I have come across a ransomware attack. Naturally their IT provider didn't have a fully thought-through backup system in place and now they are in all sorts of trouble. I've gone through the system and tried every trick I know to recover the critical files they need, but there is just no way to get the files back either off the computer or the backups, because the backups are all encrypted as well.
So this brings me here. I've ID'ed the ransomware as GlobeImposter 2.0, but the difficulty is that the decrypter you have does not work with this variation. The encrypted files all end in ..readme. The encrypted files all appear to be slightly larger in size, which is not consistent with the standard variation of GlobeImposter 2.0.
When run through the decrypter for 2.0, I get a dialog box saying "Reference files missing" followed by "Please drag and drop both and encrypted and unencrypted file onto the decrypter at the same time. Make sure the files are at least 65 kb in size." Given the files are 395Kb, the latter part of the message is not correct, but what does the "Reference files missing" part of the message mean?
I've attached a file pre-encryption and post-encryption. Hopefully this will assist in working out what this variation is using.
Any assistance would be greatly appreciated.
37 Maryland Water Bills.pdf
37 Maryland Water Bills.pdf..readme