CSRTech (posted May 10, 2017)
3 weeks ago our server was compromised by weak passwords and an open, non-standard RDP port. Compound that with a failed backup scheme which had not been checked for a while and we have a worst-case scenario here. The file extension for the encrypted files is PAYCYKA. ID Ransomware has identified this attack as a GlobeImposter 2.0 infection by the demand file named "how_to_back_files.html" (attached) and referenced a "[email protected]" email address. The initial ransom demand of 2 bitcoins was paid and we were provided a "dec.exe" file which failed to decrypt the encrypted files with a "HMAC check failed: wrong key, or file corrupted" error after each file. After further email exchanges with the crooks an additional 1.5 bitcoins were paid and another "dec.exe" file was provided that also failed to decrypt the files with the same error. It appears we have found a dishonest variant of the ransomware crooks, but we still need to get our files decrypted if possible. My research shows no known decrypters for GlobeImposter 2.0. I have attached the ransom demand file and the encryption executable (new.exe inside new.zip) as well as 2 pairs of encrypted/decrypted files. Any assistance that can be provided will be appreciated greatly!
Attachments: how_to_back_files.html, LICENSE.txt, LICENSE.txt.paycyka, new.zip, VERSION.VER, VERSION.VER.paycyka
Fabian Wosar (posted May 11, 2017)
Can you send the decrypter executables that you got from the crooks?
CSRTech (posted May 11, 2017)
DEC.exe was the first; DEC1.exe was the second (original name was also DEC.exe).
Attachments: dec.exe, dec1.exe
rrr (posted June 6, 2017)
On 5/11/2017 at 2:58 PM, CSRTech said:
rrr (posted June 6, 2017)
We have the same; is there a solution for this?
CSRTech (posted June 6, 2017)
Not that I have found.
nitop (posted June 22, 2017)
Is there any information available on which way GlobeImposter 2.0 is using to get active? I read about a possibility after RDP login attacks. A system in our datacenter, which is affected by GlobeImposter 2.0, is only available through a VPN tunnel to the customer and directly via NAT from our office location. Our local network has been scanned without any infection found, although I guess more systems in our datacenter would be affected if our office network were irrupted. The affected system is a Windows Server 2012 R2, which was 99% up to date and used for Remote Desktop Services. The ransomware started crypting files this Monday (19th June). Only one Windows update was missing (KB4022726 monthly rollup). The update was released on 9th June and got installed on 14th, so we have just a time frame of five days not running with the most recent Windows updates.
Attachments: CollectStrategy.host, CollectStrategy.host.FIXI, DeviceModel.host, DeviceModel.host.FIXI, how_to_back_files.html
rodvelcar (posted December 27, 2017)
On 11/5/2017 at 4:58 PM, CSRTech said: "DEC.exe was the first; DEC1.exe was the second (original name was also DEC.exe)." (attachments dec.exe, dec1.exe)
Can I get the files?
GT500 (posted December 28, 2017)
22 hours ago, rodvelcar said: "Can I get the files?"
If it was possible for the decryption tool to work on other computers, then someone would have released a free decrypter.
CSRTech (posted December 28, 2017)
10 hours ago, GT500 said: "If it was possible for the decryption tool to work on other computers, then someone would have released a free decrypter."
Not to mention they didn't even work on the PC they were supposed to work on. Incompetent crooks!
GT500 (posted December 28, 2017)
That is (unfortunately) one of the risks when paying a ransom like that. There can be any number of reasons why the decryption tool they send you might not work (if they bother sending you one).
trocolo (posted January 25, 2018)
On 11/05/2017 at 23:58, CSRTech said: "DEC.exe was the first; DEC1.exe was the second (original name was also DEC.exe)." (attachments dec.exe, dec1.exe)
Hello, I am a malware analyst. Could you please share your files on a mega.nz link? I can't download the attachments on the post. Last week I got a new variant of GlobeImposter; the crooks sent us the decryptor but some files failed to decrypt with the same error: "sample..docx HMAC check failed: wrong key, or file corrupted." Some files I got decrypted, some not. I asked the crooks for a new decryptor and got no more response. I share the decryptor with you guys in the attachment. Hope someone could send me the files dec.exe and dec1.exe; that would be nice, please. Thanks guys.
Attachments: decryptor.rar
GT500 (posted January 26, 2018)
13 hours ago, trocolo said: "Hope someone could send me the files dec.exe and dec1.exe; that would be nice, please."
Those files won't work for you. The decrypters that the criminals send to those who pay only work on one computer, because the ransomware generates different public/private keys for every computer it infects. On top of that, the opening poster said that the decrypter the criminals sent them didn't even work on the computer they were intended for. Those files are basically useless.
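As an added illustration of the point GT500 makes (this is example code written for this page, not code from the thread or from any analysed sample), the following Python models an encrypt-then-MAC file format keyed per victim: the tag is verified before anything is decrypted, so another victim's key and a damaged file both produce the same "wrong key, or file corrupted" error, which is why that message alone cannot say which of the two happened. The HMAC-SHA256 counter-mode keystream, the key-splitting labels and the nonce/tag layout are assumptions chosen for the example; the real ransomware's format is not documented on the page.

```python
import hashlib
import hmac
import os
import struct

class HmacCheckFailed(Exception):
    """Raised when the tag over the ciphertext does not verify."""

def derive_keys(master):
    # Split one per-victim master secret into independent encryption and MAC keys (assumed scheme).
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())

def keystream(enc_key, nonce, length):
    # HMAC-SHA256 used as a PRF in counter mode; a stand-in for the unknown real cipher.
    blocks = (hmac.new(enc_key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_then_mac(master, plaintext):
    enc_key, mac_key = derive_keys(master)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # layout: 16-byte nonce, ciphertext, 32-byte tag

def verify_and_decrypt(master, blob):
    enc_key, mac_key = derive_keys(master)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # Another victim's key and a damaged file both land here; the tag cannot tell them apart.
        raise HmacCheckFailed("HMAC check failed: wrong key, or file corrupted")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))

def outcome(master, blob):
    # What a decryptor would report for this file: the plaintext, or the error text.
    try:
        return verify_and_decrypt(master, blob)
    except HmacCheckFailed as err:
        return str(err)

def demo():
    # Constructed scenario: two victims, each infected with its own master secret.
    victim_a, victim_b = os.urandom(32), os.urandom(32)
    blob = encrypt_then_mac(victim_a, b"constructed LICENSE.txt contents")
    damaged = blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:]  # flip one ciphertext bit
    return {"own_key": outcome(victim_a, blob),
            "other_victims_key": outcome(victim_b, blob),
            "damaged_file_own_key": outcome(victim_a, damaged)}
```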
trocolo (posted January 26, 2018)
7 hours ago, GT500 said: "Those files won't work for you. The decrypters that the criminals send to those who pay only work on one computer, because the ransomware generates different public/private keys for every computer it infects. On top of that, the opening poster said that the decrypter the criminals sent them didn't even work on the computer they were intended for. Those files are basically useless."
GT500, you didn't understand why I am asking for the files. I don't need the files to use them; I know that the decrypter only works on the computer where the paired keys were generated. I need the files to analyze them, for patterns, not to use them, LOL. As I told you before, I am a malware analyst.
GT500 (posted January 26, 2018)
15 hours ago, trocolo said: "As I told you before, I am a malware analyst."
Then you should already know how to get them.
vishal (posted February 16, 2019)
I want to request a GlobeImposter 2.0 Ransomware.exe file; if you have it, please send it to my personal mail ID.
GT500 (posted February 18, 2019)
On 2/16/2019 at 8:45 AM, vishal said: "I want to request a GlobeImposter 2.0 Ransomware.exe file; if you have it, please send it to my personal mail ID."
GlobeImposter 2.0 generates new keys for each computer it infects, so a decryption tool sent to another victim won't decrypt your files, as your private key will be different from theirs.