[files4463@tuta.io] - !ReadMe_To_Decrypt_Files!.rtf


This topic is locked. 15 replies to this topic.

#1 gary_attfield

  • Members
  • 5 posts
  • Gender:Male

Posted 21 February 2018 - 12:27 PM

Hi Everyone,
 
We have been infected with ransomware and would appreciate any help.
 
ID Ransomware says that it is Globe3 and is decryptable, however the Globe3 decryption tool doesn't fix it.
 
Cause of infection: RDP exploited, unfortunately the source PC was wiped pretty quickly so I cannot investigate that part of it.
 
We have restored the main bulk of data, however there is some archived data on a NAS that has been affected.
 
Files are completely renamed, see below for example.
 
0aYB3JUZ-J6F1GGW4.[files4463@tuta.io]
0GwvpET0-GQIZZrfG.[files4463@tuta.io]
 
The read me file is named !ReadMe_To_Decrypt_Files!.rtf and looks like this.
 

WHAT HAPPENED WITH YOUR FILES?
Your documents, databases, backups, network folders and other important files are encrypted with RSA-2048 and AES-128 ciphers.
More information about the RSA and AES can be found here:
http://en.wikipedia.org/wiki/RSA_(cryptosystem)
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
It means that you will not be able to access them anymore until they are decrypted with your personal decryption key! Without your personal key and special software data recovery is impossible! If you will follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
If you want to restore your files, please write us to the e-mails:

files4463@tuta.io
files4463@protonmail.ch
files4463@gmail.com

In subject line of your message write your personal ID:

[redacted]

We recommend you to send your message TO EACH OF OUR 3 EMAILS, due to the fact that the message may not reach their intended recipient for a variety of reasons!
Please, write us in English or use professional translator!
If you want to restore your files, you have to pay for decryption in Bitcoins. The price depends on how fast you write to us.

Your message will be as confirmation you are ready to pay for decryption key. After the payment you will get the decryption tool with instructions that will decrypt all your files including network folders.
To confirm that we can decrypt your files you can send us up to 3 files for free decryption. Please note that files for free decryption must NOT contain any valuable information and their total size must be less than 5Mb.
You have to respond as soon as possible to ensure the restoration of your files, because we wont keep your decryption keys at our server more than one week in interest of our security.
Note that all the attempts of decryption by yourself or using third party tools will result only in irrevocable loss of your data.

If you did not receive the answer from the aforecited emails for more then 6 hours, please check SPAM folder!
If you did not receive the answer from the aforecited emails for more then 12 hours, please try to send your message with another email service!
If you did not receive the answer from the aforecited emails for more then 24 hours (even if you have previously received answer from us), please try to send your message with another email service to each of our 3 emails!
And don't forget to check SPAM folder!ZD0oQhJ




#2 Amigo-A

  • Members
  • 507 posts
  • Gender:Male
  • Location:3rd station from Sun

Posted 21 February 2018 - 01:35 PM

Very similar to the notes that are used in a malicious campaign that distributes Matrix Ransomware.

See the one from December 25, 2017. There are differences, but the main points are similar.

I have already added this case to the 'BLOCK OF UPDATES' of my article.
Let's wait and see what the experts say.

Edited by Amigo-A, 21 February 2018 - 01:49 PM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Знаете русский язык? Пишите мне на русском. Помогу. 


#3 Demonslay335
Ransomware Hunter

  • Security Colleague
  • 3,492 posts
  • Gender:Male
  • Location:USA

Posted 21 February 2018 - 01:54 PM

Hmm, not sure on this one. It does match by custom rule, which should be pretty accurate. I don't believe Globe3 has really been distributed for a long time.

 

Can you provide an encrypted file and its original? I know it's probably hard to find an original based on filename, but the filesize will be the same, and files are only encrypted up to about 65MB, so you can check after that to match contents in a hex editor.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
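The check suggested above, as an added example that is not code from this thread or from any of the tools linked in it: pair a renamed file with a candidate original by size (which the renaming leaves unchanged), then compare the bytes past the roughly 65MB encrypted prefix. The 8-8 filename split and the exact prefix length are assumptions taken from this thread; the sample data at the bottom is constructed.

```python
import re

# Filename pattern from the first post: <8 chars>-<8 chars>.[email]
# (assumption: the 8/8 split is taken from the three examples given and may vary)
RENAMED_RE = re.compile(r"^[A-Za-z0-9]{8}-[A-Za-z0-9]{8}\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]$")

# The thread says files are encrypted "up to about 65MB"; treat that as approximate.
ENCRYPTED_PREFIX = 65 * 1024 * 1024

def is_renamed(name):
    """Return the contact e-mail from a renamed file, or None if the name does not match."""
    m = RENAMED_RE.match(name)
    return m.group("email") if m else None

def tail_matches(encrypted, original, prefix=ENCRYPTED_PREFIX, margin=4096):
    """True if both blobs have the same size and identical bytes past the encrypted prefix.
    A file no longer than the prefix is encrypted in full, so there is nothing to compare;
    the comparison starts a little past the prefix because the cut-off is approximate."""
    if len(encrypted) != len(original) or len(original) <= prefix:
        return False
    start = prefix + min(margin, (len(original) - prefix) // 2)
    return encrypted[start:] == original[start:]

def pair_with_originals(encrypted, originals, prefix=ENCRYPTED_PREFIX):
    """Map each renamed file to the original whose size and tail bytes match.
    Both arguments are {name: bytes}; size is the first filter because the
    renaming and encryption seen here leave the file size unchanged."""
    by_size = {}
    for name, data in originals.items():
        by_size.setdefault(len(data), []).append(name)
    pairs = {}
    for name, data in encrypted.items():
        if is_renamed(name) is None:
            continue  # ransom notes and untouched files are skipped
        for candidate in by_size.get(len(data), []):
            if tail_matches(data, originals[candidate], prefix):
                pairs[name] = candidate
                break
    return pairs

if __name__ == "__main__":
    # Constructed sample: a 1 KiB "document" whose first 64 bytes are scrambled,
    # compared with a tiny prefix so the demo runs instantly.
    orig = bytes(range(256)) * 4
    enc = bytes(b ^ 0x5A for b in orig[:64]) + orig[64:]
    originals = {"photo.jpg": orig[::-1], "report.docx": orig}
    encrypted = {"0aYB3JUZ-J6F1GGW4.[files4463@tuta.io]": enc,
                 "!ReadMe_To_Decrypt_Files!.rtf": b"ransom note text"}
    print(pair_with_originals(encrypted, originals, prefix=64))
```

On real data, read the candidate files with `open(path, "rb").read()` into the two dictionaries; the size filter means only same-sized originals are ever compared byte for byte.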


#4 Amigo-A

  • Members
  • 507 posts
  • Gender:Male
  • Location:3rd station from Sun

Posted 22 February 2018 - 01:32 AM

I noticed that at the end of the quoted text about ransom there are hidden signs. ZD0oQhJ
See the picture.
 
Screenshot_1.png

Edited by Amigo-A, 22 February 2018 - 01:40 AM.



#5 gary_attfield (Topic Starter)

  • Members
  • 5 posts
  • Gender:Male

Posted 22 February 2018 - 04:04 AM

Thanks guys. Here's a link to an encrypted file and its original.

 

https://drive.google.com/open?id=18x5y34rNaa6cXQYqOGXh23LKYnNklbDO


Edited by gary_attfield, 22 February 2018 - 08:28 AM.


#6 Amigo-A

  • Members
  • 507 posts
  • Gender:Male
  • Location:3rd station from Sun

Posted 22 February 2018 - 11:00 AM

gary_attfield :)

To somehow help the experts, you need to provide a serious file: a photo or a Word document.

It can be found on a flash drive, in the mail 'sent' folders or on another disk.




#7 gary_attfield (Topic Starter)

  • Members
  • 5 posts
  • Gender:Male

Posted 22 February 2018 - 11:12 AM

gary_attfield :)

To somehow help the experts, you need to provide a serious file: a photo or a Word document.

It can be found on a flash drive, in the mail 'sent' folders or on another disk.

OK, I've updated the files.



#8 fabioalex

  • Members
  • 3 posts

Posted 22 February 2018 - 06:00 PM

Hello,

I can help too, I was a victim of this ransomware too.



#9 fabioalex

  • Members
  • 3 posts

Posted 22 February 2018 - 06:01 PM

I can provide files, and the decryptor program too, for someone to study if it is possible to help.



#10 quietman7
Bleepin' Janitor

  • Global Moderator
  • 51,391 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 22 February 2018 - 06:10 PM

If you have a working decrypter, you can zip and submit it here with a link to this topic along with a few encrypted files.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#11 fabioalex

  • Members
  • 3 posts

Posted 22 February 2018 - 06:23 PM

Download decrypter here:

https://ufile.io/u18jn

(I have the decryptor and a file with ID and key.)


Edited by fabioalex, 22 February 2018 - 06:27 PM.


#12 gary_attfield (Topic Starter)

  • Members
  • 5 posts
  • Gender:Male

Posted 23 February 2018 - 05:24 AM

I've run the decrypter and it tells me I need 4 keys and has listed the keys; one of the keys is the "personal ID" the ransomers told me to put in the subject line of the email I was to send them.



#13 gary_attfield (Topic Starter)

  • Members
  • 5 posts
  • Gender:Male

Posted 23 February 2018 - 05:52 AM

If you have a working decrypter, you can zip and submit it here with a link to this topic along with a few encrypted files.

 

I have just submitted the files requested.



#14 hbtzero

  • Members
  • 1 posts

Posted 04 April 2018 - 01:21 PM

Hello. I live in Brazil.

Can someone help me? I have the same problem.

Thanks



#15 quietman7
Bleepin' Janitor

  • Global Moderator
  • 51,391 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 04 April 2018 - 02:16 PM

Still no definitive information on this infection that I am aware of. As is typical with new ransomware reports, a Google search yields numerous references to bogus and untrustworthy removal guides with a lot of misinformation that all victims should avoid or ignore.