Bright K

.DOCM ransomware infected my laptop


All files on my PC all of a sudden just changed extension to .DOCM and can't be opened.

I understand it's a ransomware thing and the files have been encrypted by the malware.

Please help.

Below is the content of the ransom file:


All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:

----------------------------------------------------------------------------------------

| 1. Download Tor browser - https://www.torproject.org/ and install it.

| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
               
| 3. Follow the instructions on this page 

----------------------------------------------------------------------------------------

Note! This link is available via "Tor Browser" only.

------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------

alternate address - http://helpinfh6vj47ift.onion/


DO NOT CHANGE DATA BELOW


To identify this ransomware you can use the service ID Ransomware.
It will give you a link to the support topic on the BleepingComputer forum.

This may be GlobeImposter-2 Ransomware, but it may be different. There are now imitators of it. But, unfortunately, there are no free ways to decrypt files after GlobeImposter-2.


Imitators can also fool the service ID Ransomware, so regardless of the results that you get on the site ID Ransomware, do the following...

I need to see the original ransom note html-file. Please archive it without a password and attach it to your message. Do not attach it to the message without the archive, otherwise the file will be changed.

Also place in another archive and attach several encrypted files to the message (jpg, png, doc, txt).

If their size is larger than the allowed attachment, then upload this archive to www.sendspace.com and give us a link to download.


To archive (a.k.a. ZIP) a file, simply right-click on it, go to Send to, and select Compressed (zipped) folder. Alternatively you can use 7-Zip, WinRAR, WinZip, or any other archive manager you prefer. We can open most popular archive formats (7z, RAR, ZIP, etc.).


Two days ago, the same thing happened to me. I followed their instructions and ended up negotiating about the amount of money for decrypting. $400 is a huge amount in Bosnia and the biggest trouble is the locked pictures of my daughter 😞. What do you suggest to do? Thankful in advance.


@MitarX

To identify this ransomware you can use the service ID Ransomware.
It will give you a link to the support topic on the BleepingComputer forum.

This may be GlobeImposter-2 Ransomware, but it may be different. There are now imitators of it. But, unfortunately, there are no free ways to decrypt files after GlobeImposter-2.

I need to see the original ransom note html-file. Please archive it without a password and attach it to your message. Do not attach it to the message without the archive, otherwise the file will be changed.

If the ransom note file is in the TXT-format, you can simply attach it to the message without archiving.

Also place in another archive and attach several encrypted files to the message (jpg, png, doc, txt).

If their size is larger than the allowed attachment, then upload this archive to www.sendspace.com and give us a link to download.


DCOM ransomware attacked my wife's laptop. The content of the Desktop/Documents/Pictures/Music folders was all infected. Each folder has its own ransom file in text format.

Please help me recover the documents and pictures files.

I tried the ID Ransomware by uploading one of the infected or encrypted files and the result is GlobeImposter-2 Ransomware.

2 hours ago, MitarX said:

What do you suggest to do?

If it's GlobeImposter 2.0, then free decryption may not be possible, however I also do not recommend contacting the criminals yourself or paying them yourself. If you absolutely feel you have to pay to get your files back, then have a third-party that has experience negotiating with such criminals contact them for you. There are a few companies that are up-front about the fact that they do this, however CoveWare is the only one I can remember off the top of my head.

1 hour ago, perry65 said:

Please help me recover the documents and pictures files.

Please see the reply I posted for MitarX, as the same will apply for anyone with files encrypted by GlobeImposter 2.0.

7 hours ago, GT500 said:

If it's GlobeImposter 2.0, then free decryption may not be possible, however I also do not recommend contacting the criminals yourself or paying them yourself. If you absolutely feel you have to pay to get your files back, then have a third-party that has experience negotiating with such criminals contact them for you. There are a few companies that are up-front about the fact that they do this, however CoveWare is the only one I can remember off the top of my head.

Thanks for the advice.

On 6/8/2019 at 12:24 AM, MitarX said:

Two days ago, the same thing happened to me. I followed their instructions and ended up negotiating about the amount of money for decrypting. $400 is a huge amount in Bosnia and the biggest trouble is the locked pictures of my daughter 😞. What do you suggest to do? Thankful in advance.

Can you share that software with me? I need it too, I have the same problem.

On 6/8/2019 at 12:30 AM, Amigo-A said:

@MitarX

To identify this ransomware you can use the service ID Ransomware.
It will give you a link to the support topic on the BleepingComputer forum.

This may be GlobeImposter-2 Ransomware, but it may be different. There are now imitators of it. But, unfortunately, there are no free ways to decrypt files after GlobeImposter-2.

I need to see the original ransom note html-file. Please archive it without a password and attach it to your message. Do not attach it to the message without the archive, otherwise the file will be changed.

If the ransom note file is in the TXT-format, you can simply attach it to the message without archiving.

Also place in another archive and attach several encrypted files to the message (jpg, png, doc, txt).

If their size is larger than the allowed attachment, then upload this archive to www.sendspace.com and give us a link to download.

DCOM ransomware attack on my pc today :(

Restore-My-Files.txt 0a8f03d6-ee7d-467a-82c9-cf09a2ff140d.JPG.DOCM 92Y58PIC5NZ (1).jpg.DOCM 92Y58PIC5NZ.jpg.DOCM 44161760_732319223773497_4271328861154705408_n.jpg.DOCM 44389101_10156935510951694_4108470259705446400_n.jpg.DOCM 49596106_743108476074464_8214559458261467136_n.jpg.DOCM download (1).jpg.DOCM download.jpg.DOCM

4 hours ago, khan1 said:

Can you share that software with me? I need it too, I have the same problem.

If you feel that you have to pay to get your files back, then I recommend having a third-party with experience negotiating with criminals like this contact them for you. There are a number of companies that are honest about the fact that they do this, however CoveWare is the only one I can remember off the top of my head.


khan1

This is what is in the updates in my article GlobeImposter Ransomware.
I found several similar variants here and in another forum.
Also, victims sent me samples. Test results: VT + VMR

Perhaps they will help decryption specialists figure out something.

Update June 3, 2019:
Extension: .DOCM
R/n: Restore-My-Files.txt
Email: [email protected]

Tor URL: 
xxxx://decrmbgpvh6kvmti.onion/
xxxx://helpinfh6vj47ift.onion/

Text on alternative site:
If you want to buy a decryptor
send e-mail to [email protected]

There is no free way and no free file decryption tool. Alas.
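As an added example (not code from this thread or from Emsisoft), a small triage helper built around the indicators listed in this update: it walks a directory tree, separates the original extension from the appended .DOCM, and parses any Restore-My-Files.txt note it finds for onion URLs and the ###id### marker. The sample tree, onion address and victim ID are constructed placeholders, not values from the thread.

```python
# Added example (not from the thread or Emsisoft): triage helper for the .DOCM
# variant above. Counts .DOCM-appended files by original type (x.jpg.DOCM -> .jpg)
# and parses Restore-My-Files.txt notes for .onion URLs and the ###id### marker.
import os, re, tempfile
from collections import Counter

RANSOM_EXT = ".DOCM"                # extension appended by this variant (uppercase)
NOTE_NAME = "Restore-My-Files.txt"  # ransom note file name from the thread
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion/?", re.I)
ID_RE = re.compile(r"###([A-Za-z0-9]+)###")

def original_extension(name):
    """Extension hidden under .DOCM ('' if none); None if not renamed.
    Case-sensitive on purpose: legitimate macro-enabled Word files are .docm."""
    if not name.endswith(RANSOM_EXT):
        return None
    return os.path.splitext(name[:-len(RANSOM_EXT)])[1].lower()

def parse_note(text):
    """Onion URLs and the ###id### victim marker found in a ransom note."""
    ids = ID_RE.findall(text)
    return {"onion_urls": ONION_RE.findall(text), "victim_id": ids[0] if ids else None}

def triage(root):
    """Encrypted-file count per original extension plus every parsed note."""
    by_ext, notes = Counter(), {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    notes[path] = parse_note(fh.read())
                continue
            ext = original_extension(name)
            if ext is not None:
                by_ext[ext or "(no extension)"] += 1
    return {"encrypted": dict(by_ext), "notes": notes}

# Constructed sample: names modelled on the thread, placeholder onion address.
SAMPLE_NOTE = ("All your files are Encrypted!\n| 2. Open link in TOR browser - "
               "http://aaaaaaaaaaaaaaaa.onion/\nDO NOT CHANGE DATA BELOW\n"
               "###sampleid123### 36 17 A5 97\n")

def build_sample_tree():
    """Create a throwaway directory holding the constructed sample files."""
    root = tempfile.mkdtemp()
    for name in ("download.jpg.DOCM", "report.docx.DOCM", "notes.DOCM", "clean.txt", "memo.docm"):
        open(os.path.join(root, name), "wb").close()
    with open(os.path.join(root, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_NOTE)
    return root
```

Run `triage(build_sample_tree())` to see the per-extension counts and the parsed note; the original extension recovered this way tells you which file types to prioritise when restoring from backup.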


Hi

I have the same problem and didn't get an understanding of what the way to solve this issue is?

Thanks 

21 hours ago, Skyp said:

I have the same problem and didn't get an understanding of what the way to solve this issue is?

There is no free way and no free file decryption tool. Alas.

23 hours ago, Skyp said:

I have the same problem and didn't get an understanding of what the way to solve this issue is?

That's because there's currently no way of decrypting your files without paying the ransom, which of course no one recommends doing.

Note that it is also highly recommended that you never try to contact the criminals yourself. Use a third-party to negotiate with the criminals for you if needed, but never try to do it yourself. There are a few companies out there that can do this for you, however the only one I can remember is CoveWare.

12 hours ago, GT500 said:

That's because there's currently no way of decrypting your files without paying the ransom, which of course no one recommends doing.

Note that it is also highly recommended that you never try to contact the criminals yourself. Use a third-party to negotiate with the criminals for you if needed, but never try to do it yourself. There are a few companies out there that can do this for you, however the only one I can remember is CoveWare.

Thanks

18 hours ago, Amigo-A said:

There is no free way and no free file decryption tool. Alas.

OK, thanks. What is the non-free way, except contact with the ransomers?


Yes, there is only the paid way, which the extortionists provide. But extortionists cannot be trusted: they can disappear with the money, they can make a mistake and provide a broken decryptor, or their server can be turned off. There are too many probabilities that the money will be wasted.

9 hours ago, Skyp said:

What is the non-free way?

Due to the fact that no one has been able to come up with a way of decrypting files in a reasonable amount of time without having access to the database of private keys, and since the criminals are keeping the private keys securely stored on their servers and no one else has access to them, that means no one can make a free decryption tool.

17 hours ago, GT500 said:

Due to the fact that no one has been able to come up with a way of decrypting files in a reasonable amount of time without having access to the database of private keys, and since the criminals are keeping the private keys securely stored on their servers and no one else has access to them, that means no one can make a free decryption tool.

Strange... I do not deny the fact that any work should be paid and would be willing to pay reasonable money, not such as the blackmailers extort, especially since there are no guarantees, so I would be ready to pay money for a working method of decrypting files back. I initially did not say that I am looking for freebies.

On 6/23/2019 at 1:46 PM, Skyp said:

I would be ready to pay money for a working method of decrypting files back.

All of our decrypters are free. We don't have paid ransomware recovery services. If there was a way to decrypt the files in a reasonable amount of time, then we'd release a decrypter for free, that way everyone could benefit from it.


Hi,

If there is any progress in fighting this ransom, will there be some report here?

Maybe I could help somehow? I have a few files, infected and clean, recovered from the mail.

Unfortunately not simply txt; in the formats pdf, xlsx and docx, also several in jpg.

1 hour ago, Skyp said:

will there be some report here?

For several years, while extortionists use GlobeImposter Ransomware to attack and extort money, we have seen many different options, thousands of users have suffered from it. If we count all this, then even theoretically, with all our desire and energy, it is impossible to inform everyone that their files can be decrypted. But when will this happen? Later 1-2-3 or more years? We do not know... and no one knows.

6 minutes ago, Amigo-A said:

For several years, while extortionists use GlobeImposter Ransomware to attack and extort money, we have seen many different options, thousands of users have suffered from it. If we count all this, then even theoretically, with all our desire and energy, it is impossible to inform everyone that their files can be decrypted. But when will this happen? Later 1-2-3 or more years? We do not know... and no one knows.

I meant, where can I be in touch about the general updates of the software?


Hi all. A friend of mine got infected with the docm ransomware a while ago. In an attempt to help him out, I spent a few days reverse engineering it. I have a decent understanding of how it works now. Usually, when a decryptor is published for a particular kind of ransomware, it's because someone found a flaw in the design of the cryptography, and made a tool that exploits it in order to recover the files without knowing the actual key. Unfortunately, the authors of docm have not made errors bad enough so that this is possible. Thus, only they have the ability to recover your files. That said, some ransomware developers have published their private key in the past. It's a pretty rare thing to happen, so I wouldn't rely on it, but it happens sometimes.

Sorry that I can't give you any better news. But at least now you can weigh it in when deciding on whether or not you should pay.

By the way, the authors have been giving discounts to people: I found a conversation online between someone and the authors, negotiating about the price, and the person receives an offer for $400. You can see for yourself if you take the Restore-My-Files.txt found here, and submit it to their tor website.



Yes, we know that there are several offers from those who can (or just say they can) decrypt:
- the extortionists themselves, who can sometimes lower the price;
- their former accomplices who left the main group;
- their former developers who want to get money;
- businessmen in collusion, who bought the decryptor and keys;
- some firms, hidden intermediaries of the extortionists;
- just scammers who decided to steal two pieces of cake;
- and others whom I would not trust to guard a bicycle.
