Andre M

Decrypter for variation of GlobeImposter 2.0


13 hours ago, R.K said:

Why is GlobeImposter 2.0 undecryptable…?

It uses a secure form of encryption.

On 10/17/2018 at 11:50 AM, abond21 said:

Hi. Don't know where to upload files, please move elsewhere if needed.

We've faced a big ransomware attack, using, seems to be, GlobeImposter 2.0. Surely nothing did help, so had to pay the hackers. Got the decryptor from them. Posting it here, in case it will help to move closer to universal decryptor... Archive contains the html message with ID, and the decryptor itself.

Decoder.zip

How can I download this decoder?

5 hours ago, MilesGibson said:

How can I download this decoder?

You can't. It wouldn't work for you anyway.

If there was anything in that decrypter that could help someone other than the person who paid for it, then we would have used that information to make a free decrypter for everyone.


After a few months of getting my files encrypted, I tried their "free" decryption tool on a small file and it didn't work. The message was "Careerd5d7856a-3ManualSave.DOCM - this is not a crypted file! upload the crypted file."

 

Nice work, not recognizing their own encryption.

 

 


It's possible the file is corrupt or damaged in some way that might prevent their free decryption from working.

12 hours ago, CyrusKhan said:

Please post the decrypter again, the link is dead.

It was never live. It wouldn't help you recover your files anyway.

On 6/28/2019 at 5:54 PM, GT500 said:

They don't have any remorse about what they're doing, and they won't feel sorry for you.

Those cyber-terrorists never regret, they are so getting EXECUTED to DEATHS☠️.
I'm losing my patience.

18 hours ago, R.K said:

I'm losing my patience.

Just be sure to keep your actions legal. There's no need to attract the attention of law enforcement while they're investigating the criminals. ;)

On 12/10/2019 at 8:28 PM, GT500 said:

There's no need to attract the attention of law enforcement while they're investigating the criminals. ;)

Are they international...? What kind are they...? They're delaying.

4 hours ago, R.K said:

Are they international...? What kind are they...? They're delaying.

Those making and/or distributing ransomware are usually international criminals, so law enforcement agencies in multiple different nations usually have to cooperate with each other on investigation, as well as overcoming any jurisdictional issues they may encounter along the way. It can take many months, and in some cases years, to track down the criminals and actually arrest them. In some cases the criminals turn out to be in countries where the law enforcement simply doesn't care as long as the ransomware didn't affect any of their own citizens or local businesses, and they don't arrest the criminals even if their identities are known.

14 hours ago, GT500 said:

In some cases the criminals turn out to be in countries where the law enforcement simply doesn't care as long as the ransomware didn't affect any of their own citizens or local businesses, and they don't arrest the criminals even if their identities are known.

If they're careless and not real law enforcement, they must be fired.

9 hours ago, R.K said:

If they're careless and not real law enforcement, they must be fired.

International crimes can be difficult for law enforcement agencies. If someone commits a crime in one country, but lives in another, law enforcement in the country they live in usually has no legal reason to arrest and prosecute them. Law enforcement from the country the crime was committed in can't simply cross the border and arrest the criminal, as doing so would be illegal in the other country (it would more than likely be treated like kidnapping). If the country the crime was committed in has no treaty regarding the extradition of criminals with the country the criminals live in, then there's usually nothing they can do unless they can supply evidence that the criminals are also committing crimes in the country they live in.

On 12/20/2019 at 12:17 AM, R.K said:

What about using IP addresses to find those ransomware criminals?

They use VPNs, proxies, Tor, etc. to hide their real IP address and real location.


Has anyone seen ransomware that uses the .bajonx file extension? When I uploaded the ransom note and the two encrypted files, the ID said it was GlobeImposter 2.0. But I haven't read anything from anyone mentioning the file extension that I've been infected with. Any help, suggestions, anything, would be greatly appreciated.

6 hours ago, Fett782 said:

Has anyone seen ransomware that uses the .bajonx file extension?

It looks like there may be 2 ransomwares using this extension right now, and GlobeImposter 2.0 does appear to be one of them. Do the encrypted files all have names that end in .[[email protected]].bajonx?

17 hours ago, Fett782 said:

What is the other ransomware that is using this extension?

Maoloa, however I suspect that may be a false positive.


ID Ransomware is very accurate at determining Maoloa vs. GlobeImposter 2.0 in most cases; they both have very unique ways of representing the victim's ID in the ransom note and in the encrypted file.

In several cases, however, victims have been uploading an encrypted file from GlobeImposter 2.0 with a ransom note from Maoloa, or vice versa; this means they were hit by both. This can confuse the results, and there's not much I can do about that.

On 1/20/2020 at 6:34 PM, Fett782 said:

Has anyone seen ransomware that uses the .bajonx file extension? When I uploaded the ransom note and the two encrypted files, the ID said it was GlobeImposter 2.0. But I haven't read anything from anyone mentioning the file extension that I've been infected with. Any help, suggestions, anything, would be greatly appreciated.

Doesn't matter. Many ransomware (especially Maoloa and GlobeImposter 2.0) use dozens upon dozens of extensions; they are sold as a kit for criminals to distribute on their own, so they can specify whatever extension they want (among other things like the ransom note).

If you give us the URL after submitting the files to ID Ransomware, it gives us a hash we can use to look up your files on the backend and confirm.
