM when necessary.

Which server version are you using? My PC is a small "homeserver" with Windows Server 2011.

I have some backups, but just of some files, not the complete system. My bad luck was that one USB HDD I used for some backups crashed...

Do you use Remote Desktop? Somehow I have a guess that they used this connection to infect the system.


Edited by griechae, 02 May 2017 - 08:13 AM.


#6 Demonslay335

Posted 02 May 2017 - 08:48 AM

Looks like we're dealing with another imposter of Globe. There's 32 bytes appended to the end of the file, and a bit of a filemarker at the beginning it looks like. Still encrypts only 64KB.

 

This looks like the Amnesia variant in this topic: https://www.bleepingcomputer.com/forums/t/645659/amnesia-file-amnesia/

 

We have a sample queued for analysis at some point.


Edited by Demonslay335, 02 May 2017 - 08:49 AM.

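Added example, not part of the original posts: a small Python check for the file-pair properties described in this thread (pair over 64KB, size difference between the two files, how far the changed bytes extend, and whether the rest of the file is identical). The sample data is constructed; the XOR stand-in for encryption, the `0xAA` trailer and all function names are assumptions, and the marker at the start of the file is not modelled.

```python
KIB64 = 64 * 1024  # region size quoted in the thread ("encrypts only 64KB")


def profile_pair(original: bytes, encrypted: bytes) -> dict:
    """Describe where an encrypted file differs from its claimed original."""
    common = min(len(original), len(encrypted))
    diffs = [i for i in range(common) if original[i] != encrypted[i]]
    return {
        # the thread asks for pairs larger than 64KB
        "over_64kb": len(original) > KIB64,
        # bytes added (+) or removed (-) relative to the original
        "size_delta": len(encrypted) - len(original),
        # offset of the first changed byte, None if nothing changed
        "first_diff": diffs[0] if diffs else None,
        # offset just past the last changed byte in the shared length
        "modified_end": diffs[-1] + 1 if diffs else 0,
        # True when everything past the first 64KB is byte-identical
        "tail_identical": original[KIB64:common] == encrypted[KIB64:common],
    }


def make_constructed_pair():
    """Constructed sample data, not real ransomware output."""
    original = bytes(range(256)) * 400                 # 100 KiB of known data
    head = bytes(b ^ 0xFF for b in original[:KIB64])   # XOR stands in for encryption
    trailer = b"\xAA" * 32                             # placeholder 32-byte trailer
    return original, head + original[KIB64:] + trailer


if __name__ == "__main__":
    original, encrypted = make_constructed_pair()
    print(profile_pair(original, encrypted))

    # A copy of the "same" file taken from another device can differ
    # outside the encrypted region (here: one changed byte at the end).
    other_copy = original[:-1] + b"\x00"
    print(profile_pair(other_copy, encrypted)["tail_identical"])
```

A `tail_identical` value of `False` means the two files are not the same content outside the first 64KB, so they are not a true encrypted/original pair under the layout assumed here.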




