3 weeks ago our server was compromised by weak passwords and an open/non-standard RDP port. Compound that with a failed backup scheme which had not been checked for a while, and we have a worst-case scenario here.
The file extension for the encrypted files is PAYCYKA. ID Ransomware has identified this attack as a GlobeImposter 2.0 infection by the demand file named "how_to_back_files.html" (attached) and referenced a "[email protected]" email address. The initial ransom demand of 2 bitcoins was paid and we were provided a "dec.exe" file which failed to decrypt the encrypted files with a "HMAC check failed: wrong key, or file corrupted" error after each file. After further email exchanges with the crooks an additional 1.5 bitcoins were paid and another "dec.exe" file was provided that also failed to decrypt the files with the same error.
It appears we have found a dishonest variant of the ransomware crooks, but we still need to get our files decrypted if possible. My research shows no known decrypters for GlobeImposter 2.0.
I have attached the ransom demand file and the encryption executable (new.exe inside new.zip) as well as 2 pairs of encrypted/decrypted files. Any assistance that can be provided will be appreciated greatly!