A new client of mine was hit by what looks to me like a new variant of the Globe ransomware, which seemed to have infected their web server machine via the EternalBlue SMB exploit (this machine was susceptible) and came through on 14/05/2017. Wanting to give the heads up and also look for confirmation of what I am dealing with here.
For all intents and purposes this looks like the Globe ransomware to me due to the ransom note left behind. The .wallet extension would normally indicate Dharma, but unless they have started using Globe ransom notes I do not think it is, and ID Ransomware agrees it is also Globe.
Then there is this tweet when searching the email address: https://twitter.com/drProct0r/status/857908944345456640
Drops a ransom note titled "How to restore files.hta" and here is a screenshot: http://imgur.com/a/uSrX5
Contact email is a new one: firstname.lastname@example.org
Leaves file names intact but adds ".[email@example.com].wallet" to the extension.
I was excited at first knowing a fair few Globe/2/3 decryption tools are out there now, but none of them have been successful in decrypting.
Below is a link for a sendfiles dump of the following:
- Encrypted Font File (Gotham Bold)
- Original Unencrypted Version of same Font File
- Ransom Note as a TXT File
- JPG Screenshot of Ransom File
Before anyone says this is a broken version of Globe, I have been in contact with the crooks behind this ransomware on the email provided, who replied promptly asking for 0.5 BTC and saying it would increase to 0.7 BTC by tomorrow. I sent them an encrypted text file which they returned fully decrypted, so they are obviously able to decrypt.
I am thinking this is a Globe reboot rushed out to take advantage of the EternalBlue exploit right behind WannaCry, timing & use of exploit would indicate so.
If anyone needs any more info, or needs further files for analysis, or even has a recommendation of what we can try to decrypt (which is a lot easier than rebuilding this server), that would be much appreciated.
Edited by whizzit, 16 May 2017 - 02:01 AM.
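A small triage helper for the naming convention and ransom note described in the post, added here as an example and not code from the original post or any tool it mentions. It assumes the pattern "&lt;original name&gt;.[&lt;contact email&gt;].wallet" and the note name "How to restore files.hta"; the file paths and the example.org address are constructed sample data, not real indicators.

```python
import re
from collections import Counter

# Renaming scheme from the post: original file name kept, then
# ".[<contact email>].wallet" appended to it.
WALLET_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<email>[^\[\]\s]+@[^\[\]\s]+)\]\.wallet$",
    re.IGNORECASE,
)
RANSOM_NOTE = "how to restore files.hta"  # compared case-insensitively


def parse_wallet_name(filename):
    """Return {'original': ..., 'email': ...} for a file renamed by this
    family, or None for anything else (including a bare '.wallet')."""
    m = WALLET_RE.match(filename)
    if not m:
        return None
    return {"original": m.group("original"), "email": m.group("email")}


def scan_paths(paths):
    """Inventory a list of file paths: how many files carry the
    ransomware naming pattern, which contact emails appear in them
    (more than one could hint at a second campaign), and where ransom
    notes were dropped. Works on either path separator."""
    encrypted, emails, notes = [], Counter(), []
    for path in paths:
        name = re.split(r"[\\/]", path)[-1]
        hit = parse_wallet_name(name)
        if hit:
            encrypted.append((path, hit["original"]))
            emails[hit["email"]] += 1
        elif name.lower() == RANSOM_NOTE:
            notes.append(path)
    return {
        "encrypted_count": len(encrypted),
        "encrypted": encrypted,
        "contact_emails": dict(emails),
        "ransom_notes": notes,
    }


# Constructed sample listing for a hypothetical affected web root.
SAMPLE_PATHS = [
    r"C:\inetpub\wwwroot\fonts\GothamBold.ttf.[firstname.lastname@example.org].wallet",
    "C:/inetpub/wwwroot/index.html.[firstname.lastname@example.org].wallet",
    "C:/inetpub/wwwroot/How to restore files.hta",
    "C:/inetpub/wwwroot/logo.png",
    "C:/Users/admin/Desktop/notes.txt.wallet",  # bare .wallet: not this pattern
]

if __name__ == "__main__":
    print(scan_paths(SAMPLE_PATHS))
```

Feeding it a recursive directory listing gives a quick count of what was hit and the original names to restore from backup, without touching the encrypted files themselves.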