Andre M

Decrypter for variation of GlobeImposter 2.0


11 hours ago, Vegetto said:

Here is the note.

Yes, it is the same GlobeImposter-2.

11 hours ago, Vegetto said:

Thanks again for all the support you gave me to make this process a bit easier.

You are welcome.

6 hours ago, GT500 said:

Many ransomware families have the capability to access network shares and encrypt files on them. My recommendation is a backup solution where the backup media does not remain connected to the computer when not in use (such as using USB drives or tape drives).

Cloud backups are nice as well, however in many cases where ransomware is executed on a computer by an attacker who compromised RDP they will access cloud backup settings and delete any backups if they can, making the cloud backup system useless. Cloud backups also tend to be slower than having local media to restore from, which makes them less practical (I know of a hospital which paid a ransom rather than restore from cloud backups due to the amount of time restoring from cloud backups would take costing them more than the ransom).

Oh god, 55k USD Y_Y''. I am just waiting for a cure for this ransomware. Yesterday I did a full scan of every PC in my company; luckily only 2 PCs were infected (they had a shared folder between each other, so GlobeImposter could spread). I isolated them and did a format and reinstall of Windows just to be sure. I know it was a bad move, but the safest.. So scared.


Note that if shared files on a computer were encrypted, but nothing else (meaning the computer wasn't actually infected), then you might be able to recover some files using file undelete/recovery tools or Shadow Explorer.


Couldn't finding the malicious executable help if it's disassembled? The private key must be somewhere in there I would think, unless the program connects to the malicious server to get the key and keeps it in volatile memory while doing the encryption...

16 hours ago, Pedro said:

Couldn't finding the malicious executable help if it's disassembled?

GlobeImposter 2.0 has been pretty thoroughly analyzed.

 

16 hours ago, Pedro said:

The private key must be somewhere in there I would think, unless the program connects to the malicious server to get the key and keeps it in volatile memory while doing the encryption...

Private keys are stored on the ransomware's command and control server so that they can't just be recovered and used for decryption.


All my files are encrypted .DICOM
In attachment, you will find a sample of the encrypted, original file and the readme file.


All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:

----------------------------------------------------------------------------------------

| 1. Download Tor browser - https://www.torproject.org/ and install it.

| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
               
| 3. Follow the instructions on this page 

----------------------------------------------------------------------------------------

Note! This link is available via "Tor Browser" only.

------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------

alternate address - http://helpinfh6vj47ift.onion/

GlobeImposter 2.0

 This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • ransomnote_filename: Restore-My-Files.txt
  • custom_rule: victim ID in encrypted file

 


Encrypted-orginal and redme file.zip

3 minutes ago, fekri600 said:

All my files are encrypted .DICOM
In attachment, you will find a sample of the encrypted, original file and the readme file.

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:

----------------------------------------------------------------------------------------

| 1. Download Tor browser - https://www.torproject.org/ and install it.

| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
               
| 3. Follow the instructions on this page 

----------------------------------------------------------------------------------------

Note! This link is available via "Tor Browser" only.

------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------

alternate address - http://helpinfh6vj47ift.onion/

I have the same issue!!

2 hours ago, jomaro said:

They are asking for 0.073 Bitcoin ($800)

 

Anyone done it before?

I just cleaned up my PC by formatting and reinstalling Windows. Luckily this ransomware does not spread to the local network automatically like WannaCry, or it is just hiding inside.. hmm I dunno.

4 hours ago, manlysixpacks said:

or it is just hiding inside.. hmm I dunno.

Different malicious programs can hide in different ways. If you did a reinstall as you said, then it should not remain in the system. But perhaps you have saved some files in which there was an installation or boot file of this malware. 

8 hours ago, fekri600 said:

All my files are encrypted .DICOM

Correction: extension .DOCM

On 6/23/2019 at 6:30 PM, jomaro said:

They are asking for 0.073 Bitcoin ($800)

Anyone done it before?

Please do not contact the criminals yourself. If you feel it necessary to try to negotiate with them, then please have an experienced third party do this for you. There are some companies out there that can do this for you, however CoveWare is the only one I tend to remember.

 

On 6/23/2019 at 9:07 PM, manlysixpacks said:

I just cleaned up my PC by formatting and reinstalling Windows. Luckily this ransomware does not spread to the local network automatically like WannaCry, or it is just hiding inside.. hmm I dunno.

GlobeImposter 2.0 does not take advantage of the EternalBlue exploit, however if you are making sure that your systems are updated then this should not be an issue regardless, as Microsoft quickly patched the vulnerability that the EternalBlue exploit used once it was disclosed.

That being said, if I remember right RDP brute force is usually the source of a GlobeImposter 2.0 infection, which means that an attacker would have directly accessed the system to download and execute the ransomware. Such an attacker would have been able to compromise other computers on the network as well unless they were discovered and stopped in time, especially if the other computers on the network used the same password for the account that the attacker brute forced the password for on the compromised system.


I really hope No More Ransom find a vulnerability in this or something. I tried messaging these lowlives and all they care about is getting paid. 

2 hours ago, SPAAAAACE said:

I tried messaging these lowlives and all they care about is getting paid.

That's one of the reasons why we recommend never contacting the criminals yourself. They don't have any remorse about what they're doing, and they won't feel sorry for you. A company with experience negotiating with such criminals can often get you a lower price for decryption, so it's almost always better to go that route simply for that reason.

The other major reason is that once you're in contact with criminals, they could always try to exploit you further in the future.

45 minutes ago, GT500 said:

That's one of the reasons why we recommend never contacting the criminals yourself. They don't have any remorse about what they're doing, and they won't feel sorry for you. A company with experience negotiating with such criminals can often get you a lower price for decryption, so it's almost always better to go that route simply for that reason.

The other major reason is that once you're in contact with criminals, they could always try to exploit you further in the future.

I see. Thank you. I guess I'll just wait for a decrypter in the future, since I don't plan on cooperating with criminals. 


Hello,

I just got infected with what appears to be GlobeImposter 2.0 according to the ID Ransomware online identifying tool. Now some of my files are encrypted with the .DOCX extension and I haven't been able to find any info on it online, also no one else seems to have the same extension as me (or hasn't posted about it online). I'm using MalwareBytes and hope my system is clean of the ransomware. (Haven't used software from Emsisoft yet).

I have read everything in this thread until now and would ask for a confirmation on two things if possible (which I've bolded to make them easier to spot) - as far as I can understand, the GlobeImposter 2.0 variation is a special one, different than previous versions, which basically means creating a universal decryption tool is impossible, is that correct? Because the information about encryption and keys is stored on their servers. I wanted to know whether I should keep my files while waiting for a decryptor or just delete them to free space. (And also the possibility of police raiding their servers and releasing the keys as GT500 said.) I can always upload one of my encrypted files as well as the .txt notice with instructions if you want me to, just didn't deem it necessary at this point. The notice is similar to the ones posted in this thread.

Also I don't know if this has any connection to me getting infected, but it happened while I was updating my Epic Games launcher. My PC started stuttering and got hot, when I checked to see what's hijacking my CPU memory, it was the Epic Games launcher doing some high-volume updates and it appeared very strange to me, but I didn't stop it... It ran for quite some time and scanned my PC, there was a graph with 3 columns - reading, writing and downloading, with writing and downloading staying at 0%, while reading was very active, at about 150-200 MB/sec. What was it reading at such a fast speed? Could it have been encrypting the files during that time? It didn't seem like a different program was running, it was a tab from the Epic Games Store launcher... I apologize to them if it doesn't have anything to do with their program, but that's what I remember. After I closed it, the "how to decrypt your files" txt files appeared in my folders.

Thank you and all the best.

10 minutes ago, Heartplace said:

Hello,

I just got infected with what appears to be GlobeImposter 2.0 according to the ID Ransomware online identifying tool. Now some of my files are encrypted with the .DOCX extension and I haven't been able to find any info on it online, also no one else seems to have the same extension as me (or hasn't posted about it online). I'm using MalwareBytes and hope my system is clean of the ransomware. (Haven't used software from Emsisoft yet).

I have read everything in this thread until now and would ask for a confirmation on two things if possible (which I've bolded to make them easier to spot) - as far as I can understand, the GlobeImposter 2.0 variation is a special one, different than previous versions, which basically means creating a universal decryption tool is impossible, is that correct? Because the information about encryption and keys is stored on their servers. I wanted to know whether I should keep my files while waiting for a decryptor or just delete them to free space. (And also the possibility of police raiding their servers and releasing the keys as GT500 said.) I can always upload one of my encrypted files as well as the .txt notice with instructions if you want me to, just didn't deem it necessary at this point. The notice is similar to the ones posted in this thread.

Also I don't know if this has any connection to me getting infected, but it happened while I was updating my Epic Games launcher. My PC started stuttering and got hot, when I checked to see what's hijacking my CPU memory, it was the Epic Games launcher doing some high-volume updates and it appeared very strange to me, but I didn't stop it... It ran for quite some time and scanned my PC, there was a graph with 3 columns - reading, writing and downloading, with writing and downloading staying at 0%, while reading was very active, at about 150-200 MB/sec. What was it reading at such a fast speed? Could it have been encrypting the files during that time? It didn't seem like a different program was running, it was a tab from the Epic Games Store launcher... I apologize to them if it doesn't have anything to do with their program, but that's what I remember. After I closed it, the "how to decrypt your files" txt files appeared in my folders.

Thank you and all the best.

I don't think that the Epic Games Store launcher did that, unless it was another program with the same name. It is possible that the encryption was delayed; in my case, after I ran a PUP program it did not start instantly, it started on the next boot of my PC. Either way, I hope you didn't lose anything important.


Yeah I didn't mean to badmouth them, it probably coincided with their update and felt suspicious to me because of the high-volume activity. I can't find anything about it online either, there should have been others infected too, which probably means it wasn't the launcher. I have no idea how this ransomware works and how I got it in my system, I never opened an e-mail attachment or unauthorized programs. 😰 I still hope for a recovery tool at some point in the future. 😰      

5 hours ago, Heartplace said:

Now some of my files are encrypted with the .DOCX extension and I haven't been able to find any info on it online, also no one else seems to have the same extension as me (or hasn't posted about it online).

Have you run it through ID Ransomware yet?
https://id-ransomware.malwarehunterteam.com/

.docx is usually the extension for a Microsoft Word document (at least from Office 2007 onward).

 

5 hours ago, Heartplace said:

Haven't used software from Emisoft yet

You can run a scan with Emsisoft Emergency Kit if you'd like:
http://www.emsisoft.com/en/software/eek/

Keep in mind that most ransomware will delete itself after it finishes encrypting files.

7 hours ago, GT500 said:

Have you run it through ID Ransomware yet?
.docx is usually the extension for a Microsoft Word document (at least from Office 2007 onward).

Yeah, it said it was GlobeImposter 2.0 and that there is currently no decrypting tool available. It's weird that it's .DOCX, I guess that's just a name coincidence, because my real Word documents are encrypted as filename.docx.DOCX (capitalized).

One more thing I wanted to make clear and forgot to say in my previous post is that I didn't have Malwarebytes installed before the infection - I bought a new laptop and started using Windows 10 for the first time. Didn't re-install because I was told the new OS has a built-in anti-virus and decided it was unnecessary. Maybe if I had it on my system prior to the attack it would have stopped it (but the way I wrote it before seemed like I had it all along and it was useless in stopping it, which isn't true).

7 hours ago, GT500 said:

You can run a scan with Emsisoft Emergency Kit if you'd like:
http://www.emsisoft.com/en/software/eek/

Downloading it now, it won't hurt to double check (+ will post the results here later). I've been hesitant to attach my external HDD as I was afraid there might be some ransomware leftovers in my PC that could infect it, so it's good to be sure. 😊 Thanks for your efforts in developing these decryptor apps! But even if it turns out it's impossible to make one, life goes on. I realized I've become too dependent on my PC, perhaps our lives as a whole have become too dependent on the digital stuff that can be easily corrupted and destroyed... Undoubtedly this will have an impact on me and prompt some degree of re-evaluation of my priorities and online security. Like back up the important stuff (photos, documents, etc.) and leave out the trivial that only clutters the computer.

11 hours ago, Heartplace said:

Didn't re-install because I was told the new OS has a built-in anti-virus and decided it was unnecessary.

Yes, many techs believed Microsoft's tall stories about Windows Defender in Windows 10 being all the security anyone would ever need, and despite warnings they insisted on telling everyone to rely on Windows Defender...

 

11 hours ago, Heartplace said:

I've been hesitant to attach my external HDD as I was afraid there might be some ransomware leftovers in my PC that could infect it, so It's good to be sure.

If you want, you can post logs from FRST, and I can take a look at them and see if the scans missed anything. You can find instructions for downloading and running FRST at the following link:
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Note (for users of Emsisoft Anti-Malware): When FRST checks the Windows Firewall settings, Emsisoft Anti-Malware's Behavior Blocker will quarantine it automatically. This can be avoided by clicking "Wait, I think this is safe" in the notification that is displayed while FRST is scanning.


Hi everyone.
Another victim from this ransomware here, thought I would join the conversation and add something that I haven't seen mentioned.
All my files got encrypted and the extensions changed to .docx two days ago. It's a nightmare really...
When I first visited the onion site, I realized that there already was activity in three areas that I understand should be unique to the login of each victim. I mean, the code in the ransom note should be unique to each person if these people are to have any control over who is paying and who is not, who gets the decrypter and who doesn't, and it should also be unique so that the decrypter is not able to decrypt other victims' files.
Well, the first thing I noticed was that the time counter (there's a two-day counter until the ransom price doubles) was already quite a bit lower than 48 hours left.
Second thing, on the "Free decrypt" tab where you can upload one file to get decrypted for free as a proof, a message said that a file was uploaded and in 12 hours max the decrypted file would be available there for downloading. In fact I later downloaded the decrypted file; it was a txt file from someone, not mine.
And third thing, there's a "Messages" tab for chatting with these people. When I entered the chat, there was already a conversation going on there. A victim was asking questions to the "admin" and saying he doesn't have the money to pay the ransom. The victim's name on the chat is "You". Well, some time later I also wrote a message to the attacker (it also appeared as "You"). That is where I realized that if some other person was in the chat and had uploaded a file for free decrypting, he had to have the same code in his ransom note that I have on mine. The truth is that at that point I was so angry that I wrote another message to the attacker laughing about the shitty system he had set up, where more than one victim has the same decryption code. I told the other victim that if one of us pays, it should work for both of us. I'm from Spain; this other guy is from Portugal, he said. We didn't say our names or give any other personal data, obviously. The attacker at first didn't believe we were two different people; he even said, "it's impossible". When I was thinking we were three people in the chat, we realized some of the messages were from a third victim, from Morocco, as he let us know.
It all seemed like a really bad joke, we had our own darknet party chat for ourselves!
At some point the Portuguese guy said he found a solution for his files and bye. And I reacted saying "Wait! Please help us too". I suppose it must have been one of the shadow copy recovery ways or something like that (which doesn't work for me anyway). At that moment I was logged out of the site. Now when I enter again, the chat is gone, it's empty.
Just wanted to share this, because supposedly, from what I've been reading, each victim's decrypt key should be unique and random, and while there might be many different keys, at least not all of them are.
Something isn't working as it should for these attackers.
I don't know how many victims pay the ransom, but their decryptor might work for some other victims.
Maybe it could be a good idea to post the decryptors somewhere? Or make a database of everyone's ransom note data code used for login?
Hope the experts will find a solution for this thing. Thank you.


@hernandez.pep
 

You need to attach an encrypted file and a ransom note to your new message. We will check it in the database and manually.


There is a separate group of ransomware operators who run GlobeImposter Ransomware and use MS Office file extensions.

In the previous case they used the .DOCM extension (since April 2019); now it is .DOCX.

Apparently such a trick was invented so that the affected user does not immediately notice the encryption.

There are also no free tools for decrypting files of this variant. Paid tools are available only from the extortionists.

Here on the forum there are several topics with the same case with the .DOCM extension. It is the same variant, only with a modified extension. The researchers have all the samples, but nothing helps.


Actually I found out why my PCs got this ransomware, so ashamed -_- it was from a keygen for software I wanted to patch illegally; once I ran it (it required turning off Windows Defender), GlobeImposter infected my PC right then.

8 hours ago, manlysixpacks said:

this was from a keygen for a software

Most ransomware gets into the computer this way. But some are configured not to launch the encryptor on the PCs of users in certain countries. GlobeImposter seems to have no such limits and attacks PC users from all countries.


A malicious program can leave Trojans and stealers of personal information on your PC after it has done its work.

Ransomware is built to cause the most harm and can work secretly for a long time.

Check your PC with Emsisoft Emergency Kit to rule out re-encryption:
http://www.emsisoft.com/en/software/eek/

Just do not select the option to delete files in quarantine, so that experts can see the result later.


Use the decrypter for GetCrypt, it worked for me, although some files were damaged after decryption.

It will search for the key.

https://www.emsisoft.com/decrypter/download/getcrypt

saved log:

Starting...

File: C:\Users\PRAS\Pictures\advertenties\50740892_1192581400909938_3054570493123231744_n.jpg.DOCM
Decrypted: C:\Users\PRAS\Pictures\advertenties\50740892_1192581400909938_3054570493123231744_n.jpg

File: C:\Users\PRAS\Pictures\advertenties\51019854_1192581337576611_1995716756642988032_n.jpg.DOCM
Decrypted: C:\Users\PRAS\Pictures\advertenties\51019854_1192581337576611_1995716756642988032_n.jpg

File: C:\Users\PRAS\Pictures\advertenties\51041771_1192581120909966_3417074155336499200_n.jpg.DOCM
Decrypted: C:\Users\PRAS\Pictures\advertenties\51041771_1192581120909966_3417074155336499200_n.jpg

 

Finished!

 

35 minutes ago, Pras said:

Use the decrypter for GetCrypt, it worked for me, although some files were damaged after decryption.

It will search for the key.

https://www.emsisoft.com/decrypter/download/getcrypt

saved log:

Starting...

File: C:\Users\PRAS\Pictures\advertenties\50740892_1192581400909938_3054570493123231744_n.jpg.DOCM
Decrypted: C:\Users\PRAS\Pictures\advertenties\50740892_1192581400909938_3054570493123231744_n.jpg

File: C:\Users\PRAS\Pictures\advertenties\51019854_1192581337576611_1995716756642988032_n.jpg.DOCM
Decrypted: C:\Users\PRAS\Pictures\advertenties\51019854_1192581337576611_1995716756642988032_n.jpg

File: C:\Users\PRAS\Pictures\advertenties\51041771_1192581120909966_3417074155336499200_n.jpg.DOCM
Decrypted: C:\Users\PRAS\Pictures\advertenties\51041771_1192581120909966_3417074155336499200_n.jpg

 

Finished!

 

This dude might be onto something. Is this something that could help?

6 hours ago, Pras said:

Use the decrypter for GetCrypt, it worked for me, although some files were damaged after decryption.

GetCrypt isn't GlobeImposter 2.0. The decrypter for GetCrypt will not decrypt files encrypted by GlobeImposter 2.0. You experienced file corruption due to this fact.

3 hours ago, GT500 said:

GetCrypt isn't GlobeImposter 2.0. The decrypter for GetCrypt will not decrypt files encrypted by GlobeImposter 2.0. You experienced file corruption due to this fact.

Only .mp3 and some .docx files are decrypted successfully and work correctly. All the other extension data is corrupted and still cannot be opened after decryption.


He is almost correct. The only type of file that GetCrypt managed to decrypt (kind of) for me are mp3s. They work but there are skips within them every second. I can hear what they were but they're not the same as before. Please tell me this can help things along somehow?


Mind sharing some of these encrypted MP3s that are supposedly "decrypted"? I have an idea as to what is going on, and it's not actually decryption...


Yep, as I suspected. The files are corrupted.

What's going on is the MP3 format is likely a little bit tolerant of some data loss. GlobeImposter 2.0 does not encrypt the whole file, only like the first few MB I believe. If you were to simply remove the ".DOCM" extension from the file, you would get the exact same result.

GetCrypt Ransomware uses a random 4-character uppercase extension, so that's the only reason the decrypter is fooled into "accepting" your file pair. Due to the way I am breaking that ransomware, the tool also cannot actually verify whether the decryption was successful, it just has to blindly throw the crypto at the file.

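The point made above is that the MP3s were never decrypted: GlobeImposter 2.0 is described as encrypting only the first few MB of each file, and the MP3 format happens to tolerate a damaged head. A responder with an original/encrypted pair can measure this directly rather than guessing from whether a player opens the file. The Python script below is an added example, not code from this thread or from any Emsisoft tool. It builds a constructed MP3-like sample whose first 4096 bytes are scrambled and which has a 64-byte marker appended (that layout is an assumption for illustration, not a description of the real GlobeImposter 2.0 file format), then reports which byte range changed, how much of the tail survived, the entropy of head versus tail, and what fraction of the original a rename-only "decryption" actually recovers.

```python
import math
import random
from collections import Counter

CHUNK = 4096  # assumed prefix length for the constructed sample, not GlobeImposter's real value


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: near 0 for constant data, near 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def modified_span(original: bytes, encrypted: bytes):
    """Smallest (first, end) such that every byte differing between the two
    files, within the region they overlap, lies in original[first:end].
    Returns (None, 0) when the overlap is byte-for-byte identical."""
    overlap = min(len(original), len(encrypted))
    first, end = None, 0
    for i in range(overlap):
        if original[i] != encrypted[i]:
            if first is None:
                first = i
            end = i + 1
    return first, end


def partial_encryption_report(original: bytes, encrypted: bytes, chunk: int = CHUNK) -> dict:
    """Report how much of the original survives unchanged inside the encrypted copy."""
    overlap = min(len(original), len(encrypted))
    first, end = modified_span(original, encrypted)
    return {
        "original_size": len(original),
        "encrypted_size": len(encrypted),
        # bytes the ransomware appended beyond the original's length (e.g. a victim marker)
        "trailer_bytes": max(0, len(encrypted) - len(original)),
        "first_modified_offset": first,
        "modified_region_end": end,
        "unchanged_tail_bytes": overlap - end,
        # high head entropy plus low tail entropy is the signature of prefix-only encryption
        "head_entropy": round(shannon_entropy(encrypted[:chunk]), 3),
        "tail_entropy": round(shannon_entropy(encrypted[end:overlap][:chunk]), 3),
    }


def recovered_fraction(original: bytes, candidate: bytes) -> float:
    """Fraction of the original's bytes that a candidate recovery reproduces at the
    same offset. Merely renaming the encrypted file scores exactly the fraction the
    ransomware left untouched; a genuine decryptor should score 1.0."""
    if not original:
        return 1.0
    matched = sum(1 for a, b in zip(original, candidate) if a == b)
    return matched / len(original)


def build_sample_pair():
    """Constructed test data (an assumption, not a real capture): an MP3-like file
    whose first 4096 bytes have been XORed with a nonzero keystream and a 64-byte
    marker appended; everything after the prefix is left exactly as it was."""
    original = b"ID3\x03\x00" + (b"\xff\xfb\x90\x00" + b"\x00" * 412) * 24  # 9989 bytes
    rng = random.Random(7)
    keystream = bytes(rng.randrange(1, 256) for _ in range(CHUNK))  # never 0, so every prefix byte changes
    head = bytes(a ^ k for a, k in zip(original[:CHUNK], keystream))
    trailer = b"CONSTRUCTED-VICTIM-ID-MARKER".ljust(64, b"-")
    return original, head + original[CHUNK:] + trailer


if __name__ == "__main__":
    orig, enc = build_sample_pair()
    for key, value in partial_encryption_report(orig, enc).items():
        print(f"{key:>22}: {value}")
    # "Decrypting" by just dropping the extension leaves the encrypted head in place.
    print(f"rename-only recovery: {recovered_fraction(orig, enc):.3f}")
```

On a real pair, replace `build_sample_pair()` with the bytes of the untouched file and its encrypted twin; `modified_region_end` tells you how far the encryption reached, and `recovered_fraction` run against the output of any tool you try shows whether that tool did more than a rename.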

I opened a ticket with Kaspersky support… after giving them all the information and 4 different files of the encrypted & original files… they gave me this response:

Our Malware analysts have informed us that the files have been encrypted by a modification of Trojan-Ransom.Win32.Purgen

Unfortunately, they cannot decrypt files encrypted by this malware variant presently.

 

We always suggest to keep a backup of those files (which you seem to have), as in the future, a tool might be released once the encryption algorithm is broken or even released by the criminals, as this has been the case sometimes.

 

Apologies for not being able to assist any further.

6 hours ago, fekri600 said:

Trojan-Ransom.Win32.Purgen

This is GlobeImposter. Simply put, the analysts from Kaspersky Lab who research the samples like to joke and give informal names.

23 hours ago, fekri600 said:

Trojan-Ransom.Win32.Purgen

It's not abnormal for different companies to give different names to the same malware.


This is a special case. At first there was Globe Ransomware, which in its first versions used the .purge extension and was first known as Purge Ransomware. Later the .globe extension and the name Globe Ransomware began to be used, for which Kaspersky analysts used the word "Purga" - the full name being Trojan-Ransom.Win32.Purga. The word "purga" in Russian means snowstorm.

Then another group of extortionists launched an imitator of Globe Ransomware, which the researchers called GlobeImposter. It was this one that Kaspersky analysts called 'Purgen' (from the name of a well-known laxative). 😄

The extortionists themselves did not use this name until recently. I have seen the word GlobeImposter-2 in notes only a few times.

11 minutes ago, R.K said:

Those ransomware felons must be EXECUTED to DEATHS. ☠️

If you'd like to see the criminals prosecuted, then note that the more reports about this ransomware the authorities receive, the more reason they have to track them down. There's information about how to report ransomware incidents to law enforcement in a number of different countries at the following link:
https://www.nomoreransom.org/en/report-a-crime.html

22 hours ago, R.K said:

What about use the ransomware felons' Bitcoin addresses & trails to track them down?

You can't track someone with Bitcoins. You can track Bitcoins moving to and from wallets, and if someone sells Bitcoins through a service that would be willing to provide information to police upon request then that can be tracked as well, however Bitcoin was originally designed to be anonymous and thus lacks any means to determine who owns/controls a specific Bitcoin wallet. The creators hoped to make a decentralized currency that was impossible for government to regulate (and impossible to tax). Sadly whenever someone comes up with a way to help people maintain better privacy and security, criminals generally come along and abuse the technology for their own nefarious purposes.

As for other tracks or evidence, a lot of ransomware these days is being distributed by criminal organizations, which seem to be rather good at covering their tracks. Even some individuals who made ransomware on their own were good at keeping their real identities hidden, and have never been caught.

There's also the matter of jurisdiction. Ransomware generally affects people in more than one country, and if the law enforcement in the country the criminals are based in doesn't care then nothing will happen to them. There are also a number of cases where a ransomware won't infect computers in the country its creators lived in, which more than likely reduces the likelihood of their law enforcement going after them.
