CSRTech

Member

  1. Not to mention they didn't even work on the PC they were supposed to work on. Incompetent Crooks!
  2. DEC.exe was the first; DEC1.exe was the second (original name was also DEC.exe).
     Attachments: dec.exe, dec1.exe
  3. Three weeks ago our server was compromised by weak passwords and an open, non-standard RDP port. Compound that with a failed backup scheme which had not been checked for a while and we have a worst-case scenario here.

     The file extension for the encrypted files is PAYCYKA. ID Ransomware has identified this attack as a GlobeImposter 2.0 infection by the demand file named "how_to_back_files.html" (attached) and referenced a "[email protected]" email address.

     The initial ransom demand of 2 bitcoins was paid and we were provided a "dec.exe" file which failed to decrypt the encrypted files with a "HMAC check failed: wrong key, or file corrupted" error after each file. After further email exchanges with the crooks an additional 1.5 bitcoins were paid and another "dec.exe" file was provided that also failed to decrypt the files with the same error. It appears we have found a dishonest variant of the ransomware crooks, but we still need to get our files decrypted if possible. My research shows no known decrypters for GlobeImposter 2.0.

     I have attached the ransom demand file and the encryption executable (new.exe inside new.zip) as well as 2 pairs of encrypted/decrypted files. Any assistance that can be provided will be appreciated greatly!

     Attachments: how_to_back_files.html, LICENSE.txt, LICENSE.txt.paycyka, new.zip, VERSION.VER, VERSION.VER.paycyka
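The "HMAC check failed: wrong key, or file corrupted" message in the post above is what an encrypt-then-MAC file format produces when the decryptor is handed the wrong key: the tag is checked before any ciphertext is decrypted, so a bad key fails closed instead of writing garbage. The block below is an added illustration of that behaviour and is not code from the poster, from GlobeImposter, or from its decryptor; the container layout (the constructed EXMPL1 tag, nonce and tag sizes) and the HMAC-based toy stream cipher are assumptions chosen to keep the example dependency-free, and they say nothing about how the real ransomware formats files.

```python
import hashlib
import hmac
import os

MAGIC = b"EXMPL1"   # constructed container tag for this example, not a real ransomware header
NONCE_LEN = 16
TAG_LEN = 32        # HMAC-SHA256 digest length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: HMAC-SHA256(key, nonce || counter) blocks.
    Stand-in for the block cipher a real encryptor would use; not for production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _split_keys(master: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one master key."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: MAGIC || nonce || ciphertext || HMAC(MAGIC || nonce || ciphertext)."""
    enc_key, mac_key = _split_keys(master)
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    body = MAGIC + nonce + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext. A wrong master key yields a
    different MAC key, so the tag never matches and nothing is decrypted."""
    if len(blob) < len(MAGIC) + NONCE_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an EXMPL1 container")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _split_keys(master)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # Same wording as the decryptor in the post: the check cannot tell a wrong
        # key from a corrupted file, because both change the tag comparison.
        raise ValueError("HMAC check failed: wrong key, or file corrupted")
    nonce = body[len(MAGIC):len(MAGIC) + NONCE_LEN]
    ciphertext = body[len(MAGIC) + NONCE_LEN:]
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def try_decrypt(master: bytes, blob: bytes) -> str:
    """Report the outcome the way a user watching decryptor output would see it."""
    try:
        decrypt(master, blob)
        return "ok"
    except ValueError as e:
        return str(e)


def demo() -> dict:
    # Constructed sample standing in for a victim file such as LICENSE.txt.
    plaintext = b"Copyright (c) example. Permission is hereby granted...\n"
    right_key = os.urandom(32)
    wrong_key = os.urandom(32)
    blob = encrypt(right_key, plaintext)
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])   # flip one bit of the tag
    return {
        "roundtrip_ok": decrypt(right_key, blob) == plaintext,
        "wrong_key": try_decrypt(wrong_key, blob),
        "corrupted": try_decrypt(right_key, tampered),
        "overhead_bytes": len(blob) - len(plaintext),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical reading for a victim is that a decryptor which reports an HMAC failure on every file, with the original ciphertext untouched, has been given a key that does not belong to those files; rerunning it with the same key will never succeed, and the encrypted copies should be preserved unmodified in case a working key or decrypter appears later.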