Andre M

Decrypter for variation of GlobeImposter 2.0


I have come across a ransomware attack. Naturally their IT provider didn't have a fully thought-through backup system in place, and now they are in all sorts of trouble. I've gone through the system and tried every trick I know to recover the critical files they need, but there is just no way to get the files back, either off the computer or from the backups, because the backups are all encrypted as well.

So this brings me here. I've ID'ed the ransomware as GlobeImposter 2.0 but the difficulty is that the decrypter you have does not work with this variation. The encrypted files all end in ..readme. The encrypted files all appear to be slightly larger in size which is not consistent with the standard variation GlobeImposter 2.0.

When run through the decrypter for 2.0 I get a dialog box saying "Reference files missing" followed by "Please drag and drop both an encrypted and an unencrypted file onto the decrypter at the same time. Make sure the files are at least 65 KB in size." Given the files are 395 KB, the latter part of the message is not correct, but what does the "Reference files missing" part of the message mean?

I've attached a file pre-encryption and post-encryption. Hopefully this will assist in working out what this variation is using.

Any assistance would be greatly appreciated.

 

Regards

Andre M

37 Maryland Water Bills.pdf

37 Maryland Water Bills.pdf..readme


There is no decrypter for GlobeImposter 2.0 (we do have one for Globe2, as well as for GlobeImposter, but these are not the same as GlobeImposter 2.0). This ransomware is not decryptable without obtaining the private keys from the criminals who made/distributed the ransomware.

In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware. You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them is pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes the System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery


Hi. Don't know where to upload files, please move elsewhere if needed.

We've faced a big ransomware attack, using what seems to be GlobeImposter 2.0. Surely nothing did help, so we had to pay the hackers. Got the decryptor from them. Posting it here, in case it will help to move closer to a universal decryptor... The archive contains the html message with the ID, and the decryptor itself.

Decoder.zip

2 hours ago, abond21 said:

Hi. Don't know where to upload files, please move elsewhere if needed.

We've faced a big ransomware attack, using what seems to be GlobeImposter 2.0. Surely nothing did help, so we had to pay the hackers. Got the decryptor from them. Posting it here, in case it will help to move closer to a universal decryptor... The archive contains the html message with the ID, and the decryptor itself.

GlobeImposter 2.0 is one of the many ransomwares that uses a public key for encryption and a private key for decryption, and generates new keys for every computer it infects. The method used to decrypt the files is well known, however it is impossible to decrypt them without the private key, which is stored on a server controlled by the criminals who made/distributed the ransomware. The only thing unique about the decrypter they sent you is the fact that it comes bundled with the private key for your computer, and since that private key was generated exclusively for your computer it won't work on anyone else's computer.

I'll go ahead and forward the decrypter they gave you to our malware analysts, however please note that I don't expect they will learn anything new that could help with developing a free decryption tool.

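To make the point in the reply above concrete, here is an added example (it is not code from the page, from Emsisoft, or from the ransomware) of the per-victim hybrid scheme it describes: every victim gets a fresh public/private key pair, every file gets its own symmetric key, that key is wrapped with the victim's public key and appended to the file together with the victim ID, and only the matching private key unwraps it. The RSA modulus is a toy 128-bit one and the symmetric cipher is an HMAC-SHA256 counter-mode keystream so that the script needs only the Python standard library; the footer layout (the `GI2-TOY` marker, nonce, wrapped key and ID) is invented for illustration and says nothing about the real GlobeImposter 2.0 file format.

```python
"""Toy model of per-victim hybrid ransomware encryption (added example; illustrative, NOT secure,
NOT the real GlobeImposter 2.0 format). Standard library only."""
import hashlib
import hmac
import secrets
import struct

FILE_KEY_BYTES = 8          # toy size so the key fits under the toy 128-bit modulus
FOOTER_MAGIC = b"GI2-TOY"   # invented marker; the real footer layout is not documented here


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin probable-prime test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=128):
    """Return ((n, e), (n, d)). A fresh pair is generated for every victim, as the thread says."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:   # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream(key, nonce, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key, nonce, data):
    """Symmetric part: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def make_victim():
    pub, priv = rsa_keygen()
    # 64 hex characters, the same shape as the IDs quoted in this thread (value constructed)
    return {"id": secrets.token_hex(32).upper(), "pub": pub, "priv": priv}


def encrypt_file(plaintext, victim):
    """Per-file key, wrapped with the victim's public key, appended together with the victim ID."""
    file_key, nonce = secrets.token_bytes(FILE_KEY_BYTES), secrets.token_bytes(16)
    n, e = victim["pub"]
    wrapped = pow(int.from_bytes(file_key, "big"), e, n).to_bytes(16, "big")
    return stream_xor(file_key, nonce, plaintext) + FOOTER_MAGIC + nonce + wrapped + victim["id"].encode()


def parse_footer(blob):
    """Return (body, nonce, wrapped_key, victim_id) from the invented footer layout."""
    idx = blob.rfind(FOOTER_MAGIC)
    if idx < 0:
        raise ValueError("no footer found")
    tail = blob[idx + len(FOOTER_MAGIC):]
    return blob[:idx], tail[:16], tail[16:32], tail[32:96].decode()


def try_decrypt(blob, priv):
    """Plaintext if this private key unwraps the file key, else None (wrong key gives garbage)."""
    body, nonce, wrapped, _victim_id = parse_footer(blob)
    n, d = priv
    key_int = pow(int.from_bytes(wrapped, "big"), d, n)
    if key_int >= 1 << (8 * FILE_KEY_BYTES):
        return None
    return stream_xor(key_int.to_bytes(FILE_KEY_BYTES, "big"), nonce, body)


def demo():
    """Two victims; victim A's decrypter (private key) recovers A's file only."""
    victim_a, victim_b = make_victim(), make_victim()
    document = b"Water bill, account 1234, amount due 42.00\n" * 40   # constructed content
    blob = encrypt_file(document, victim_a)
    return {
        "size_delta": len(blob) - len(document),
        "id_in_file": victim_a["id"].encode() in blob,
        "own_key_ok": try_decrypt(blob, victim_a["priv"]) == document,
        "other_key_ok": try_decrypt(blob, victim_b["priv"]) == document,
    }
```

Calling `demo()` shows a fixed size increase equal to the footer, the victim ID readable inside the file, and victim B's private key returning nothing useful for victim A's file. That is why one paid decrypter cannot be turned into a universal one: the only secret it carries is one victim's private key, and the ID is there so the criminals can look that key up, not so anyone else can derive it.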
On 10/18/2018 at 4:20 AM, GT500 said:

GlobeImposter 2.0 is one of the many ransomwares that uses a public key for encryption and a private key for decryption, and generates new keys for every computer it infects. The method used to decrypt the files is well known, however it is impossible to decrypt them without the private key, which is stored on a server controlled by the criminals who made/distributed the ransomware. The only thing unique about the decrypter they sent you is the fact that it comes bundled with the private key for your computer, and since that private key was generated exclusively for your computer it won't work on anyone else's computer.

I'll go ahead and forward the decrypter they gave you to our malware analysts, however please note that I don't expect they will learn anything new that could help with developing a free decryption tool.

Hello GT500, can I get a copy of the decoder.zip that abond21 uploaded, if it is legit? There is a file left behind after the GlobeImposter 2.0 ransomware that looks like it may contain various keys to decrypt the files. I would like to test this further.

 

23 hours ago, Estimator2112 said:

can you email me a copy of the Decryptor?

****************

Please don't post your e-mail address on the forums. It only invites spammers and scammers to send you e-mails.

The decrypter won't help you recover your files. Your private key will be different, as the ransomware generates new keys for every infected computer. If it were possible for the decrypter he was sent to help you, then we would create a free decryption tool for everyone.

 

11 hours ago, Anonymous123 said:

Hello GT500, can I get a copy of the decoder.zip that abond21 uploaded, if it is legit? there is a file left behind after the GlobeImposter 2.0 ransomware that looks like it may contain various keys to decrypt the files.. I would like to test this further..

 

GlobeImposter 2 doesn't leave behind the private key on the infected computer. If it did, then we would release a free decryption tool so that everyone could recover their files.

4 hours ago, GT500 said:

GlobeImposter 2 doesn't leave behind the private key on the infected computer. If it did, then we would release a free decryption tool so that everyone could recover their files.

OK, FYI I have attached the file that was left behind. It looks related, as it has the personal ID inside.

33101222CB19E44AC497DFD455A17ADB98597C5B1C79878C1812B87A50787F9E


Any updates or information on this decoder or the file left behind with the possible personal ID inside? I was infected by GlobeImposter 2. The ransom is too much for me to afford. I have been looking for a solution.

I noticed in my situation that if I look at the file size of the encrypted files they are all 1 KB larger than the original un-encrypted files that I had backups of. Do you think the personal ID is actually hidden inside of each of my encrypted files?

2 hours ago, Coffee_needed123 said:

I noticed in my situation that if I look at the file size of the encrypted files they are all 1KB larger than the original un-encrypted files that I had backups of.

That's not abnormal. Encryption does change the file size.

 

2 hours ago, Coffee_needed123 said:

Do you think the personal ID is actually hidden inside of each of my encrypted files?

Sometimes encrypted files will contain extra data relevant to either decryption or identification of infected computer. Encryption processes also often alter the size of files. In this case, the extra data will not facilitate decryption of the files without first obtaining the private key, and there's no way to guess what that key is without spending thousands of years of trying random keys (aka. a "brute force" attack).

 

18 hours ago, Anonymous123 said:

OK, FYI I have attached the file that was left behind. It looks related, as it has the personal ID inside.

I've asked our malware analysts and some third-party ransomware experts about this file. Please note that I don't expect that the data it contains will facilitate decryption of your files without first obtaining the private key from the criminals who made/distributed the ransomware.

5 hours ago, GT500 said:

I've asked our malware analysts and some third-party ransomware experts about this file. Please note that I don't expect that the data it contains will facilitate decryption of your files without first obtaining the private key from the criminals who made/distributed the ransomware.

Ok thanks GT500 keep us posted

8 hours ago, Coffee_needed123 said:

Any updates or information on this decoder or the file left behind with the possible personal ID inside? I was infected by GlobeImposter 2. The ransom is too much for me to afford. I have been looking for a solution.

I noticed in my situation that if I look at the file size of the encrypted files they are all 1 KB larger than the original un-encrypted files that I had backups of. Do you think the personal ID is actually hidden inside of each of my encrypted files?

FYI that file was found in the root of the "C:\Users\Public" folder, see if you have one also.

19 hours ago, Anonymous123 said:

FYI that file was found in the root of the "C:\Users\Public" folder, see if you have one also.

I'm about 99% certain that the file is already known, and just not well documented publicly. TrendMicro mentions a file with a random name of similar length being in that folder in their threat details for a variant of GlobeImposter (they're not clear on what version of GlobeImposter the data covers, however from the dates it is almost certainly version 2):
https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/ransom_fakeglobe.thaolam

On 10/26/2018 at 8:30 PM, Anonymous123 said:

Ok thanks GT500 keep us posted

FYI that file was found in the root of the "C:\Users\Public" folder, see if you have one also.

What is the name of the file?  I am not able to look at the file you uploaded - I get the following error - 

This attachment is not available. It may have been removed or the person who shared it may not have permission to share it to this location.

Error code: 2C171/1

 

3 hours ago, Coffee_needed123 said:

What is the name of the file?  I am not able to look at the file you uploaded - I get the following error - 

Our forums only allow authorized individuals to download attachments in certain sections, with the exception of pictures of course.

As I said, it doesn't matter. A decrypter for one computer will not work on another computer, as the keys are different for every computer.

 

3 hours ago, Coffee_needed123 said:

... file size difference.

We're already aware of the file size difference. Like many ransomwares GlobeImposter 2.0 generates an ID for each infected computer to help them identify private keys in their database, that way when people pay the ransom they know what private key to send along with their decrypter, and GlobeImposter 2.0 also appends that ID to each encrypted file. Presumably that allows them to identify a specific victim even if the victim somehow lost their ID number.

 

On 10/25/2018 at 9:22 PM, Anonymous123 said:

OK, FYI I have attached the file that was left behind. It looks related, as it has the personal ID inside.

33101222CB19E44AC497DFD455A17ADB98597C5B1C79878C1812B87A50787F9E

I'm fairly certain it's just the ID number they use to match victims with private keys in their database. These ID's aren't used in key generation, so they wouldn't provide any information that would aid in discovering the private key.

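Because the poster has both an original and its encrypted copy, the size difference and the appended data can be measured directly instead of guessed at. The following is an added example, not code from the page or from any decrypter: it splits the encrypted file at the original's length, reports the entropy of the body (a renamed-but-unencrypted file would have a body identical to the original), looks for the victim ID in the tail in ASCII, UTF-16 and raw-byte forms, and, given two pairs from the same machine, measures the common suffix to separate per-victim data from per-file data. The file pairs, the victim ID and the 96-byte tail are constructed for the example; the thread reports a tail of about 1 KB.

```python
"""Added example (not from the page): compare original/encrypted file pairs to see what was appended."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, close to 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def _raw_id(victim_id):
    """The 64-hex-char ID as 32 raw bytes, or None if the ID is not hex."""
    try:
        return bytes.fromhex(victim_id)
    except ValueError:
        return None


def analyse_pair(original, encrypted, victim_id):
    """Split the encrypted file at the original length and report on body and tail."""
    body, tail = encrypted[:len(original)], encrypted[len(original):]
    raw = _raw_id(victim_id)
    return {
        "size_delta": len(encrypted) - len(original),
        "orig_entropy": round(shannon_entropy(original), 2),
        "body_entropy": round(shannon_entropy(body), 2),
        "body_unchanged": body == original,              # True would mean renamed, not encrypted
        "id_in_tail": victim_id.encode() in tail,
        "id_in_tail_utf16": victim_id.encode("utf-16-le") in tail,   # Windows wide strings
        "id_in_tail_raw": raw is not None and raw in tail,
        "id_in_body": victim_id.encode() in body,
        "tail_hex": tail.hex(),
    }


def common_suffix_len(blobs):
    """Length of the suffix shared by every blob. Per-victim data (ID, per-victim key material)
    is constant across files; per-file data (nonce, wrapped file key) is not."""
    shortest = min(len(b) for b in blobs)
    n = 0
    while n < shortest and len({b[len(b) - n - 1] for b in blobs}) == 1:
        n += 1
    return n


def _pseudo_random(seed, length):
    """Deterministic high-entropy bytes standing in for ciphertext (constructed; no cipher here)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def sample_reports():
    """Two constructed pairs from one victim. Tail = 16-byte nonce + 16-byte wrapped key + 64-char ID."""
    victim_id = "0123456789ABCDEF" * 4                     # constructed, same shape as the thread's IDs
    originals = [b"Water bill line item\n" * 100, b"%PDF-1.4 constructed sample\n" * 60]
    encrypted = []
    for i, orig in enumerate(originals):
        nonce = _pseudo_random(b"nonce%d" % i, 16)
        wrapped = bytes(range(16 * i, 16 * i + 16))        # per-file; last byte differs between files
        encrypted.append(_pseudo_random(b"body%d" % i, len(orig)) + nonce + wrapped + victim_id.encode())
    reports = [analyse_pair(o, e, victim_id) for o, e in zip(originals, encrypted)]
    tails = [e[len(o):] for o, e in zip(originals, encrypted)]
    return reports, common_suffix_len(tails)
```

On real files the interesting outputs are `body_unchanged` (if True, the files were only renamed and no key is needed), the body entropy (near 8 bits per byte means a real cipher, not a trivial XOR of a short key), and the common-suffix length: whatever is constant across every file on one machine is per-victim data such as the ID, and still useless without the private key, as the replies above say.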
On 10/25/2018 at 9:22 PM, Anonymous123 said:

OK, FYI I have attached the file that was left behind. It looks related, as it has the personal ID inside.

33101222CB19E44AC497DFD455A17ADB98597C5B1C79878C1812B87A50787F9E

I've been told that this appears to be a cipher that has been encrypted with the public key, so whether it contains anything pertinent to decryption or not doesn't matter, as you'd need the private key to decrypt before it could be usable.

4 hours ago, GT500 said:

I've been told that this appears to be a cipher that has been encrypted with the public key, so whether it contains anything pertinent to decryption or not doesn't matter, as you'd need the private key to decrypt before it could be usable.

Ok thanks GT500

 

12 hours ago, Coffee_needed123 said:

I have attached a copy of my Ransom Note and a copy of an encrypted file along with a original un-encrypted version of the file so you can see the file size difference. The Halloween theme seems appropriate ;)

how_to_back_files.html

IM001036.jpg.crypt

Hi Coffee_needed123, with the .crypt extension are you sure it's GlobeImposter 2.0? Apparently CryptXXX uses that extension and may be able to be decrypted with a tool.

10 hours ago, Anonymous123 said:

Hi Coffee_needed123, with the .crypt extension are you sure it's GlobeImposter 2.0? Apparently CryptXXX uses that extension and may be able to be decrypted with a tool.

Thanks for the tip Anonymous123. I will give that a try, as I am not positive on which ransomware I am infected with, but "id-ransomware.malwarehunterteam.com" has ID'ed it as GlobeImposter 2.0.

4 hours ago, Coffee_needed123 said:

Thanks for the tip Anonymous123. I will give that a try, as I am not positive on which ransomware I am infected with, but "id-ransomware.malwarehunterteam.com" has ID'ed it as GlobeImposter 2.0.

That identification appears to be correct. GlobeImposter has been using ".crypt" as a file extension for a while as well. Different variants will use different extensions, possibly to mark different variants of the ransomware (like a version number), and possibly to make it more difficult for victims to find information.

17 hours ago, GT500 said:

That identification appears to be correct. GlobeImposter has been using ".crypt" as a file extension for a while as well. Different variants will use different extensions, possibly to mark different variants of the ransomware (like a version number), and possibly to make it more difficult for victims to find information.

Thanks GT500.  Sounds like I am stuck hoping someday someone figures out a fix for this one.....

4 hours ago, Coffee_needed123 said:

Thanks GT500.  Sounds like I am stuck hoping someday someone figures out a fix for this one.....

Every now and then a computer security company working with law enforcement will gain access to a server operated by criminals who make/distribute ransomware, and "liberate" the database of decryption keys, which allows for the creation of a free decryption tool. Hopefully this will eventually happen for GlobeImposter 2.0 as it has with GandCrab and a few others.


Hi. I'm new in this thread.

I want to ask: my files have changed from .pdf to .pptx.

All my files changed to .pptx,
example: myfile.pdf.pptx

I'm using Win 7 x64 and GData Antivirus Business, and it is still undetected.

Thank you from Indonesia.

 

16 hours ago, M.Azzuri said:

I want to ask: my files have changed from .pdf to .pptx.

All my files changed to .pptx,
example: myfile.pdf.pptx

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.


Unfortunately there's no known way to decrypt files encrypted by GlobeImposter 2.0 without first obtaining the private key from the criminals who made/distributed the ransomware.


About the keys and the decryptor obtained from the hackers: I have been infected with this ransomware as well, and what I did was obtain the so-called "private identification key" from another infected individual and send my own files from two different email addresses with two (my own and his) identification keys to the hackers for free decryption. Both files were successfully decrypted, so maybe there is a chance that this decryptor posted here would work with more than one infected computer?

How can we check this? No way to write a private message to Abond21, neither posting your email here. Any solution just to try it out?

8 hours ago, cormac said:

... maybe there is a chance that this decryptor posted here would work with more than one infected computer?

If that were possible, then we would make a free decrypter for victims to use.

GlobeImposter 2.0 has an ID in the encrypted files that allows the criminals who made/distributed it to find the correct decryption key in their database. In this case they simply made a mistake, and didn't realize that the same person sent them two files from the same computer using different e-mail addresses.

10 hours ago, houzz said:

Can you send me a decrypter, please?

Unfortunately there is no known way to decrypt files that have been encrypted by the GlobeImposter 2.0 ransomware without first obtaining the private key from the criminals who made/distributed it.


No, there is no new information about GlobeImposter 2.0.

I recommend keeping an eye on BleepingComputer's newsfeed, as if there is any news about a decrypter then they would almost certainly report on it:
https://www.bleepingcomputer.com/

They also have an RSS feed if you have an RSS feed reader:
https://www.bleepingcomputer.com/feed/

20 hours ago, GT500 said:

No, there is no new information about GlobeImposter 2.0.

I recommend keeping an eye on BleepingComputer's newsfeed, as if there is any news about a decrypter then they would almost certainly report on it:
https://www.bleepingcomputer.com/

They also have an RSS feed if you have an RSS feed reader:
https://www.bleepingcomputer.com/feed/

Thanks for your time.

I'm in contact with them in order to recover my files. They asked me for 3 encrypted files to decrypt as proof that they can do it. I have those files decrypted right now. Is there something that the community can do with those files?

Thanks in advance.

6 hours ago, N3K0 said:

Is there something that community can do with those files?

Unfortunately no. Only the criminals have the private key, so for now they're the only ones who can decrypt the files or make a decryption tool that can decrypt them.


I'm helping a large high school (2000+ users with take-home laptops) contain and clean a GlobeImposter 2 ransomware infection.

They had, in rapid succession, 12-15 users' files encrypted and 200+ student machines triggering Emotet C&C behavior on Cisco's Firepower IPS.

Has anyone heard of GlobeImposter spreading laterally in a network anywhere? Have any of you seen it deployed in a pay-for-malware-as-a-service type setup, with Emotet/Qakbot?

Trying to figure out what, if any, correlation there could be.

On 3/12/2019 at 10:56 PM, Mitchael said:

Have any of you seen it deployed in a pay-for-malware-as-a-service type setup, with Emotet/Qakbot?

Emotet is a trojan, and trojans can be used to install other payloads. Granted Emotet is a banking trojan, however it is entirely possible for someone to have ripped off Emotet code or features for use in a trojan to spread ransomware.

 

On 3/12/2019 at 10:56 PM, Mitchael said:

Has anyone heard of globeimposter spread laterally in a network  anywhere?

It's technically possible for any malware to spread this way. Many ransomwares have done this in the past simply due to how vulnerable Windows Networking services are, and because many organizations keep vulnerable systems around long after they should have been decommissioned, or are simply too slow at deploying security patches to keep their systems safe.

Also, keep in mind that in many cases where a business or government agency is compromised with ransomware like this, the attacker had actually gained direct access to their workstations by brute forcing RDP credentials and then manually installed the ransomware on as many workstations as possible. It's also fairly common for phishing to be used to steal credentials so that they can be used to gain access to internal systems.

If it is RDP compromise, then here's some basic getting started steps for dealing with it:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

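For the RDP brute-force scenario described above, here is an added example of the detection logic an IDS or log search should carry, written for this page rather than taken from it or from any product: it reads simplified Windows Security events (4625 failed logon, 4624 successful logon, logon type 10 = RDP), flags any source address with five or more failures inside a five-minute sliding window, and then reports RDP successes from a flagged address, since that is the account whose password was guessed and must be reset first. The log lines and their `timestamp event_id key=value` layout are constructed; a real Event Log export (EVTX or CSV) needs its own parser in front of `parse_event`.

```python
"""Added example (not from the page): flag RDP credential brute force, then a success from the
same source, in simplified Windows Security log events. All lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events. 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP), LogonType 3 = network, 2 = local console.
SAMPLE_LOG = """\
2019-03-12T22:01:05 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2019-03-12T22:01:09 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2019-03-12T22:01:14 4625 LogonType=10 TargetUserName=itadmin IpAddress=203.0.113.7
2019-03-12T22:01:20 4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2019-03-12T22:01:26 4625 LogonType=10 TargetUserName=itadmin IpAddress=203.0.113.7
2019-03-12T22:02:31 4625 LogonType=10 TargetUserName=itadmin IpAddress=203.0.113.7
2019-03-12T22:03:02 4624 LogonType=10 TargetUserName=itadmin IpAddress=203.0.113.7
2019-03-12T22:05:00 4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.5
2019-03-12T22:05:40 4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.5
2019-03-12T22:06:10 4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.5
2019-03-12T22:10:00 4624 LogonType=2 TargetUserName=teacher IpAddress=-
"""


def parse_event(line):
    """Return {'time', 'event_id', 'logon_type', 'user', 'ip'} for one constructed log line."""
    stamp, event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "time": datetime.fromisoformat(stamp),
        "event_id": int(event_id),
        "logon_type": int(kv.get("LogonType", 0)),
        "user": kv.get("TargetUserName", ""),
        "ip": kv.get("IpAddress", "-"),
    }


def parse_log(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with >= threshold failed network/RDP logons inside any sliding window.
    Returns {ip: time at which the threshold was first reached}."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625 and ev["logon_type"] in (3, 10) and ev["ip"] != "-":
            failures[ev["ip"]].append(ev["time"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = t
                break
    return flagged


def successes_after_brute_force(events, flagged):
    """(ip, user, time) for RDP successes from a flagged source after it hit the threshold:
    the account whose password was guessed, and the first one to reset."""
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if (ev["event_id"] == 4624 and ev["logon_type"] == 10
                and ev["ip"] in flagged and ev["time"] >= flagged[ev["ip"]]):
            hits.append((ev["ip"], ev["user"], ev["time"]))
    return hits


def analyse(text=SAMPLE_LOG):
    """Run both checks over a log; returns (flagged sources, compromised logons)."""
    events = parse_log(text)
    flagged = brute_force_sources(events)
    return flagged, successes_after_brute_force(events, flagged)
```

In the sample, 203.0.113.7 is flagged at its fifth failure and the later success as `itadmin` is reported, while the two typos from 198.51.100.5 stay below the threshold. The threshold and window are the knobs to tune against the noise on a given network; a success that arrives only after a flagged run is the signal that the "brute forcing RDP credentials" path described above was completed, not merely attempted.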
19 hours ago, syam said:

can you email me a copy of the Decryptor?

There is no working decrypter for GlobeImposter 2.0.


@Blacksharks

Compare this information with yours. Is it all the same as yours?

 

Extension: .DOCM
Ransom note: Restore-My-Files.txt
Email: [email protected]

Tor URL: 
xxxx://decrmbgpvh6kvmti.onion/
xxxx://helpinfh6vj47ift.onion/

Text on alternative site:
If you want to buy a decryptor
send e-mail to [email protected]

This is in the June 3, 2019 update to my article GlobeImposter Ransomware.
Victims sent me samples. Test results: VT + VMR. Perhaps they will help decryption specialists figure out something.

There is no free way and free tool to decrypt files. Alas.

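Before uploading a note and a sample to ID Ransomware (as suggested earlier in the thread), it helps to know which marker and note files are actually present on the machine. The following is an added example (not from the page, from Amigo-A's article, or from ID Ransomware) that walks a file tree for the extensions and ransom-note names posters in this thread reported: `..readme`, `.crypt`, `.pptx` and `.DOCM`, with the notes `how_to_back_files.html` and `Restore-My-Files.txt`. It flags a file only when the name still has an inner extension after the marker is removed (`myfile.pdf.pptx`), so a legitimate `slides.pptx` or `macro.docm` is not counted. GlobeImposter changes extensions between variants, so the table is illustrative, not a complete list, and the sample tree is constructed in a temporary directory.

```python
"""Added example (not from the page): triage a file tree for the GlobeImposter markers this
thread reports, before uploading a note and sample to ID Ransomware."""
import os
import tempfile
from collections import Counter

# Markers and note names as reported by posters in this thread (illustrative, not complete).
ENCRYPTED_MARKERS = ("..readme", ".crypt", ".pptx", ".docm")
RANSOM_NOTES = ("how_to_back_files.html", "restore-my-files.txt")


def split_marker(filename):
    """Return (original_name, marker) for 'report.pdf.pptx'; None for a plain 'slides.pptx'.
    The signal is the double extension: the stem left after removing the marker must itself
    still carry an extension, otherwise every legitimate Office file would be flagged
    (a dotted name such as 'notes.v2.pptx' will still match; review those by hand)."""
    lowered = filename.lower()
    for marker in ENCRYPTED_MARKERS:
        if lowered.endswith(marker):
            stem = filename[:-len(marker)]
            if os.path.splitext(stem)[1]:
                return stem, marker
    return None


def triage(root):
    """Walk root; return encrypted files (relpath, marker, original name), notes, and counts."""
    found, notes, by_marker = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name.lower() in RANSOM_NOTES:
                notes.append(rel)
                continue
            hit = split_marker(name)
            if hit:
                found.append((rel, hit[1], hit[0]))
                by_marker[hit[1]] += 1
    return {"encrypted": sorted(found), "notes": sorted(notes), "by_marker": by_marker}


SAMPLE_TREE = (   # constructed; names echo the ones posted in this thread
    "Documents/37 Maryland Water Bills.pdf..readme",
    "Pictures/IM001036.jpg.crypt",
    "Pictures/how_to_back_files.html",
    "Work/myfile.pdf.pptx",
    "Work/slides.pptx",                 # legitimate PowerPoint file, must not be flagged
    "Work/macro.docm",                  # legitimate Word macro file, must not be flagged
    "Users/Public/Restore-My-Files.txt",
)


def build_sample_tree(root):
    """Create the constructed tree under root with placeholder contents."""
    for rel in SAMPLE_TREE:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample\n")


def sample_triage():
    """Build the constructed tree in a fresh temp directory and triage it."""
    root = tempfile.mkdtemp(prefix="gi2-triage-")
    build_sample_tree(root)
    return triage(root)
```

Point `triage()` at a victim drive mounted read-only and the `by_marker` counts tell you immediately which variant's extension you are dealing with and where the note copies are; the `encrypted` list also gives the original file names, which is what you need to pair each encrypted file with a backup copy when a decrypter asks for reference files.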

Just got infected, got lucky to react fast and stop the encryption before my important stuff got encrypted. Managed to stop it by turning off the PC, disabling it from startup and disconnecting the LAN cable. Now I am in safe mode. Because I still have my files unencrypted, I would like it if someone could help me with how to get rid of this virus without formatting the whole system.

I deleted files in the temp folder, the file from startup "Sdfsd" and all suspicious files next to that one in appdata. Deleted the .job file in the windows/Task folder.

Encrypted files are .DOCM

Does this virus spread if I connect a USB to my PC and then somewhere else? Is it safe, if it does, to format the USB after unplugging it from the infected system using an OTG adapter with an Android phone, and then put programs for removal of the virus on it?

The virus started by encrypting most of the desktop and then my D: disk drive folders (cannot remove smiley for some reason) from the bottom to the top by name. I stopped it while it was encrypting the Steam library; luckily I had some big games in size, so I had time to react.

As I said, I would appreciate help to remove it, and one last thing: is it safe to turn the connection back on and go out of safe mode?

Writing from a phone.

Just got an idea. Since my system is installed on an SSD but all important files are on an HDD, will I be safe if I unplug the HDD, reinstall Windows and after that plug the HDD back in? Is the virus only stored on the system partition? Is it a smart idea to do that?


Hello @Vegetto

GlobeImposter Ransomware does not delete itself after encryption. Copies of it are kept in several places.
Ransomware often takes on additional malicious functionality, for example to steal information and set up remote control. Therefore, without comprehensive antivirus and additional protection measures, the PC can be attacked once again.

---

You have a lot of different ideas, so it's amazing how you could catch a virus.
Disconnect all external drives while you check and clean the system. Connect external drives again only after antivirus is installed on your PC.
Antivirus protection must be active, up to date and comprehensive (antivirus, firewall, other security features).

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components to encrypt any new files saved, and these will encrypt any files you manage to decrypt.
It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):

https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

You can use Emsisoft Anti-Malware Home (30 days for free) to scan your system and disks and be safe until you decide how to protect your PC and the information on external drives.

Try not to use free antivirus software, because their security capabilities are very limited. It is better, safer and smarter to use a paid comprehensive antivirus product. It has more functionality and is able to protect your PC and your online privacy. The choice is yours...

1 hour ago, Amigo-A said:

Hello @Vegetto

GlobeImposter Ransomware does not delete itself after encryption. Copies of it are kept in several places.
Ransomware often takes on additional malicious functionality, for example to steal information and set up remote control. Therefore, without comprehensive antivirus and additional protection measures, the PC can be attacked once again.

---

You have a lot of different ideas, so it's amazing how you could catch a virus.
Disconnect all external drives while you check and clean the system. Connect external drives again only after antivirus is installed on your PC.
Antivirus protection must be active, up to date and comprehensive (antivirus, firewall, other security features).

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components to encrypt any new files saved, and these will encrypt any files you manage to decrypt.
It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):

https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

You can use Emsisoft Anti-Malware Home (30 days for free) to scan your system and disks and be safe until you decide how to protect your PC and the information on external drives.

Try not to use free antivirus software, because their security capabilities are very limited. It is better, safer and smarter to use a paid comprehensive antivirus product. It has more functionality and is able to protect your PC and your online privacy. The choice is yours...

Thanks for the info. To clean the SSD, can I just use the Windows built-in feature "Reset this PC", because this is my only PC at the time in the house?

11 minutes ago, Vegetto said:

To clean the SSD, can I just use the Windows built-in feature "Reset this PC", because this is my only PC at the time in the house?

These functions are easily captured, bypassed and used by malware.
You need to save the ransom notes and encrypted files for the future. Then you can do whatever you want with your PC.

You can upload a note here so that I can compare with my information or compare it yourself.

 

7 minutes ago, Amigo-A said:

These functions are easily captured, bypassed and used by malware.
You need to save the ransom notes and encrypted files for the future. Then you can do with your PC, whatever you want.

You can upload a note here so that I can compare with my information or compare it yourself.


I am not sure if it is safe to turn the connection back on, but don't worry, I have the note and a few encrypted files on the HDD; I will send them afterwards.

Forgot to mention: while installing Windows, is a quick format fine? I am not sure if I would encounter problems fully formatting the SSD, because, if I remember correctly, the first time I installed it in the PC I needed to install drivers for it (Samsung 970 EVO).

14 minutes ago, Vegetto said:

I am not sure if it is safe to turn the connection back on, but don't worry, I have the note and a few encrypted files on the HDD; I will send them afterwards.

Forgot to mention: while installing Windows, is a quick format fine? I am not sure if I would encounter problems fully formatting the SSD, because, if I remember correctly, the first time I installed it in the PC I needed to install drivers for it (Samsung 970 EVO).


Malicious modules can remain in any case, except when you erase (zero out) the disk while it is connected as a secondary drive to another PC.
The wiping procedure is not always sufficient for the complete destruction of information on conventional media.

Information on SSDs is stored differently, in the form of blocks or pages in NAND transistor chips, which must be erased electronically before being reused.

Just check that the Windows installer does a quick format (in its understanding).

On 3/13/2019 at 9:56 AM, Mitchael said:

I'm helping a large high school (2000+ users with take-home laptops) contain and clean a GlobeImposter 2 ransomware infection.

In rapid succession they had 12-15 users' files encrypted and 200+ student machines triggering Emotet C&C behavior on Cisco's Firepower IPS.

Has anyone heard of GlobeImposter spreading laterally in a network anywhere? Have any of you seen it deployed in a pay-for-malware-as-a-service type arrangement, with Emotet/QakBot?

Trying to figure out what, if any, correlation there could be.

My designer's PC just got infected with this GlobeImposter 2.0 today. Damn, this ransomware encoded all the files to .docm and there is no way to decode them. But luckily, GlobeImposter does not have the ability to spread throughout the LAN automatically. BUT it can infect another PC via a shared folder. I mean, if a user from the infected PC accesses a shared folder, all of the files in this folder will be encoded. If the destination hard drive or partition has permission for Everyone to access it with Full Control, you will be cursed :D. I just cancelled all Everyone Full Control access on the other shared folders, formatted all the HDDs and SSDs of the infected PC and reinstalled the OS. Hmmm, now our designer is moaning and working overtime Y_Y.
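The over-permissive share setting described in the post above (Everyone with Full Control) is easy to audit before an infected workstation ever touches the share. This is an added example for Windows administrators, not code from the thread or from Emsisoft; it uses the built-in SmbShare cmdlets and assumes it is run in an elevated PowerShell session on the file server (Windows 8 / Server 2012 or later).

```powershell
# Added example: flag SMB shares whose share-level ACL grants broad principals
# (Everyone, Authenticated Users, Users) Full or Change access. A ransomware process
# running under any ordinary user account can encrypt every file on such a share.

$broadPrincipals = @('Everyone', 'Authenticated Users', 'Users')
$riskyRights     = @('Full', 'Change')

# Skip administrative shares such as C$ and IPC$ (marked Special by Get-SmbShare)
$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    # One entry per access-control entry on the share's ACL
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        # Strip the BUILTIN\ or DOMAIN\ prefix so the principal name compares cleanly
        $principal = ($ace.AccountName -split '\\')[-1]
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $principal -and
            $riskyRights -contains $ace.AccessRight) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $ace.AccountName
                Right     = $ace.AccessRight
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    # Remediation (run per finding, after deciding who really needs write access):
    #   Revoke-SmbShareAccess -Name <Share> -AccountName Everyone -Force
    #   Grant-SmbShareAccess  -Name <Share> -AccountName '<DOMAIN>\<EditorsGroup>' -AccessRight Change -Force
} else {
    'No shares grant Everyone/Authenticated Users/Users Full or Change access.'
}
```

The effective permission is the more restrictive of the share ACL and the NTFS ACL on the folder, so a share that passes this check can still be writable to everyone if the NTFS ACL is open; review both.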

10 hours ago, Amigo-A said:

Malicious modules can remain in any case, except when you erase (zero out) the disk while it is connected as a secondary drive to another PC.
The wiping procedure is not always sufficient for the complete destruction of information on conventional media.

Information on SSDs is stored differently, in the form of blocks or pages in NAND transistor chips, which must be erased electronically before being reused.

Just check that the Windows installer does a quick format (in its understanding).

Here is the note. I finally managed to reinstall everything, and I can confirm that I somehow stopped the encryption on the HDD. As I said before, luckily all my important files are still there.

Thanks again for all the support you gave me to make this process a bit easier.

Restore-My-Files.txt

12 hours ago, manlysixpacks said:

... it can infect another PC via a shared folder. I mean, if a user from the infected PC accesses a shared folder, all of the files in this folder will be encoded

Many ransomware families have the capability to access network shares and encrypt files on them. My recommendation is a backup solution where the backup media does not remain connected to the computer when not in use (such as USB drives or tape drives).

Cloud backups are nice as well, however in many cases where ransomware is executed on a computer by an attacker who compromised RDP they will access cloud backup settings and delete any backups if they can, making the cloud backup system useless. Cloud backups also tend to be slower than having local media to restore from, which makes them less practical (I know of a hospital which paid a ransom rather than restore from cloud backups due to the amount of time restoring from cloud backups would take costing them more than the ransom).
