
New Globe or Dharma Variant using EternalBlue exploit?? .wallet extension


8 replies to this topic

#1 whizzit


Posted 16 May 2017 - 01:57 AM

Hi Everyone,

A new client of mine was hit by what looks to me like a new variant of the Globe ransomware, which seemed to have infected their web server machine via the EternalBlue SMB Exploit (this machine was susceptible) and came through on the 14/05/2017. Wanting to give the heads up and also look for confirmation of what I am dealing with here. 

 

Ransomware Info:

 

For all accounts and purposes this looks like the Globe ransomware to me due to the ransomware note left behind. The .wallet extension would indicate Dharma normally but unless they have started using Globe ransom notes I do not think it is, and ID Ransomware agrees it is also Globe.

Then there is this tweet when searching the email address: https://twitter.com/drProct0r/status/857908944345456640

 

Drops a ransom note titled "How to restore files.hta" and here is a screenshot: http://imgur.com/a/uSrX5

Contact email is a new one: inter7a@tutanota.com

 

Leaves file names intact but adds ".[inter7a@tutanota.com].wallet" to the extension.

I was excited at first knowing a fair few Globe/2/3 decryption tools are out there now, but none of them have been successful in decrypting.

 

Below is a link for a sendfiles dump of the following:

- Encrypted Font File (Gotham Bold)

- Original Unencrypted Version of same Font File

- Ransom Note as a TXT File

- JPG Screenshot of Ransom File

 

Password: kfMve2qI

 

Before anyone says this is a broken version of Globe, I have been in contact with the crooks behind this ransomware via the email provided; they replied promptly asking for 0.5 BTC and saying it would increase to 0.7 BTC by tomorrow. I sent them an encrypted text file which they returned fully decrypted, so they are obviously able to decrypt.

 

I am thinking this is a Globe reboot rushed out to take advantage of the EternalBlue exploit right behind WannaCry, timing & use of exploit would indicate so.

 

If anyone needs any more info, or needs further files for analysis, or even has a recommendation of what we can try to decrypt (which is a lot easier than rebuilding this server), that would be much appreciated.

 

HTH.


Edited by whizzit, 16 May 2017 - 02:01 AM.



#2 quietman7

Posted 16 May 2017 - 06:10 AM

You could be dealing with a dual ransomware infection... reports of that occurring are not uncommon.

#3 xXToffeeXx

Posted 17 May 2017 - 05:58 AM

Hi whizzit,

 

I believe this is the broken version of Globe 1. They messed up their crypto implementation, so that not even they can restore your files.

 

xXToffeeXx~


#4 whizzit

Posted 18 May 2017 - 01:37 AM

Hey Guys,

 

It can't be the broken globe 1, as they were able to decrypt some of the files I sent them as proof they were able to decrypt. I don't see how they could decrypt the test files otherwise?

 

I don't think it's a dual infection either, as again the email in the ransom note and also in the file names all line up, along with the strange use of the .wallet extension.

There is no other sign of another infection, file or ransom note on the machine.

Thanks



#5 xXToffeeXx

Posted 18 May 2017 - 11:28 AM

Hi whizzit,

 

Actually, I checked the file pair and it seems like the encrypted file and unencrypted file are different versions, i.e. there are changes between files meaning that they aren't an exact file pair. Can you find another file pair for me please? :)

 

xXToffeeXx~


#6 whizzit

Posted 19 May 2017 - 09:17 AM

Hey Toffee,

 

Check here for some more examples. Sorry I only have a limited amount from the backup, hopefully this is enough.

 

Password: ZrFynY7B


#7 faccan

Posted 20 May 2017 - 11:44 AM

I have more files to compare if you need. I had been attacked by the same version [inter7a@tutanota.com].wallet

 

I think that Whizzit's files are not paired as they have different sizes.

 

Toffee, here you have a folder encrypted and its original version. I hope you or somebody could help us.

 

God bless you.

 

 
Password: ZZuWestQ

Edited by faccan, 20 May 2017 - 02:54 PM.
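A defender-side helper, added here as an example and not something posted in the thread: it recovers the original name from the ".[inter7a@tutanota.com].wallet" naming pattern described in #1, matches each encrypted file against a backup copy, and flags pairs whose sizes make them unlikely to be an exact file pair (the problem raised in #5 and #7 before sending samples for analysis). The 4096-byte overhead allowance is an assumed value, not a measured property of this ransomware.

```python
import re

# Naming pattern reported in the thread: the original name is kept and
# ".[<contact email>].wallet" is appended.
WALLET_RE = re.compile(r"^(?P<orig>.+)\.\[(?P<email>[^\]\s]+)\]\.wallet$", re.IGNORECASE)

# Maximum extra bytes an encrypted copy may carry (header/padding) before the
# pair is flagged. Assumed value, not taken from any sample.
MAX_OVERHEAD = 4096

def original_name(encrypted_name):
    """Recover (original name, contact email) from an encrypted file name, or None."""
    m = WALLET_RE.match(encrypted_name)
    return (m.group("orig"), m.group("email")) if m else None

def check_pair(enc_size, orig_size, max_overhead=MAX_OVERHEAD):
    """Plausibility verdict for one pair based on sizes alone."""
    if enc_size < orig_size:
        return "suspect: encrypted copy is smaller than the original"
    if enc_size - orig_size > max_overhead:
        return "suspect: size difference exceeds expected overhead"
    return "plausible"

def match_pairs(encrypted, originals, max_overhead=MAX_OVERHEAD):
    """encrypted / originals map file name -> size in bytes.
    Returns {encrypted name: (original name or None, verdict)}."""
    report = {}
    for enc_name, enc_size in encrypted.items():
        parsed = original_name(enc_name)
        if parsed is None:
            continue  # not renamed by this family (e.g. the ransom note); ignore
        orig, _email = parsed
        if orig not in originals:
            report[enc_name] = (None, "no original with this name in the backup")
            continue
        report[enc_name] = (orig, check_pair(enc_size, originals[orig], max_overhead))
    return report

if __name__ == "__main__":
    # Constructed sample sizes, not measurements from the thread's uploads.
    enc = {"GothamBold.otf.[inter7a@tutanota.com].wallet": 120_400,
           "notes.txt.[inter7a@tutanota.com].wallet": 900,
           "How to restore files.hta": 4_000}
    orig = {"GothamBold.otf": 120_000, "notes.txt": 1_500}
    for name, (o, verdict) in match_pairs(enc, orig).items():
        print(f"{name} <- {o}: {verdict}")
```

Only pairs reported as plausible are worth submitting; a suspect pair usually means the backup copy is a different revision of the file, as happened with the first upload in this thread.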


#8 whizzit

Posted 25 May 2017 - 06:08 AM

Hey Guys,

Did anyone have any more luck properly ID'ing this ransomware? I'd love to know if any of the existing decryptors can help.

 

Some good info here: http://ransomwarehunter.com/report.php?sha256=1724c3c593d9d006260096c7b6600acd601137774d30b607ed925817055cb99e

Thanks


Edited by whizzit, 25 May 2017 - 06:13 AM.


#9 xXToffeeXx

Posted 25 May 2017 - 11:49 AM

faccan wrote:

    I have more files to compare if you need. I had been attacked by the same version [inter7a@tutanota.com].wallet

    I think that Whizzit's files are not paired as they have different sizes.

    Toffee, here you have a folder encrypted and its original version. I hope you or somebody could help us.

    God bless you.

    Password: ZZuWestQ


Couldn't get a key for any of your files despite being a valid file pair. We will need the ransomware which caused the infection itself in that case.

 

whizzit, that's the sample of the broken globe file. Did that come from your system?

 

xXToffeeXx~

