Hesham

Infected with ransomware, please help


My server has had a ransomware attack (through RDP).

All valuable files now have the extension: [email protected]

I contacted the hacker and he decrypted one file. I tried globe, globe2 and globe3 with no luck.

Any advice here?

Attached are the decrypted, encrypted and .hta files.

[email protected]m

20A0BE19-CBA4-48CA-85DD-9064AE013785.xml

!!! READ THIS - IMPORTANT !!!.hta


Hi Hesham,

Looks like this is a new variant of ransomware; we will need a sample to analyse. You can check to see if there are any suspicious files left on the system.

Regards,

Sarah


Hi,

It seems I've got the same ransomware, at least the same ransom-note filename and the same suspicion of RDP, though the encrypted files' extension is different: "[email protected]_hu". Also, the encrypted files are 264 bytes longer than the originals.

I hope the encrypted/original pair will be helpful (attached).

I have my hopes high that your team will be able to come up with a remedy!


Best regards,

Alexei

vanmoonartech.mp3

[email protected]_hu
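The size difference Alexei reports (every encrypted file exactly 264 bytes longer than its original) is the kind of detail analysts use to match a sample against known families. The script below is an added example, not part of this thread or of any vendor tool: given an original/encrypted pair it reports the size delta, the entropy of both files, how many leading bytes were left untouched (partial encryption), whether the original content survives unchanged (renamed rather than encrypted), and the appended trailer bytes so they can be compared across several pairs. The sample pair is constructed inline from a throwaway SHA-256 keystream; it only mirrors the 264-byte delta and says nothing about the real malware's cipher.

```python
"""Triage an original/encrypted file pair left behind by ransomware.

Added example; the sample pair below is constructed with a throwaway
SHA-256 keystream and has nothing to do with the real malware's cipher.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class PairReport:
    original_size: int
    encrypted_size: int
    size_delta: int            # bytes added by the encryptor (264 in this thread)
    original_entropy: float    # Shannon entropy, bits per byte
    encrypted_entropy: float
    common_prefix: int         # leading bytes left untouched (0 = header encrypted too)
    original_preserved: bool   # True means renamed/appended only, not encrypted
    trailer_hex: str           # the appended bytes, for comparison across files


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; close to 8.0 for ciphertext, far lower for media or text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def common_prefix_length(a: bytes, b: bytes) -> int:
    """Length of the identical leading run, a cheap partial-encryption check."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def analyse_pair(original: bytes, encrypted: bytes) -> PairReport:
    delta = len(encrypted) - len(original)
    trailer = encrypted[len(original):] if delta > 0 else b""
    return PairReport(
        original_size=len(original),
        encrypted_size=len(encrypted),
        size_delta=delta,
        original_entropy=round(shannon_entropy(original), 3),
        encrypted_entropy=round(shannon_entropy(encrypted), 3),
        common_prefix=common_prefix_length(original, encrypted),
        original_preserved=encrypted.startswith(original),
        trailer_hex=trailer.hex(),
    )


def triage_notes(r: PairReport) -> list:
    """Plain-language hints for whoever is matching the sample against known families."""
    notes = []
    if r.original_preserved:
        notes.append("original content intact: file was renamed/appended, not encrypted")
    elif r.common_prefix >= 16:
        notes.append(f"first {r.common_prefix} bytes untouched: header-preserving partial encryption")
    if r.size_delta > 0:
        notes.append(f"fixed trailer of {r.size_delta} bytes appended: commonly per-file metadata "
                     "such as an encrypted file key; compare trailers across several pairs")
    if r.encrypted_entropy < 7.0:
        notes.append("low ciphertext entropy: weak or partial encryption, worth a closer look")
    return notes


def analyse_files(original_path: str, encrypted_path: str) -> PairReport:
    """Same report for two files on disk, e.g. the attached original/encrypted pair."""
    with open(original_path, "rb") as f_orig, open(encrypted_path, "rb") as f_enc:
        return analyse_pair(f_orig.read(), f_enc.read())


def _keystream(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random bytes for the constructed sample only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Constructed stand-in for the attached pair: a small "mp3-like" original and a
# fully scrambled copy with a 264-byte trailer, mirroring the size delta reported above.
SAMPLE_ORIGINAL = b"ID3\x03\x00" + b"The quick brown fox jumps over the lazy dog. " * 30
SAMPLE_ENCRYPTED = (
    bytes(p ^ k for p, k in zip(SAMPLE_ORIGINAL, _keystream(b"demo-body", len(SAMPLE_ORIGINAL))))
    + _keystream(b"demo-trailer", 264)
)


if __name__ == "__main__":
    report = analyse_pair(SAMPLE_ORIGINAL, SAMPLE_ENCRYPTED)
    print(report)
    for line in triage_notes(report):
        print("-", line)
```

Run it with `analyse_files("vanmoonartech.mp3", "<encrypted copy>")` on a real pair; a trailer that is identical across files usually points at a static marker, while one that differs per file is more likely an encrypted per-file key, which is worth noting when describing the sample to whoever analyses it.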


Hi Alexei,

Yes, the attacker connects to the machine via RDP, so securing it is important.

As I said above, we need a sample of this ransomware.

Regards,

Sarah


Sarah,

I attached the original/encrypted file pair to my first message. If your research would benefit from more samples, then please let me know the preferred file size range for uploads.

Thanks,

Alexei


I ran a few antivirus programs, but they couldn't find any traces of the malware itself. Looks like the malware creators were afraid of reverse engineering and made the virus delete itself after completing the encryption.

My post on the Bleeping Computer message board was fruitless as well, so it looks like this strain is not going to be decryptable in the near future, and I am left with the only option of reformatting the drive and reinstalling the system :(

By the way, one more detail: the ransom note .hta title is "Globe", but it might be just a spoof and not a new version of Globe.


Hi Alexei,

I believe that the author may have copied the note, which is really rather annoying for us. You are best backing up the encrypted files and then waiting for a possible solution.

Regards,

Sarah
