
Paid ransom on .726 encryption, only a few files were decrypted


This topic is locked
7 replies to this topic

#1 bobua
  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:24 PM

Posted 10 August 2017 - 02:07 PM

The attackers' 'support' sent me a decryptor.exe file to run after paying the ransom. It unlocked about 20 files and then said decryption complete. Subsequent runs showed no files being unlocked, and an immediate decryption complete. They sent me a couple more decryptor.exe files before finally giving up and ghosting me.

I've tried running the decryptor from different PCs (with access to the same network drive), as admin, and from different folders, all with the same result. Is there a chance the decryption key can be extracted from decryptor.exe and manually used on the files? Any other avenues?

My Recover-files-726.html file looks like this, and encrypted files end in a .726 extension. I also tried Trend Micro's decryptor while choosing the GlobeImposter setting, assuming that was correct.

Your files are Encrypted!
For data recovery needs decryptor.
If you want to buy a decryptor, click the button
Yes, I want to buy
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
To send a message or file use this link.
( If you send a file for free decryption, also send file RECOVER-FILES.HTML )
Support
And finally, if you can not contact, follow these two steps:
1. Install the TOP Browser from this link:
torproject.org
Then open this link in the TOP browser: support
 




#2 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,561 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:24 PM

Posted 10 August 2017 - 03:39 PM

The TrendMicro decrypter is for the first variant of GlobeImposter (which was decryptable). I think they may have made changes in 2.0, so that wouldn't work.

 

Can you zip up some encrypted files, your ransom note, and everything the criminals gave you, and submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

The criminals for this ransomware apparently have very buggy decrypters.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 bobua
  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:24 PM

Posted 10 August 2017 - 03:45 PM

Done



#4 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,561 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:24 PM

Posted 10 August 2017 - 04:39 PM

One of the files you submitted has extensions ".docx.725..726". That means you were hit twice by two different versions of the malware. That probably explains why some files don't decrypt, because they were encrypted by a second, different key (from a different actor possibly).




#5 bobua
  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:24 PM

Posted 10 August 2017 - 04:51 PM

I was suspicious of that, which is why I specifically included that file. The decrypter did seem to decrypt a few files and then complain about corruption; however, it never even attempted to decrypt thousands of others.

I was hoping the decrypter uses some other method of finding encrypted files besides just searching for file extensions, like a registry entry or a mapping file somewhere. At worst, I was hoping the encryption algorithm would be some standard and the key extractable from the exe.



#6 Demonslay335
    Ransomware Hunter
  • Security Colleague
  • 3,561 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:07:24 PM

Posted 10 August 2017 - 04:57 PM

The encryption routine would be the same, but the key would not be. I haven't worked with GlobeImposter's internals much myself, but I can tell all three of the decrypters provided (two are the exact same hash), they all are configured for the .725 extension. So you would have to pay a separate criminal for the key for the ..726 layer.


Edited by Demonslay335, 10 August 2017 - 04:58 PM.

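Posts #4 and #6 above make a point worth checking mechanically before any decrypter is run: a file named like ".docx.725..726" carries two encryption layers, and a decrypter built for ".725" will skip or mangle anything whose outermost layer is "..726". The following triage script is an added example, not code from this thread or from any vendor or criminal decrypter. It assumes the two markers named in the thread (".725" and "..726") and a constructed file listing; adapt MARKERS to whatever extensions you actually see.

```python
"""
Triage helper: inventory ransomware extension layers in a file listing
so you know which layer is outermost before running any decrypter.

Added example; not code from the thread. MARKERS and SAMPLE are
assumptions drawn from the thread's description, not an authoritative
list of GlobeImposter extensions.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Markers ordered longest first so "..726" is matched before ".726".
MARKERS = ("..726", ".726", ".725")


def peel_layers(name: str) -> Tuple[str, List[str]]:
    """Strip known ransomware markers from the end of a filename.

    Returns (original_name, layers), with layers listed in the order they
    were applied (innermost first), e.g.
    "report.docx.725..726" -> ("report.docx", ["725", "726"]).
    """
    layers: List[str] = []
    changed = True
    while changed:
        changed = False
        for marker in MARKERS:
            if name.endswith(marker):
                name = name[: -len(marker)]
                layers.append(marker.lstrip("."))
                changed = True
                break  # re-scan from the new end of the name
    layers.reverse()  # outermost marker was peeled first; report innermost first
    return name, layers


def summarize(names: List[str]) -> Dict[str, int]:
    """Count files per layer combination ("725", "725+726", "clean", ...)."""
    counts: Counter = Counter()
    for n in names:
        _, layers = peel_layers(n)
        counts["+".join(layers) if layers else "clean"] += 1
    return dict(counts)


def needs_other_key(name: str, decrypter_ext: str) -> bool:
    """True when the outermost layer is not the one the decrypter handles.

    A decrypter configured for ".725" only recognises that marker; a file
    whose outermost layer is "726" needs the other key applied first.
    """
    _, layers = peel_layers(name)
    return bool(layers) and layers[-1] != decrypter_ext.lstrip(".")


# Constructed sample listing (not taken from the thread).
SAMPLE = [
    "budget.xlsx.725",          # single layer, decryptable with the .725 key
    "report.docx.725..726",     # hit twice: .725 first, then ..726 on top
    "photo.jpg..726",           # only the second actor's layer
    "readme.txt",               # untouched
    "RECOVER-FILES-726.html",   # ransom note, not an encrypted file
]

if __name__ == "__main__":
    for n in SAMPLE:
        original, layers = peel_layers(n)
        print(f"{n:28} -> {original:22} layers={layers} "
              f"other key needed={needs_other_key(n, '725')}")
    print(summarize(SAMPLE))
```

Run it against a real listing (for example the output of a recursive directory walk on the affected share) and the summary tells you how many files each decrypter could possibly touch; anything counted under "725+726" will only decrypt after the outer "726" layer has been removed, which matches what the thread observed.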


#7 bobua
  • Topic Starter
  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:24 PM

Posted 10 August 2017 - 09:33 PM

> The encryption routine would be the same, but the key would not be. I haven't worked with GlobeImposter's internals much myself, but I can tell all three of the decrypters provided (two are the exact same hash), they all are configured for the .725 extension. So you would have to pay a separate criminal for the key for the ..726 layer.

Damn, the 'other criminal' didn't finish or leave a decryption instruction file :(



#8 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,751 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:24 PM

Posted 11 August 2017 - 05:24 AM

Since the infection has been identified, rather than have everyone with individual topics, it would be best (and more manageable for staff) if victims posted any more questions, comments or requests for assistance in the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here



