Once again, Fabian Wosar of Emsisoft has come to the rescue and released a decrypter for version 3 of the Globe Ransomware. This decryptor will decrypt the Globe Ransomware variants that commonly append the .decrypt2017 and .hnumkhotep extensions to encrypted files. This ransomware will also display a ransom note similar to the one below.
In order to use this decrypter you will need to have an encrypted file and the same file in its unencrypted form. Using these two files, the decrypter can then determine the decryption key and recover your files. Instructions on how to use the decrypter can be found below.
If you are infected with this malware, simply download decrypt_Globe3.exe from the following link and save it on your desktop:
In order to find your decryption key, you need to drag an encrypted file and an unencrypted version of the same file onto the decrypt_Globe3.exe icon at the same time. So you would select both the encrypted and unencrypted version of a file and drag them both onto the executable. When trying to find a pair of files to use with the decryptor, you can use the sample pictures found in the C:\Users\Public\Pictures\Sample Pictures folder. Just look at the file sizes and pick an unencrypted sample picture and an encrypted sample picture that have the same size.
Once the key is discovered that was used to encrypt this pair of files, the same key can then be used to decrypt ALL other files on your computer.
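The size comparison described above can be scripted when there are many files to look through. The following is an added example, not part of the decrypter or of the original article. It assumes you have a separate folder of known-good originals (for example a backup, or the Sample Pictures folder copied from a clean machine), and its file-name comparison assumes the encrypted name is the original name plus the extension, which may not hold for every variant.

```python
import os
import sys
from collections import defaultdict

# Extensions this page attributes to Globe version 3 variants.
GLOBE3_EXTENSIONS = (".decrypt2017", ".hnumkhotep")

def globe3_ext(path):
    """Return the Globe3 extension a path ends with, or None."""
    lower = path.lower()
    return next((e for e in GLOBE3_EXTENSIONS if lower.endswith(e)), None)

def index_by_size(folder):
    """Map file size in bytes -> list of file paths found under folder."""
    sizes = defaultdict(list)
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            try:
                sizes[os.path.getsize(path)].append(path)
            except OSError:
                continue  # unreadable or vanished file: skip it
    return sizes

def find_candidate_pairs(encrypted_dir, reference_dir):
    """Return (encrypted, original, name_match) tuples with equal file sizes.

    reference_dir is an assumption: a folder of known-good originals.
    """
    originals = index_by_size(reference_dir)
    pairs = []
    for size, paths in index_by_size(encrypted_dir).items():
        for enc in paths:
            ext = globe3_ext(enc)
            if size == 0 or ext is None:
                continue  # empty file, or not an extension named on this page
            stem = os.path.basename(enc)[: -len(ext)].lower()
            for orig in originals.get(size, []):
                if globe3_ext(orig):
                    continue  # an encrypted file cannot serve as the original
                pairs.append((enc, orig, os.path.basename(orig).lower() == stem))
    # Pairs whose names also match are listed first, as the strongest candidates.
    pairs.sort(key=lambda p: (not p[2], p[0], p[1]))
    return pairs

if __name__ == "__main__":
    for enc, orig, same_name in find_candidate_pairs(sys.argv[1], sys.argv[2]):
        print("name+size" if same_name else "size only", enc, "<->", orig)
```

Run it with the folder of encrypted files as the first argument and the folder of originals as the second. A "size only" match is just a candidate, so confirm by eye that the two files are the same picture before using them.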
To show what I mean about dragging both files at the same time, see the animated picture below. To create the key, I created a folder that contains an encrypted PNG file, an unencrypted version of the same file, and the decrypt_Globe3.exe program. I then dragged both the regular PNG file and the encrypted one onto the executable at the same time.
When the program starts, you will be presented with a UAC prompt as shown below. Please click on the Yes button to proceed.
The decrypter will start to brute force the decryption key. This can take quite a while, so please be patient.
When a key has been successfully brute forced, the decrypter will display it in a new window like the one below.
To start decrypting your files with this key, please click on the OK button. You will then be presented with a license agreement that you must click on Yes to continue. You will now see the main Decrypter screen that displays a list of drives that will be decrypted. If there are any drive letters missing, please manually add them by clicking on the Add Folder button.
Once you have added all the folders you wish to decrypt, click on the Decrypt button to begin the decryption process. Once you click Decrypt, the program will decrypt all the encrypted files and display the decryption status in a results screen like the one below.
When it has finished, the Results tab will state Finished and all of your files should now be decrypted. If you need help getting this decrypter to work, please ask in our Globe Ransomware Support Topic.