Andre M

Decrypter for variation of GlobeImposter 2.0


I have come across a ransomware attack. Naturally their IT provider didn't have a fully thought-through backup system in place and now they are in all sorts of trouble. I've gone through the system and tried every trick I know to recover the critical files they need, but there is just no way to get the files back either off the computer or the backups, because the backups are all encrypted as well.

So this brings me here. I've ID'ed the ransomware as GlobeImposter 2.0 but the difficulty is that the decrypter you have does not work with this variation. The encrypted files all end in ..readme. The encrypted files all appear to be slightly larger in size which is not consistent with the standard variation GlobeImposter 2.0.

When run through the decrypter for 2.0 I get a dialog box saying "Reference files missing" followed by "Please drag and drop both and encrypted and unencrypted file onto the decrypter at the same time. Make sure the files are at least 65 kb in size." Given the files are 395Kb the latter part of the message is not correct, but what does the "Reference files missing" part of the message mean?

I've attached a file pre encryption and post encryption. Hopefully this will assist in working out what this variation is using.

Any assistance would be greatly appreciated.


Regards

Andre M

37 Maryland Water Bills.pdf

37 Maryland Water Bills.pdf..readme


There is no decrypter for GlobeImposter 2.0 (we do have one for Globe2, as well as for GlobeImposter, but these are not the same as GlobeImposter 2.0). This ransomware is not decryptable without obtaining the private keys from the criminals who made/distributed the ransomware.

In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware. You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them is pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes the System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery


Hi. Don't know where to upload files, please move elsewhere if needed.

We've faced a big ransomware attack, using, it seems, GlobeImposter 2.0. Surely nothing did help, so we had to pay the hackers. Got the decryptor from them. Posting it here, in case it will help to move closer to a universal decryptor... The archive contains the html message with ID, and the decryptor itself.

Decoder.zip

2 hours ago, abond21 said:

Hi. Don't know where to upload files, please move elsewhere if needed.

We've faced a big ransomware attack, using, it seems, GlobeImposter 2.0. Surely nothing did help, so we had to pay the hackers. Got the decryptor from them. Posting it here, in case it will help to move closer to a universal decryptor... The archive contains the html message with ID, and the decryptor itself.

GlobeImposter 2.0 is one of the many ransomwares that uses a public key for encryption and a private key for decryption, and generates new keys for every computer it infects. The method used to decrypt the files is well known, however it is impossible to decrypt them without the private key, which is stored on a server controlled by the criminals who made/distributed the ransomware. The only thing unique about the decrypter they sent you is the fact that it comes bundled with the private key for your computer, and since that private key was generated exclusively for your computer it won't work on anyone else's computer.

I'll go ahead and forward the decrypter they gave you to our malware analysts, however please note that I don't expect they will learn anything new that could help with developing a free decryption tool.

On 10/18/2018 at 4:20 AM, GT500 said:

GlobeImposter 2.0 is one of the many ransomwares that uses a public key for encryption and a private key for decryption, and generates new keys for every computer it infects. The method used to decrypt the files is well known, however it is impossible to decrypt them without the private key, which is stored on a server controlled by the criminals who made/distributed the ransomware. The only thing unique about the decrypter they sent you is the fact that it comes bundled with the private key for your computer, and since that private key was generated exclusively for your computer it won't work on anyone else's computer.

I'll go ahead and forward the decrypter they gave you to our malware analysts, however please note that I don't expect they will learn anything new that could help with developing a free decryption tool.

Hello GT500, can I get a copy of the decoder.zip that abond21 uploaded, if it is legit? There is a file left behind after the GlobeImposter 2.0 ransomware that looks like it may contain various keys to decrypt the files. I would like to test this further.

23 hours ago, Estimator2112 said:

can you email me a copy of the Decryptor?

****************

Please don't post your e-mail address on the forums. It only invites spammers and scammers to send you e-mails.

The decrypter won't help you recover your files. Your private key will be different, as the ransomware generates new keys for every infected computer. If it were possible for the decrypter he was sent to help you, then we would create a free decryption tool for everyone.


11 hours ago, Anonymous123 said:

Hello GT500, can I get a copy of the decoder.zip that abond21 uploaded, if it is legit? There is a file left behind after the GlobeImposter 2.0 ransomware that looks like it may contain various keys to decrypt the files. I would like to test this further.

GlobeImposter 2 doesn't leave behind the private key on the infected computer. If it did, then we would release a free decryption tool so that everyone could recover their files.

4 hours ago, GT500 said:

GlobeImposter 2 doesn't leave behind the private key on the infected computer. If it did, then we would release a free decryption tool so that everyone could recover their files.

Ok, FYI I have attached the file that was left behind. Looks related, as it has the personal ID inside.

33101222CB19E44AC497DFD455A17ADB98597C5B1C79878C1812B87A50787F9E


Any updates or information on this decoder or the file left behind with the possible personal ID inside? I was infected by GlobeImposter 2. The ransom is too much for me to afford. I have been looking for a solution.

I noticed in my situation that if I look at the file size of the encrypted files they are all 1KB larger than the original un-encrypted files that I had backups of. Do you think the personal ID is actually hidden inside of each of my encrypted files?

2 hours ago, Coffee_needed123 said:

I noticed in my situation that if I look at the file size of the encrypted files they are all 1KB larger than the original un-encrypted files that I had backups of.

That's not abnormal. Encryption does change the file size.


2 hours ago, Coffee_needed123 said:

Do you think the personal ID is actually hidden inside of each of my encrypted files?

Sometimes encrypted files will contain extra data relevant to either decryption or identification of the infected computer. Encryption processes also often alter the size of files. In this case, the extra data will not facilitate decryption of the files without first obtaining the private key, and there's no way to guess what that key is without spending thousands of years trying random keys (a.k.a. a "brute force" attack).

18 hours ago, Anonymous123 said:

Ok, FYI I have attached the file that was left behind. Looks related, as it has the personal ID inside.

I've asked our malware analysts and some third-party ransomware experts about this file. Please note that I don't expect that the data it contains will facilitate decryption of your files without first obtaining the private key from the criminals who made/distributed the ransomware.

5 hours ago, GT500 said:

I've asked our malware analysts and some third-party ransomware experts about this file. Please note that I don't expect that the data it contains will facilitate decryption of your files without first obtaining the private key from the criminals who made/distributed the ransomware.

Ok, thanks GT500, keep us posted.

8 hours ago, Coffee_needed123 said:

Any updates or information on this decoder or the file left behind with the possible personal ID inside? I was infected by GlobeImposter 2. The ransom is too much for me to afford. I have been looking for a solution.

I noticed in my situation that if I look at the file size of the encrypted files they are all 1KB larger than the original un-encrypted files that I had backups of. Do you think the personal ID is actually hidden inside of each of my encrypted files?

FYI that file was found in the root of the "C:\Users\Public" folder, see if you have one also.

19 hours ago, Anonymous123 said:

FYI that file was found in the root of the "C:\Users\Public" folder, see if you have one also.

I'm about 99% certain that the file is already known, and just not well documented publicly. TrendMicro mentions a file with a random name of similar length being in that folder in their threat details for a variant of GlobeImposter (they're not clear on what version of GlobeImposter the data covers, however from the dates it is almost certainly version 2):
https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/ransom_fakeglobe.thaolam

On 10/26/2018 at 8:30 PM, Anonymous123 said:

Ok, thanks GT500, keep us posted.

FYI that file was found in the root of the "C:\Users\Public" folder, see if you have one also.

What is the name of the file? I am not able to look at the file you uploaded; I get the following error:

This attachment is not available. It may have been removed or the person who shared it may not have permission to share it to this location.

Error code: 2C171/1

3 hours ago, Coffee_needed123 said:

What is the name of the file? I am not able to look at the file you uploaded; I get the following error:

Our forums only allow authorized individuals to download attachments in certain sections, with the exception of pictures of course.

As I said, it doesn't matter. A decrypter for one computer will not work on another computer, as the keys are different for every computer.


3 hours ago, Coffee_needed123 said:

... file size difference.

We're already aware of the file size difference. Like many ransomwares, GlobeImposter 2.0 generates an ID for each infected computer to help them identify private keys in their database, that way when people pay the ransom they know what private key to send along with their decrypter, and GlobeImposter 2.0 also appends that ID to each encrypted file. Presumably that allows them to identify a specific victim even if the victim somehow lost their ID number.

On 10/25/2018 at 9:22 PM, Anonymous123 said:

Ok, FYI I have attached the file that was left behind. Looks related, as it has the personal ID inside.

33101222CB19E44AC497DFD455A17ADB98597C5B1C79878C1812B87A50787F9E

I'm fairly certain it's just the ID number they use to match victims with private keys in their database. These IDs aren't used in key generation, so they wouldn't provide any information that would aid in discovering the private key.
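An added triage helper, not code from this thread or from any Emsisoft tool: it compares a backup copy of a file with its encrypted counterpart to confirm the size delta discussed above and to pull an ID-like string out of the appended bytes so it can be recorded for the incident file. It assumes the extra data sits after the ciphertext and that the ID is a 64-character uppercase hex string (the length of the ID quoted in this thread); both are assumptions, and the sample pair is constructed.

```python
import hashlib
import math
import re

# Assumptions for this triage helper (not the ransomware's documented format):
# the per-victim data is appended after the ciphertext, and the victim ID is a
# 64-character uppercase hex string, the length of the ID quoted in the thread.
ID_RE = re.compile(rb"[0-9A-F]{64}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def compare_pair(original: bytes, encrypted: bytes) -> dict:
    """Compare a backup copy with its encrypted counterpart: size delta, whether
    the leading bytes look like ciphertext, and ID-like strings in the appended
    trailer. Nothing here recovers plaintext; it only documents the sample."""
    delta = len(encrypted) - len(original)
    body = encrypted[: len(original)]
    trailer = encrypted[len(original):] if delta > 0 else b""
    return {
        "size_delta": delta,
        "original_entropy": round(shannon_entropy(original), 2),
        "body_entropy": round(shannon_entropy(body), 2),
        "looks_encrypted": shannon_entropy(body) > 7.5,
        "trailer_len": len(trailer),
        "candidate_ids": [m.decode("ascii") for m in ID_RE.findall(trailer)],
    }


def _sample_ciphertext(plain: bytes) -> bytes:
    """Constructed stand-in for ciphertext (plaintext XOR a SHA-256 counter
    keystream); it only yields high-entropy demo bytes, not the real cipher."""
    out = bytearray()
    for i in range(0, len(plain), 32):
        ks = hashlib.sha256(b"demo-keystream" + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(plain[i : i + 32], ks))
    return bytes(out)


# Constructed sample pair: a low-entropy "bill" and its encrypted copy with an
# 88-byte trailer carrying a made-up 64-hex-character ID.
SAMPLE_ID = b"0123456789ABCDEF" * 4
SAMPLE_ORIGINAL = b"Maryland water bill, account 0001, balance due\n" * 200
SAMPLE_ENCRYPTED = _sample_ciphertext(SAMPLE_ORIGINAL) + b"\x00" * 16 + SAMPLE_ID + b"\xff" * 8

if __name__ == "__main__":
    for key, value in compare_pair(SAMPLE_ORIGINAL, SAMPLE_ENCRYPTED).items():
        print(f"{key}: {value}")
```

Run it against a real pair by reading both files with `open(path, "rb").read()` and passing the bytes to `compare_pair`; a high body entropy plus a fixed-size trailer across several pairs is consistent with the behaviour described in the thread, while a match for `ID_RE` is only a hint about where the ID lives, not a path to the key.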

On 10/25/2018 at 9:22 PM, Anonymous123 said:

Ok, FYI I have attached the file that was left behind. Looks related, as it has the personal ID inside.

33101222CB19E44AC497DFD455A17ADB98597C5B1C79878C1812B87A50787F9E

I've been told that this appears to be a cipher that has been encrypted with the public key, so whether it contains anything pertinent to decryption or not doesn't matter, as you'd need the private key to decrypt before it could be usable.

4 hours ago, GT500 said:

I've been told that this appears to be a cipher that has been encrypted with the public key, so whether it contains anything pertinent to decryption or not doesn't matter, as you'd need the private key to decrypt before it could be usable.

Ok thanks GT500

12 hours ago, Coffee_needed123 said:

I have attached a copy of my Ransom Note and a copy of an encrypted file along with a original un-encrypted version of the file so you can see the file size difference. The Halloween theme seems appropriate ;)

how_to_back_files.html

IM001036.jpg.crypt

Hi Coffee_needed123, with the .crypt extension are you sure it's GlobeImposter 2.0? Apparently CryptXXX uses that extension and may be able to be decrypted with a tool.

10 hours ago, Anonymous123 said:

Hi Coffee_needed123, with the .crypt extension are you sure it's GlobeImposter 2.0? Apparently CryptXXX uses that extension and may be able to be decrypted with a tool.

Thanks for the tip Anonymous123. I will give that a try, as I am not positive on which ransomware I am infected with, but "id-ransomware.malwarehunterteam.com" has ID'ed it as GlobeImposter 2.0.

4 hours ago, Coffee_needed123 said:

Thanks for the tip Anonymous123. I will give that a try, as I am not positive on which ransomware I am infected with, but "id-ransomware.malwarehunterteam.com" has ID'ed it as GlobeImposter 2.0.

That identification appears to be correct. GlobeImposter has been using ".crypt" as a file extension for a while as well. Different variants will use different extensions, possibly to mark different variants of the ransomware (like a version number), and possibly to make it more difficult for victims to find information.

17 hours ago, GT500 said:

That identification appears to be correct. GlobeImposter has been using ".crypt" as a file extension for a while as well. Different variants will use different extensions, possibly to mark different variants of the ransomware (like a version number), and possibly to make it more difficult for victims to find information.

Thanks GT500. Sounds like I am stuck hoping someday someone figures out a fix for this one...

4 hours ago, Coffee_needed123 said:

Thanks GT500. Sounds like I am stuck hoping someday someone figures out a fix for this one...

Every now and then a computer security company working with law enforcement will gain access to a server operated by criminals who make/distribute ransomware, and "liberate" the database of decryption keys, which allows for the creation of a free decryption tool. Hopefully this will eventually happen for GlobeImposter 2.0 as it has with GandCrab and a few others.


Hi. I'm new in this thread.

I want to ask: my files have changed from .pdf to .pptx.

All my files changed to .pptx,
for example myfile.pdf.pptx.

I'm using Win 7 x64 and the antivirus GData Antivirus Business, and it is still undetected.

Thank you from Indonesia.

16 hours ago, M.Azzuri said:

I want to ask: my files have changed from .pdf to .pptx.

All my files changed to .pptx,
for example myfile.pdf.pptx.

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.


Unfortunately there's no known way to decrypt files encrypted by GlobeImposter 2.0 without first obtaining the private key from the criminals who made/distributed the ransomware.


About the keys and the decryptor obtained from the hackers: I have been infected with this ransomware as well, and what I did was obtain a so-called "private identification key" from another infected individual and send my own files from two different email addresses with two (my own and his) identification keys to the hackers for free decryption. Both files were successfully decrypted, so maybe there is a chance that this decryptor posted here would work with more than one infected computer?

How can we check this? There is no way to write a private message to Abond21, nor to post your email here. Any solution just to try it out?

8 hours ago, cormac said:

... maybe there is a chance that this decryptor posted here would work with more than one infected computer?

If that were possible, then we would make a free decrypter for victims to use.

GlobeImposter 2.0 has an ID in the encrypted files that allows the criminals who made/distributed it to find the correct decryption key in their database. In this case they simply made a mistake, and didn't realize that the same person sent them two files from the same computer using different e-mail addresses.

10 hours ago, houzz said:

Can you send me a decrypter, please?

Unfortunately there is no known way to decrypt files that have been encrypted by the GlobeImposter 2.0 ransomware without first obtaining the private key from the criminals who made/distributed it.
