ZERWIX DECRYPTOR (GlobeImposter variant)


This topic is locked
6 replies to this topic

#1 Araucano2010

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Location:Buenos Aires, Argentina
  • Local time:07:40 PM

Posted 02 February 2018 - 07:39 AM

Hi everyone,
 
On Jan 27th, an unprotected PC got hit by a ransomware that added the crypted_zerwix@airmail_cc extension to the encrypted files. It attacked mostly text files, AFAIK. The ransom note left in each folder is named how_to_back_files.html and the contents are:
 
Attention! All your files are encrypted.
 
Your documents, photos, databases and other important files have been encrypted cryptographically strong, without the original key recovery is impossible! To decrypt your files you need to buy the special software - 
 
"ZERWIX DECRYPTOR"
 
Using another tools could corrupt your files, in case of using third party software we dont give guarantees that full recovery is possible so use it on your own risk.
If you want to restore files, write us to the e-mail: 
 
zerwix@airmail.cc
 
In subject line write "encryption" and attach your personal ID in body of your message also attach to email 3 crypted files. (files have to be less than 10 MB)
It is in your interest to respond as soon as possible to ensure the recovery of your files, because we will not store your decryption keys on our server for a long time.
 
 
Your personal ID
 
< a bunch of hex digits>
 
Has anyone heard about this? I couldn't find anything in a Google search (besides a couple of websites that have also been hit, apparently, and have the ransom note in their root folder).
 
Best regards,
 
Miguel


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,606 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:40 PM

Posted 02 February 2018 - 07:56 AM

how_to_back_files.html is used by GlobeImposter but this looks like a new variant of Yoshikada Decryptor Ransomware which uses .crypted_yoshikada@cock_lu extension appended to the end of the encrypted data filename and the ransom note instructs the victim to buy special software - "YOSHIKADA DECRYPTOR" as explained here.

Can you submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware for assistance with identification and confirmation.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
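The two indicators the thread turns on, the how_to_back_files.html note name and the <name>@<domain>_<tld> style extension (.crypted_zerwix@airmail_cc, .crypted_yoshikada@cock_lu), are exactly what an incident responder would sweep a file share for before restoring from backup. The script below is an added example, not code from this thread, from BleepingComputer or from ID Ransomware: it walks a file listing, counts encrypted files, collects ransom notes and the contact addresses they carry (recovering the e-mail embedded in the extension as well), lists the affected directories to scope the restore, and applies the same heuristic quietman7 uses here (note name points at GlobeImposter; extension style alone is only a hint). The file listing and note text are constructed for the example; the family mapping is a triage hint, and samples should still go to ID Ransomware for confirmation as the thread advises.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Indicators taken from the thread: the ransom note name quietman7 attributes
# to GlobeImposter, and the "<name>@<domain>_<tld>" extension style seen on
# the Zerwix and Yoshikada files (the "." in the domain is replaced by "_").
NOTE_NAMES = {"how_to_back_files.html"}
CRYPTED_EXT = re.compile(
    r"\.crypted_(?P<user>[a-z0-9]+)@(?P<domain>[a-z0-9]+)_(?P<tld>[a-z]+)$", re.I
)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


@dataclass
class TriageReport:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    contact_emails: set = field(default_factory=set)
    extensions: Counter = field(default_factory=Counter)
    affected_dirs: set = field(default_factory=set)

    def candidate_family(self) -> str:
        # Same reasoning as the thread: the note name is the strong signal,
        # the extension style only corroborates it. Not a substitute for
        # uploading samples to ID Ransomware.
        if self.ransom_notes and self.extensions:
            return "GlobeImposter 2.0 (note name match, extension style consistent)"
        if self.ransom_notes:
            return "GlobeImposter (note name match)"
        if self.extensions:
            return "unknown, GlobeImposter-style extension"
        return "no indicators found"


def email_from_extension(m) -> str:
    """Turn '.crypted_zerwix@airmail_cc' back into 'zerwix@airmail.cc'."""
    return f"{m['user']}@{m['domain']}.{m['tld']}".lower()


def triage(files: dict) -> TriageReport:
    """files maps a path to the note text for ransom notes, None otherwise."""
    report = TriageReport()
    for path, content in files.items():
        p = PurePosixPath(path)
        m = CRYPTED_EXT.search(p.name)
        if m:
            report.encrypted_files.append(path)
            report.extensions[m.group(0).lower()] += 1
            report.contact_emails.add(email_from_extension(m))
            report.affected_dirs.add(str(p.parent))
        elif p.name.lower() in NOTE_NAMES:
            report.ransom_notes.append(path)
            report.affected_dirs.add(str(p.parent))
            if content:
                # Pull every address out of the note body; strip a trailing
                # period in case the note ends a sentence with the address.
                report.contact_emails.update(
                    e.lower().rstrip(".") for e in EMAIL_RE.findall(content)
                )
    return report


# Constructed listing for the example (not a real system): two encrypted
# documents, a note in each hit folder, and untouched files elsewhere.
SAMPLE_LISTING = {
    "/srv/docs/report.docx.crypted_zerwix@airmail_cc": None,
    "/srv/docs/notes.txt.crypted_zerwix@airmail_cc": None,
    "/srv/docs/how_to_back_files.html": (
        "Attention! All your files are encrypted. If you want to restore "
        "files, write us to the e-mail: zerwix@airmail.cc In subject line "
        "write \"encryption\" and attach your personal ID."
    ),
    "/srv/www/index.html": None,
    "/srv/www/how_to_back_files.html": "write us to the e-mail: zerwix@airmail.cc",
    "/home/miguel/photo.jpg": None,
}


if __name__ == "__main__":
    r = triage(SAMPLE_LISTING)
    print("candidate family :", r.candidate_family())
    print("encrypted files  :", len(r.encrypted_files))
    print("ransom notes     :", len(r.ransom_notes))
    print("extensions       :", dict(r.extensions))
    print("contact e-mails  :", sorted(r.contact_emails))
    print("affected dirs    :", sorted(r.affected_dirs))
```

Run it with the constructed listing and it reports two encrypted files under /srv/docs, two ransom notes, the single contact address zerwix@airmail.cc (found both in the note body and in the extension), and /srv/docs plus /srv/www as the directories to restore. Feeding a Yoshikada-style name such as x.pdf.crypted_yoshikada@cock_lu yields yoshikada@cock.lu the same way, which is the kind of artefact list ID Ransomware asks for.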

#3 Araucano2010
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Gender:Male
  • Location:Buenos Aires, Argentina
  • Local time:07:40 PM

Posted 02 February 2018 - 08:20 AM

Hi, I've just uploaded the samples and the ransom note to ID Ransomware. It gave back one result, GlobeImposter 2.0, but unfortunately, there is no way to decrypt at the moment. Fortunately, I have secure backups :)

 

Thanks for the assistance, and best regards

 

Miguel


Edited by Araucano2010, 02 February 2018 - 08:20 AM.


#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,606 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:40 PM

Posted 02 February 2018 - 08:26 AM

ID Ransomware recognized the ransom note name as belonging to GlobeImposter so that's why it gave you that result.

Unfortunately, there is no known method to decrypt files encrypted by all the latest versions of GlobeImposter 2.0 without paying the ransom. Restoring from backup is the best way to deal with either infection.



#5 Amigo-A

  • Members
  • 334 posts
  • OFFLINE
  • Gender:Male
  • Location:3st station from Sun
  • Local time:03:40 AM

Posted 02 February 2018 - 08:40 AM

 

this looks like a new variant of Yoshikada Decryptor Ransomware which uses .crypted_yoshikada@cock_lu extension appended to the end of the encrypted data filename and the ransom note instructs the victim to buy special software - "YOSHIKADA DECRYPTOR" as explained here.
 

Yes. 1-on-1

A new version of the crypto-ransomware, which I call Yoshikada.
There are no samples of this malware so that we can compare it and identify the "genes".
I added new visual samples to the block for updates.

Edited by Amigo-A, 02 February 2018 - 09:06 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Пострадали от шифровальщика? Сообщите мне здесь. 


#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,606 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:40 PM

Posted 02 February 2018 - 09:18 AM

That's a GlobeImposter 2.0 decrypter. This is definitely just another GlobeImposter variant, along with "Zerwix".

Post #9

#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,606 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:40 PM

Posted 02 February 2018 - 11:38 AM

Since the infection has been properly identified by Demonslay335 as GlobeImposter 2.0, all victims should refer to the below support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
