Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


GlobeImposter 2.0 - .FORESTGUST extension - sambuka_star

  • This topic is locked This topic is locked
3 replies to this topic

#1 musk1979


  • Members
  • 2 posts
  • Local time:01:16 AM

Posted 01 August 2018 - 12:41 PM

I was a victim of Ransomware,

all files have been encrypted,

an extension was added to them: ..FORESTGUST

and a file was added to each of the catalogs: how_to_back_files.html



YOUR PERSONAL ID        72 45 BE A1 48 12 FE C6 8E BF 80 92 54 68 B1 E1 06 97 36 17 D6 DA BE 4B 40 34 30 52 98 3E B0 78 2C 22 A1 E5 22 8E E6 67 63 02 5C 8E E9 24 63 3E 34 9A 0E 50 DB 82 D6 A6 A6 37 CB 6A 35 05 70 AF 20 26 FD A5 4F 0E 76 A6 72 D8 D0 69 3F 6D 1D F2 0F C4 05 56 3C D6 72 3F 28 1D 04 CE DE 2E 14 09 B8 0D BC 3B C6 FF 7D B8 38 57 5D C8 EE F3 2F 2F BC 51 F7 D8 E8 F4 87 F2 53 E4 FF F1 3C E5 33 54 6C CC 8D 0F D4 F0 13 4B D7 7A E9 59 90 B2 80 87 0B 91 79 2C EE F0 DE F3 67 E1 5A B8 6F D8 9F 36 39 0F 31 17 5D 8F 39 B9 FA A7 49 75 16 0C 26 EC 7C 51 BE 54 35 5D 2E D9 92 D3 2B 5E C9 23 F7 EC 08 D9 26 5C 69 51 20 D1 E3 F4 4A D5 07 60 C2 40 C5 53 2F 87 F7 93 A8 72 E3 6E 98 60 9A 11 30 F8 D8 BA 57 DC D9 ED A4 AD CB 5C CF 9C 19 FC 19 FC 13 B6 31 DF B9 51 A6 FC 1B 1D 9B 5C B9 2D ED E9        ENGLISH ☠ YOUR FILES ARE ENCRYPTED! ☠ TO DECRYPT, FOLLOW THE INSTRUCTIONS BELOW. To recover data you need decryptor. To get the decryptor you should: Send 1 crypted test image or text file to sambuka_star@aol.com (Or alternate mail sambuka_star@india.com) In the letter include your personal ID (look at the beginning of this document). We will give you the decryption file. After payment, we have the decoder. MOST IMPORTANT !!! We are ready to work through intermediaries and guarantors. Only sambuka_star proof can decrypt your files. Antivirus programs can delete this document and can not contact us later. Attempts to self-decrypting files will result in the loss of your data. Decoders other users are not compatible with your data.








at https://id-ransomware.malwarehunterteam.com I received this message:



GlobeImposter 2.0  


This ransomware has no known way of decrypting at this time. It is recommended to backup your encrypted files, and hope for a solution in the future. Identified by ransomnote_filename: how_to_back_files.html ransomnote_email: sambuka_star@india.com sample_extension: .FORESTGUST custom_rule: victim ID in encrypted file Click here for more information about GlobeImposter 2.0



Does this mean that I can not count on recovering files?

BC AdBot (Login to Remove)


#2 musk1979

  • Topic Starter

  • Members
  • 2 posts
  • Local time:01:16 AM

Posted 01 August 2018 - 12:44 PM

file with info: https://www.dropbox.com/s/gegbtr2sau0jd0j/how_to_back_files.html?dl=0

#3 cybercynic


  • Members
  • 560 posts
  • Gender:Male
  • Location:Edge Of Tomorrow
  • Local time:07:16 PM

Posted 01 August 2018 - 03:30 PM



"Does this mean that I can not count on recovering files?"


Yes.it is not known when or if a method will be devised to decrypt the files. The only way currently to get your files decrypted is to pay the extortionists, and this doesn't always work.

Sometimes they do nothing after you pay, sometimes they send you a faulty decrypter. Best to backup the encripted files and HOPE for a future solution (but don't count on it).

We are drowning in information - and starving for wisdom.

#4 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,935 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:16 PM

Posted 01 August 2018 - 06:24 PM

Unfortunately, there is no known method to decrypt files encrypted by all the latest versions of GlobeImposter 2.0 without paying the ransom. If possible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time. Ignore all Google searches which provide links to bogus and untrustworthy removal/decryption guides.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections.

When or if a decryption solution is found, that information will be provided in that support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the Bleeping Computer front page.

To avoid unnecessary confusion, this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users