About PhrozeNChaos

  1. That is exactly what I noticed when I edited the file using a hex editor. Hopefully there is some way to decrypt using this "key". I have taken my archive drive offline in hopes of this. Also, other people infected with this type of infection should probably look out for a similar file. Once again, I was infected through RDP, which means the intruder was interactively in my PC and could have left items behind. @GT500 Will keep note of that. Started burning very personal items to BD-R. Takes longer but better for archival.
  2. I have archived both items, the ransom letter with the personal encryption key and the file I found. Update: I realized the virus locked one of my archive drives which had no backups.
  3. New user here, hello everyone. I was recently infected with a variant of GlobeImposter 2.0, which appends "[email protected]" on documents. I do have backups and was trying to determine how this ransomware works, and after some sector scanning on my hard drive, I noticed a non-encrypted file in my "%systemroot%\Users\Public" folder. The file was created about an hour before the attackers ran the ransomware. Please also note the attackers used RDP to get into my PC. It does not appear to be a Win32 executable, as I opened it read-only with a hex editor to inspect. I found that this file contains my encryption key in addition to other data within the hex editor. Does anyone have any idea what this file is? It's 2kb in size as well. I have attached it to this message, not sure if the forum will let me. C4D0FA878011A9B5952DFC0CD4C66EBA6BE88DDF030EAAEA064F0F332A544D0D