Ransomware .MIXI extension

[hoptis]

Hello,

My computer has been infected by a ransomware and all the files are encrypted with .MIXI extension. I run a small business and even if i had the money to pay it is to late.

Can someone be gentle enough to help me and tell me what is the decryptor that i should use?

Best regards edouard.

[Fabian Wosar]

Can you please upload the ransom note and one encrypted file to https://id-ransomware.malwarehunterteam.com and post the result link here? Thanks.

[hoptis]

First of all thank you for answering me. Here is what you asked. I cannot find a decrypter for this rensomware and impossible to recover data with any software. Thank you again for your help.

1 Result

GlobeImposter 2.0

 This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

• ransomnote_filename: how_to_back_files.html
• ransomnote_email: [email protected]
• sample_extension: .MIXI
• custom_rule: victim ID format

[hoptis]

https://id-ransomware.malwarehunterteam.com/identify.php?case=4230acc57d77c84d956cf2fbcdf5320626287425

[GT500]

There is currently no known way to decrypt files that have been encrypted by GlobeImposer 2. You can try ShadowExplorer and see if the ransomware failed to delete Volume Shadow Copies. If they were deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies the odds of there being backup copies of important files in them are low to begin with. This is a rather advanced method of recovery, so it may be necessary to find a local computer technician who can assist you.

[Maulserdi]

How to avoid of this virus and is it https://id-ransomware.malwarehunterteam.com/ reliable?

[GT500]

14 hours ago, Maulserdi said:

How to avoid of this virus

We have a few articles on ransomware, including where it comes from, how it works, and how to prevent it:

• Spotlight on ransomware: Ransomware encryption methods
• Spotlight on Ransomware: How ransomware works
• How to remove ransomware the right way: A step-by-step guide
• How to identify your ransomware infection to find the right decrypter tool
• The big ‘R’: Ransomware. Why businesses and institutions are at risk and what to do about it
• Ransomware for Hire: 3 Steps to Keeping Your Data Safe

It's important to keep in mind that different ransomwares are different, however here are some common ways this sort of infection spreads:

1. Through e-mail. It's very common to receive e-mails that have malicious attachments, and with certain ransomwares (especially Locky) they like to send an e-mail pretending to be information (such as an invoice) from a shipping company or something similar. In the case of Locky the malicious file is inside a ZIP archive, so you don't know what it is before you download it and extract it.
2. Online advertisements. It is not abnormal for people with malicious intent to abuse advertisements on legitimate websites in order to spread infections. One of the worst cases of this happened several years ago where a ransomware (I would believe CryptoWall) was being spread through advertisements on several of Yahoo!'s websites in advertisements. The criminal behind CryptoWall had paid to put advertisements on Yahoo!'s websites, and the advertising company that Yahoo! uses didn't notice that the advertisements contained malicious code that I would believe was from an exploit kit (exploit kits allow automated installation of infections when people visit a webpage where the exploit kit is present).
3. Direct hacking. While I often hesitate to use the word "hack" here, it is how most people would understand it. What happens is that scripts being run by criminals scan the Internet looking for computers with certain open ports in firewalls that allow them access to vulnerable services. When the script finds computers with vulnerable ports, the information is logged, and an actual person will select computers from the list of potentially vulnerable systems that were found and begin trying to gain access to them. A particular favorite, since it usually means they found a business they can extort for money, is Microsoft's Remote Desktop (RDP), which if they find an open port for they will try to brute force the password for administrator accounts and see if they can get in. If they manage to get in, they will then manually disable any security software and manually execute their ransomware on the victim's computer.

Obviously there are other ways you can run in to ransomware as well. Downloading files from unsafe websites and/or file sharing networks for instance.

As for online advertisements, we usually recommend uBlock Origin to block those. You can get uBlock Origin for Mozilla Firefox and Microsoft Edge. For Google Chrome and Vivaldi I recommend both uBlock Origin and uBlock Origin Extra to help avoid advertisements that would otherwise circumvent uBlock Origin's protection.

I also highly recommend uninstalling or disabling the Adobe Flash Player, as well as uninstalling or disabling Java (if you need Java for some sort of application or game that does not run in your web browser, then disabling the Java plugin is enough to protect your web browser).

 

14 hours ago, Maulserdi said:

is it https://id-ransomware.malwarehunterteam.com/ reliable?

Yes, ID Ransomware is maintained by Michael Gillespie, who works closely with our team and with BleepingComputer.com on ransomware analysis, as well as creation of free decryption tools.