
Decrypter for variation of GlobeImposter 2.0


Recommended Posts

  • 2 weeks later...
On 10/17/2018 at 11:50 AM, abond21 said:

Hi. Don't know where to upload files, please move elswhere if needed.

We've faced a big ransomware attack, using what seems to be GlobeImposter 2.0. Surely nothing helped, so we had to pay the hackers. Got the decryptor from them. Posting it here, in case it will help to move closer to a universal decryptor... The archive contains the HTML message with the ID, and the decryptor itself.

Decoder.zip

How can I download this decoder?

5 hours ago, MilesGibson said:

How can I download this decoder?

You can't. It wouldn't work for you anyway.

If there was anything in that decrypter that could help someone other than the person who paid for it, then we would have used that information to make a free decrypter for everyone.


After a few months of getting my files encrypted, I tried their "free" decryption tool on a small file and it didn't work. The message was "Careerd5d7856a-3ManualSave.DOCM - this is not a crypted file! upload the crypted file."

Nice work, not recognizing their own encryption.

  • 4 weeks later...
4 hours ago, R.K said:

Are they international...? What kind are they...? They're delaying.

Those making and/or distributing ransomware are usually international criminals, so law enforcement agencies in multiple different nations usually have to cooperate with each other on the investigation, as well as overcoming any jurisdictional issues they may encounter along the way. It can take many months, and in some cases years, to track down the criminals and actually arrest them. In some cases the criminals turn out to be in countries where law enforcement simply doesn't care as long as the ransomware didn't affect any of their own citizens or local businesses, and they don't arrest the criminals even if their identities are known.

14 hours ago, GT500 said:

In some cases the criminals turn out to be in countries where law enforcement simply doesn't care as long as the ransomware didn't affect any of their own citizens or local businesses, and they don't arrest the criminals even if their identities are known.

If they're careless and not real law enforcement, they must be fired.

9 hours ago, R.K said:

If they're careless and not real law enforcement, they must be fired.

International crimes can be difficult for law enforcement agencies. If someone commits a crime in one country, but lives in another, law enforcement in the country they live in usually has no legal reason to arrest and prosecute them. Law enforcement from the country the crime was committed in can't simply cross the border and arrest the criminal, as doing so would be illegal in the other country (it would more than likely be treated like kidnapping). If the country the crime was committed in has no treaty regarding the extradition of criminals with the country the criminals live in, then there's usually nothing they can do unless they can supply evidence that the criminals are also committing crimes in the country they live in.

  • 5 weeks later...

Has anyone seen ransomware that uses the .bajonx file extension? When I uploaded the ransom note and the two encrypted files, the ID said it was GlobeImposter 2.0. But I haven't read anything from anyone mentioning the file extension that I've been infected with. Any help, suggestions, anything, would be greatly appreciated.

6 hours ago, Fett782 said:

Has anyone seen ransomware that uses the .bajonx file extension?

It looks like there may be 2 ransomwares using this extension right now, and GlobeImposter 2.0 does appear to be one of them. Do the encrypted files all have names that end in .[[email protected]].bajonx?


ID Ransomware is very accurate on determining between Maoloa vs .GlobeImposter 2.0 in most cases; they both have very unique ways of representing the victim's ID in the ransom note and in the encrypted file.

In several cases, however, victims have been uploading an encrypted file from GlobeImposter 2.0 with a ransom note from Maoloa, or vice versa; this means they were hit by both. This can confuse the results, and there's not much I can do about that.

On 1/20/2020 at 6:34 PM, Fett782 said:

Has anyone seen ransomware that uses the .bajonx file extension? When I uploaded the ransom note and the two encrypted files, the ID said it was GlobeImposter 2.0. But I haven't read anything from anyone mentioning the file extension that I've been infected with. Any help, suggestions, anything, would be greatly appreciated.

Doesn't matter. Many ransomware families (especially Maoloa and GlobeImposter 2.0) use dozens upon dozens of extensions; they are sold as a kit for criminals to distribute on their own, so they can specify whatever extension they want (among other things, like the ransom note).

If you give us the URL after submitting the files to ID Ransomware, it gives us a hash we can use to lookup your files on the backend and confirm.

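The two posts above make the point that the appended extension is chosen by whoever bought the kit, while the victim ID and the contact e-mail embedded in the file name and note are what actually identify the family. Before submitting anything to ID Ransomware it helps to inventory exactly those markers across the affected share. The script below is an added example written for this page, not code from the thread, from Emsisoft or from ID Ransomware; it assumes only the two name layouts seen in this thread (`name.[e-mail].ext` and `name.ext`), and the sample listing, e-mail address and note file name are constructed placeholders.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Two name layouts appear in this thread:
#   <original name>.[<contact e-mail>].<ext>    e.g. report.docx.[mail].bajonx
#   <original name>.<ext>                        e.g. report.pdf.CñÑ
# The final extension may be non-ASCII and may contain '-' (Globeimposter-Alpha865qqz),
# so it is matched as "anything but a dot or whitespace".
MARKER_RE = re.compile(
    r"^(?P<orig>.+?)"                 # original file name, shortest possible
    r"(?:\.\[(?P<email>[^\]]+)\])?"   # optional ".[e-mail]" block
    r"\.(?P<ext>[^.\s]+)$"            # appended extension, no dots inside
)


def split_marker(name: str) -> Optional[Tuple[str, Optional[str], str]]:
    """(original name, contact e-mail or None, final extension), or None if no '.'."""
    m = MARKER_RE.match(name)
    return None if m is None else (m.group("orig"), m.group("email"), m.group("ext"))


def inventory(names: Iterable[str]) -> Dict[str, Tuple[int, List[str]]]:
    """Per final extension: (file count, sorted contact e-mails seen with it)."""
    counts: Dict[str, int] = defaultdict(int)
    emails: Dict[str, Set[str]] = defaultdict(set)
    for name in names:
        parts = split_marker(name)
        if parts is None:
            continue
        _, email, ext = parts
        counts[ext] += 1
        if email:
            emails[ext].add(email)
    return {ext: (counts[ext], sorted(emails[ext])) for ext in counts}


def rank_markers(names: Iterable[str]) -> List[str]:
    """Extensions by descending frequency. On an encrypted share the ransomware's
    marker dominates, and it is the one that carries an e-mail; ordinary document
    extensions only survive on files the malware skipped (ransom notes, tiny files)."""
    inv = inventory(names)
    return sorted(inv, key=lambda ext: (-inv[ext][0], ext))


def pair_with_backups(names: Iterable[str], backups: Set[str], ext: str) -> List[Tuple[str, str]]:
    """Match encrypted files carrying `ext` to an unencrypted copy with the original
    name: the plaintext/ciphertext pairs you would keep alongside the ransom note."""
    pairs = []
    for name in names:
        parts = split_marker(name)
        if parts and parts[2] == ext and parts[0] in backups:
            pairs.append((name, parts[0]))
    return pairs


# Constructed sample listing (not taken from any real incident); the e-mail is a
# placeholder and the note file name is invented for the example.
SAMPLE_NAMES = [
    "Q3-report.docx.[contact@example.com].bajonx",
    "budget.xlsx.[contact@example.com].bajonx",
    "photo.jpg.[contact@example.com].bajonx",
    "ransom_note.html",
    "notes.txt",
    "invoice.pdf.CñÑ",
]
SAMPLE_BACKUPS = {"Q3-report.docx", "budget.xlsx", "old-photo.jpg"}

if __name__ == "__main__":
    inv = inventory(SAMPLE_NAMES)
    for ext in rank_markers(SAMPLE_NAMES):
        count, mails = inv[ext]
        print(f"{ext:12s} {count:4d}  {', '.join(mails) or '-'}")
    print(pair_with_backups(SAMPLE_NAMES, SAMPLE_BACKUPS, "bajonx"))
```

Run it against a directory listing (`os.listdir` or a `dir /b` dump) rather than the sample list; the extension at the top of the ranking, together with the e-mail it carries, is what to quote when asking for help, and `pair_with_backups` gives you the matched encrypted/original pairs without guessing at names by hand.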
  • 1 month later...

Hi,

I am a french user and I have been infected by GlobeImposter 2.

I have a pair of files: one is encrypted and the other is not encrypted (naturally it is exactly the same file).

Do you think it is possible to find a solution to decrypt the files?

Regards.

Pierre

  • 2 weeks later...
49 minutes ago, R.K said:

not accessible, “Location is not available”, “The file or directory is corrupted and unreadable”

This could be filesystem corruption, or file permissions. Have you tried checking the disk for errors?

  • 2 weeks later...

We are dealing with the "[email protected]" ransomware and I found an odd file in the "public" user directory that is timestamped at the same time the files were encrypted, but it has no extension, only a file name. It starts with a string of alphanumeric characters strung together, then below has a block of alphanumeric characters formatted in a pattern of 16 rows of 2 characters by 16 columns of characters.
Is it possible that the encryption tool was designed to leave the decryption key in a random, extension-less file on the encrypted drive?

16 hours ago, DeathToSmoochie said:

Is it possible that the encryption tool was designed to leave the decryption key in a random, extension-less file on the encrypted drive?

I've already replied to your private message, but I'll go ahead and answer here as well in case anyone else reads this.

From the e-mail address this appears to be GlobeImposter 2.0, which doesn't leave private keys (required for decryption) on infected computers. It's possible that it may be a public key (used for encryption); however, this isn't helpful in figuring out a way to decrypt files.

  • 2 months later...
6 hours ago, SPAAAAACE said:

Question: Will this thread be updated, if this particular ransomware got a decryptor?

More than likely not. There are too many threads about this ransomware to keep track of, or to be able to reply to all of them.

Our recommendation is to keep an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters:
https://www.bleepingcomputer.com/

If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news:
https://www.bleepingcomputer.com/feed/

  • 2 months later...

We were attacked by what appears to be a variant of GlobeImposter, but we are not sure. The files are encrypted and all have a .CñÑ extension on them. Is there somewhere that I can send these files to understand the encryption that was used, to see if there is an available decryptor for this format? Is this something that Emsisoft could assist with, or if not, do they need the file for further investigation?

9 hours ago, Jesse said:

Is there somewhere that I can send these files to understand the encryption that was used, to see if there is an available decryptor for this format?

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.


9 hours ago, Jesse said:

Is this something that Emsisoft could assist with, or if not, do they need the file for further investigation?

I can give you any available information I have once the ransomware has been positively identified. If you're representing a business and need more in-depth support than I can provide, then we do have a paid ransomware consultation service (note that decryption is not guaranteed).

  • 2 months later...

A while ago my company fell victim to ransomware. We had no choice but to pay the ransom. The hacker sent us the decoder, but a large file, unfortunately the most important one, as it was a SQL database with a size of 10 gigabytes, cannot be decrypted. It shows a message that there is not enough RAM, but we ran it on a computer with 16 GB of memory and nothing happened. The ending of the file is Globeimposter-Alpha865qqz, but as far as I know it does not belong to the GlobeImposter family but to Maoloa. Does anyone have any idea how we can decrypt our file?

9 hours ago, Black Mamba said:

A while ago my company fell victim to ransomware. We had no choice but to pay the ransom. The hacker sent us the decoder, but a large file, unfortunately the most important one, as it was a SQL database with a size of 10 gigabytes, cannot be decrypted. It shows a message that there is not enough RAM, but we ran it on a computer with 16 GB of memory and nothing happened. The ending of the file is Globeimposter-Alpha865qqz, but as far as I know it does not belong to the GlobeImposter family but to Maoloa. Does anyone have any idea how we can decrypt our file?

If this is for a company then it would be best to inquire about our ransomware remediation service. Here on the forums we mostly just provide support for our free decrypters, and I'm pretty sure no one ever made free decrypters for those ransomware families.

