sonar_avalon

Infected servers - probably GlobeImposter 2.0

Last Thursday our network was hit by what ID Ransomware has flagged as GlobeImposter 2.0. Essentially almost all of our Virtual Machines are now encrypted and will not load into Hyper-V on our two main controlling servers. We have managed to retrieve some data from 3 Virtuals, but nothing from either of the main servers. We have gone through the companies that say they can restore, but the fees range anywhere from 5-40K US Dollars. They also appear to be working hand in hand with the initial criminals in that they offer to "reduce" the ransom but also take a profit from it. The ransom letter demanded 3 BTC, which is about 10-11K US Dollars right now. Everything I have read has told me there is no decryptor for this, but I still need to ask if anyone has any suggestions or any helpful insights on this. We are looking at a pretty severe loss of intellectual property, and as a small business (3 people), this could very well put us out of business. I have included the files created by both the Farbar tool and the EEK tool, along with the original ransom note that was found on the server.

Any help anyone can provide would be very greatly appreciated.

Addition.txt

FRST.txt

scan_190129-074556.txt

how_to_back_files.html

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.

That's almost certainly GlobeImposter 2.0 then. Unfortunately there's no known way to decrypt files that have been encrypted by GlobeImposter 2.0 without first obtaining the private key from the criminals who made/distributed the ransomware.

Yup. Have come to that conclusion myself. I have some feelers out there with Ex-Military security folks I know to get their opinions also. If they can help or come up with anything of value I will be sure to update the community and let you know as well. Thx for the time.

Unless they can find a way into the Command and Control servers used by the ransomware and liberate the database of keys, then I doubt there's much they could do. More than likely law enforcement agencies are already working with computer security companies to do that, and if there's a way into those servers they'll find it eventually.

I advise you not to pay a cent; they will blackmail you. We had the same issue. Thank God we had a backup, so there was minor damage, and we did not pay a cent. Do you know how they got into your servers? Was it by RDP brute force?

If the servers were infected via RDP, then here are some steps for getting started dealing with it:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters, and that they be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and it stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary, then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

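As an added example (not code from the thread or from GT500), here is a PowerShell script that carries out the RDP-specific parts of the steps above on a Windows host: it lists every enabled inbound firewall rule that allows RDP (3389) or SMB (445) from any remote address, disables those rules and adds one scoped to the VPN subnet, turns on Network Level Authentication for RDP, and counts failed-logon events (Security event 4625) per source IP so you can see whether the server was being brute-forced. The subnet 10.8.0.0/24, the 24-hour window and the threshold of 20 failures are assumptions; run it in an elevated PowerShell on the affected server itself (the Hyper-V host in the OP's case), not inside a guest that no longer boots.

```powershell
# Added example, not from the thread. Run elevated on the affected Windows server.
# Assumed value: the subnet your VPN assigns to remote users.
$VpnSubnet = '10.8.0.0/24'

# 1. Enabled inbound allow rules that expose RDP or SMB to "Any" remote address.
#    These are the globally open ports the post says to close first.
function Get-ExposedServiceRules {
    $watchPorts = @('3389', '445')
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule       = $_
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        $localPorts = @($portFilter.LocalPort)
        $exposed    = $localPorts | Where-Object { $watchPorts -contains $_ }
        if ($exposed -and ($addrFilter.RemoteAddress -contains 'Any')) {
            [pscustomobject]@{
                Name       = $rule.Name
                Display    = $rule.DisplayName
                Profile    = $rule.Profile
                LocalPort  = ($localPorts -join ',')
                RemoteAddr = (@($addrFilter.RemoteAddress) -join ',')
            }
        }
    }
}

# 2. Disable the exposed rules and allow RDP only from the VPN subnet.
#    Run this only after the VPN is in place, or you lock yourself out.
function Set-RdpVpnOnlyAccess {
    param([Parameter(Mandatory)][string]$Subnet)
    Get-ExposedServiceRules | ForEach-Object { Disable-NetFirewallRule -Name $_.Name }
    New-NetFirewallRule -DisplayName 'RDP from VPN only' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $Subnet -Profile Any
}

# 3. Require Network Level Authentication so a client must authenticate before
#    it gets a session (reduces exposure of the RDP stack to unauthenticated peers).
function Enable-RdpNla {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $key -Name 'UserAuthentication' -Value 1 -Type DWord
}

# 4. Failed logons (4625) grouped by source IP. Logon type 10 is a classic RDP
#    logon; with NLA enabled, RDP failures are recorded as type 3 (network), so
#    both are kept. A "-" source means the failure was local.
function Get-FailedLogonSources {
    param([int]$Hours = 24, [int]$Threshold = 20)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            LogonType = $data['LogonType']
            SourceIp  = $data['IpAddress']
        }
    } |
    Where-Object { $_.LogonType -in @('3', '10') } |
    Group-Object SourceIp |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count,
                  @{ n = 'Accounts'; e = { ($_.Group.User | Sort-Object -Unique) -join ',' } }
}

# Usage: look before you change anything.
Get-ExposedServiceRules    | Format-Table -AutoSize
Get-FailedLogonSources -Hours 72 | Format-Table -AutoSize
# Then, once the VPN works:
# Set-RdpVpnOnlyAccess -Subnet $VpnSubnet
# Enable-RdpNla
```

Two caveats a responder should keep in mind: if the attacker cleared the Security log (common in hand-operated ransomware intrusions) the 4625 counts will be empty and the evidence has to come from the firewall or VPN gateway logs instead, and a long list of distinct account names against one source IP is the usual signature of a password-spraying tool rather than a single user mistyping a password.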

GT500,

Thanks for all the intel on this one. Our security is going to be beefed up considerably once we get over the hump here. I have files that are currently decrypting because our insurance paid a portion of the ransom. I am unsure if this is a global fix (yet), but it seems it might be. I am currently working through 4 machines with a fifth to start later today. When those are complete I can upload what was sent to me at a secure site of your choosing.

7 hours ago, sonar_avalon said:

When those are complete I can upload what was sent to me at a secure site of your choosing. 

If the files are small enough (I think the attachment limit may be 100 MB) then you can send me a private message here and attach the files to the message. Otherwise feel free to use any file sharing service you like, and bundle the files in an encrypted archive (ZIP, RAR, and 7z are all fine), then send me the password and download link in a private message.

Note: Don't upload anything you want to keep confidential to VirusTotal. Anyone willing to pay the fees can download from them.
