GlobeImposter 2.0 Infection

[CSRTech 0]

3 weeks ago our Server was compromised by weak passwords and an open/non-standard RDP port.  Compound that with a failed backup scheme which had not been checked for a while and we have a worst case scenario here. 

The file extension for the encrypted files is PAYCYKA.  ID Ransomware has identified this attack as a GlobeImposter 2.0  infection by the demand file named "how_to_back_files.html" (attached) and referenced a "[email protected]" email address.  The initial ransom demand of 2 bitcoins was paid and we were provided a "dec.exe" file which failed to decrypt the encrypted files with a "HMAC check failed: wrong key, or file corrupted" error after each file.  After further email exchanges with the crooks an additional 1.5 bitcoins were paid and another "dec.exe" file was provided that also failed to decrypt the files with the same error.

It appears we have found a dishonest variant of the ransomware crooks but we still need to get our files decrypted if possible.  My research shows no known decrypters for GlobeImposter 2.0.

I have attached the ransom demand file and the encryption executable (new.exe inside new.zip) as well as 2 pairs of encrypted/decrypted files.  Any assistance that can be provided will be appreciated greatly!

 

 

how_to_back_files.html

LICENSE.txt

LICENSE.txt.paycyka

new.zip

VERSION.VER

VERSION.VER.paycyka

[Fabian Wosar 390]

Can you send the decrypter executables that you got from the crooks?

[CSRTech 0]

DEC.exe was the first; DEC1.exe was the second (original name was also DEC.exe)

dec.exe

dec1.exe

[rrr 0]

On ‎5‎/‎11‎/‎2017 at 2:58 PM, CSRTech said:

 

 

[rrr 0]

We have the same, is there a solution for this?

 

[CSRTech 0]

Not that I have found.

[nitop 0]

Are there any information available which way Globeimposter 2.0 is using to get active?

I read about a possiblity after RDP login attacks. A system in our datacenter, which is affected by GlobeImposter 2.0, is only available trough an VPN tunnel to the customer and directly via NAT from our office location. Our local network has been scanned without any infection found. Although i guess more systems in our datacenter would be affected, if our office network were irrupted.

The affected system is a windows server 2012 R2, which was 99% up2date and used for remote desktop services. The ransomware started crypting files this monday (19th June).

Only on Windows update was missing (KB4022726 montly rollup). The update was released on 9th June and got installed on 14th, so we have just a time frame of five days not running with the most recent windows updates. 

CollectStrategy.host

CollectStrategy.host.FIXI

DeviceModel.host

DeviceModel.host.FIXI

how_to_back_files.html

[rodvelcar 0]

On 11/5/2017 at 4:58 PM, CSRTech said:

DEC.exe was the first; DEC1.exe was the second (original name was also DEC.exe)

dec.exe

dec1.exe

can i got the files ?

[GT500 823]

22 hours ago, rodvelcar said:

can i got the files ?

If it was possible for the decryption tool to work on other computers, then someone would have released a free decrypter.

[CSRTech 0]

10 hours ago, GT500 said:

If it was possible for the decryption tool to work on other computers, then someone would have released a free decrypter.

Not to mention they didn't even work on the PC they were supposed to work on.  Incompetent Crooks!

[GT500 823]

That is (unfortunately) one of the risks when paying a ransom like that. There can be any number of reasons why the decryption tool they send you might not work (if they bother sending you one).

[trocolo 0]

On 11/05/2017 at 23:58, CSRTech said:

DEC.exe was the first; DEC1.exe was the second (original name was also DEC.exe)

dec.exe

dec1.exe

Hello

I'am a malware analyst could you please share your file on a mega.nz link please ?

I can't download the atachments on the post

I got last week a new variant of Globimposter

the crooks send us the decryptor but some files failed to decrypt with same error .

sample..docx HMAC check failed:  wrong key, or file corrupted.

Some files i got them decrypted some not .

Asked crooks for new decryptor and no more response.

i share the decryptor with you guys in atachment.

Hope someone could send me  the files dec.exe and dec1.exe would be nice please.

Thanks guys

 

 

decryptor.rar

[GT500 823]

13 hours ago, trocolo said:

Hope someone could send me  the files dec.exe and dec1.exe would be nice please.

Those files won't work for you. The decrypters that the criminals send to those who pay only work on one computer, because the ransomware generates different public/private keys for every computer it infects.

On top of that, the opening poster said that the decrypter the criminals sent them didn't even work on the computer they were intended for. Those files are basically useless.

[trocolo 0]

7 hours ago, GT500 said:

Those files won't work for you. The decrypters that the criminals send to those who pay only work on one computer, because the ransomware generates different public/private keys for every computer it infects.

On top of that, the opening poster said that the decrypter the criminals sent them didn't even work on the computer they were intended for. Those files are basically useless.

GT500 you didn't understand why i'am asking for the files.

I don't need the files to use them, i know that the decrypter only works on the computer where the paired keys where generated.

I need the files do analyze them , for patterns ... not to use them LOL

as i told before i'am malware analyst.

 

[GT500 823]

15 hours ago, trocolo said:

as i told before i'am malware analyst.

Then you should already know how to get them.

[vishal 0]

i wan a requited GlobeImposter 2.0 Ransomware.exe file if you have plz send me on my personal mail ID  

[GT500 823]

On 2/16/2019 at 8:45 AM, vishal said:

i wan a requited GlobeImposter 2.0 Ransomware.exe file if you have plz send me on my personal mail ID  

GlobeImposter 2.0 generates new keys for each computer it infects, so a decryption tool sent to another victim won't decrypt your files, as your private key will be different from theirs.