All my files are encrypted as .DOCM . A .txt file in every folder as below:

All your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:

----------------------------------------------------------------------------------------

| 1. Download Tor browser - https://www.torproject.org/ and install it.

| 2. Open link in TOR browser - http://decrmbgpvh6kvmti.onion/
               
| 3. Follow the instructions on this page 

----------------------------------------------------------------------------------------

Note! This link is available via "Tor Browser" only.

------------------------------------------------------------
Free decryption as guarantee.
Before paying you can send us 1 file for free decryption.
------------------------------------------------------------

alternate address - http://helpinfh6vj47ift.onion/


DO NOT CHANGE DATA BELOW


Here, on the forum, there were already 5 topics with the same variant of GlobeImposter-2.

I posted links to samples uploaded to VirusTotal. But decrypting files after it will not work.

2 hours ago, Tawhid72 said:

That looks accurate.

Note that ID Ransomware is correct when it says that there is no known way to decrypt files that have been encrypted by this ransomware.

Also note that you should not try to contact the criminals or negotiate with them yourself. If you feel it is absolutely necessary to try to negotiate with them, then I recommend having a third-party that is experienced in negotiating with such criminals do it for you. There are a number of companies that offer this service, however CoveWare is the only one I tend to remember.


After such an operation, some files (PDF among them) may open if partial encryption was done there.

If you compare the original files with them, then you can find the differences. 

But among the many ransomware variants we have seen cases:
- when files could partially open after such an operation;
- when files were not encrypted at all;
- when files were damaged due to encryption error.


I was also hit however I DO have a few files that I have an encrypted copy and a safe copy if this helps anyone.

ALSO, I wanted to see if they would actually do what they say and decrypt a file. 

They did, but will not negotiate their $800 to $1600 price in any way.

We need to stay on this and pool resources. We can't let these feckless pricks win!

Contact ANYONE you know that is in a Hacking/Cracking group and ask for help, or contact anyone who has a handle on encryption/decryption.

I will gladly donate files and time/money to beat these turds!!!

Feel free to contact me at '''email address removed to avoid spamming''' if you have ideas.


My computer was hacked with ransomware this year 2019. I had the same thing. Docm. My files look like a white paper. My story is long but I'll keep it short. I had people saying don't pay and people saying pay. I took my chance and paid I was not sure what would happen but they sent me the decryptor. I got my files back but some programs aren't running correctly. So I'll have to reinstall Windows. Don't know if the decryptor will work Universally on the Docm ransomware. The good thing is that I have my files. The bad part is that I'm out of $$$$$$. Also I had to pay them in bitcoin. That was crazy because I never had a bitcoin account before. I'm just glad the hacker was honorable and it turned out ok for me. And I was able to talk them down on the price a little. Any questions just post. On my way to work have a great day.

8 hours ago, slappy said:

I was also hit however I DO have a few files that I have an encrypted copy and a safe copy if this helps anyone.

No, that won't help with this ransomware.

8 hours ago, slappy said:

ALSO, I wanted to see if they would actually do what they say and decrypt a file. 

They did, but will not negotiate their $800 to $1600 price in any way.

Note that we highly recommend no one contact the criminals themselves. It's best to have a third-party which has experience negotiating with criminals like this do so for you. There are a few companies that offer this service, however CoveWare is the only one I tend to remember.

8 hours ago, slappy said:

We need to stay on this and pool resources. We cant let these feckless pricks win!

Contact ANYONE you know that is in a Hacking/Cracking group and ask for help, or contact anyone who has a handle on encryption/decryption.

If there's a way to beat them, then it will be done by ransomware analysts and law enforcement. More than likely what needs to be done is for security software companies to collaborate with law enforcement on gaining access to the servers used by the criminals so that they can liberate the database of keys, and thus make a decrypter. As for how long that will take, it depends on how well the criminals have secured their servers.

Keep in mind that this ransomware has been around for some time now (at least more than a year). A great many analysts have looked at this ransomware, and if there was something easy to exploit that would allow for decryption of files, then someone would have found it by now.

3 hours ago, Maheshsk42 said:

I have requested them to decrypt one file and they did and sent it to me; attached here. (untitled-1.png, untitled-1.png.DOCM)

We highly recommend no one contact the criminals themselves. It's best to have a third-party which has experience negotiating with criminals like this do so for you. There are a few companies that offer this service, however CoveWare is the only one I tend to remember.

2 hours ago, Damaxx said:

Don't know if the decryptor will work Universally on the Docm ransomware.

No, it won't. The GlobeImposter 2.0 ransomware generates new keys for every computer it infects. The private keys (the keys required for decryption) remain on their command and control servers, and when someone pays the ransom and they send them a decrypter it only comes with one private key.

If their decryption tool worked on more than one computer, we'd have figured out why, and made a free decrypter everyone could use.


Thanks, but since no one has any better ideas and EVERYONE on this thread needs their files, I have a small fix...

Using a VPN and changing the route I have been able to get several of my files decrypted by changing the Key on the "Restore my files" text and submitting it to them as a DIFFERENT victim.

I realize they are smart enough to create the ransomware, however, they are naive enough to be fooled and hopefully this will help someone.

Yes, yes, "Don't contact, etc, etc."...But in lieu of any REAL help other than generic warnings this is a VIABLE work around if you need specific files urgently!

Sorry if this is not popular with Emsisoft Support, but we ALL need to do what we can to defeat this and not just sit back and wait!!

On 6/27/2019 at 1:56 AM, Damaxx said:

My computer was hacked with ransomware this year 2019. I had the same thing. Docm. My files look like a white paper. My story is long but I'll keep it short. I had people saying don't pay and people saying pay. I took my chance and paid I was not sure what would happen but they sent me the decryptor. I got my files back but some programs aren't running correctly. So I'll have to reinstall Windows. Don't know if the decryptor will work Universally on the Docm ransomware. The good thing is that I have my files. The bad part is that I'm out of $$$$$$. Also I had to pay them in bitcoin. That was crazy because I never had a bitcoin account before. I'm just glad the hacker was honorable and it turned out ok for me. And I was able to talk them down on the price a little. Any questions just post. On my way to work have a great day.

Hi Damaxx, can you share the decryptor? I wanted to try whether it will work for my files or not.


If I have the original file and the encrypted file, is it possible to get the decryption done with the help of the ransom text file contents?

34 minutes ago, Suresh said:

If I have the original file and the encrypted file, is it possible to get the decryption done with the help of the ransom text file contents?

No, as I am sure we all have those...read up and this question should be clear to you...

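Amigo-A's suggestion above of comparing an original file with its encrypted copy, and the question just asked about having both, as an added example (my code, not from the thread or from Emsisoft): a Python triage script that reports which byte ranges differ and how many bytes were appended, with the file pair constructed inline. It shows the encryption layout (partial, full, untouched or truncated), which helps decide what may still open; it does not and cannot recover the per-victim key that, as GT500 explains, stays on the criminals' servers.

```python
# Added example (not from the forum thread or Emsisoft): triage an
# original/encrypted file pair to see how much of the file was touched.

def diff_regions(original: bytes, encrypted: bytes, block: int = 16):
    """Byte ranges [start, end) over the common length where the two buffers
    differ, compared in block-sized chunks (16 matches a typical cipher block)."""
    n = min(len(original), len(encrypted))
    regions, start = [], None
    for off in range(0, n, block):
        end = min(off + block, n)
        same = original[off:end] == encrypted[off:end]
        if not same and start is None:
            start = off
        elif same and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, n))
    return regions


def triage_pair(original: bytes, encrypted: bytes) -> dict:
    """Classify the encrypted copy relative to its known-good original."""
    n = min(len(original), len(encrypted))
    regions = diff_regions(original, encrypted)
    changed = sum(end - start for start, end in regions)
    if len(encrypted) < len(original):
        verdict = "truncated"            # damaged, e.g. by an encryption error
    elif changed == 0:
        verdict = "not encrypted"        # only renamed and/or marker appended
    elif changed < n:
        verdict = "partially encrypted"  # untouched parts may still open
    else:
        verdict = "fully encrypted"
    return {
        "verdict": verdict,
        "changed_bytes": changed,
        "changed_regions": regions,
        # bytes past the original length: usually the victim ID / wrapped
        # per-file key the malware appends, which is not a usable key
        "trailer_bytes": max(0, len(encrypted) - len(original)),
    }


# Constructed sample: a 4 KiB "document" whose first 1 KiB has been scrambled
# (XOR with a constant stands in for the real cipher) plus a 48-byte trailer.
ORIGINAL = b"%PDF-1.4\n" + bytes(range(256)) * 16
ENCRYPTED = bytes(b ^ 0xA5 for b in ORIGINAL[:1024]) + ORIGINAL[1024:] + b"\0" * 48
REPORT = triage_pair(ORIGINAL, ENCRYPTED)
```

Run it against a real pair by reading both files with `open(path, "rb").read()`; a "partially encrypted" verdict with a small leading region is the case Amigo-A describes where a PDF may still open.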
11 hours ago, slappy said:

Using a VPN and changing the route I have been able to get several of my files decrypted by changing the Key on the "Restore my files" text and submitting it to them as a DIFFERENT victim.

There are two problems with this approach:

  1. If you accidentally guess someone else's ID, then you may prevent them from getting back one or two files they desperately need.
  2. If the criminals figure out what you're doing, then they will probably send you something far worse than ransomware.

Keep in mind that it's possible they still have remote access to your computer, which will allow them to do anything they want on your computer (and potentially other computers on the local network). They could steal data, install a keylogger, log in to your accounts and reset passwords, or even destroy your data permanently.

Bottom line: Don't mess with the criminals. After all, they are criminals, and if they feel they have been cheated they will do whatever they think is necessary to ensure you never do it again.

1 hour ago, GT500 said:

There are two problems with this approach:

  1. If you accidentally guess someone else's ID, then you may prevent them from getting back one or two files they desperately need.
  2. If the criminals figure out what you're doing, then they will probably send you something far worse than ransomware.

Keep in mind that it's possible they still have remote access to your computer, which will allow them to do anything they want on your computer (and potentially other computers on the local network). They could steal data, install a keylogger, log in to your accounts and reset passwords, or even destroy your data permanently.

Bottom line: Don't mess with the criminals. After all, they are criminals, and if they feel they have been cheated they will do whatever they think is necessary to ensure you never do it again.

You won't accidentally guess someone else's encryption key, that is next to impossible if you actually look at the key and see the encryption. (1 in over 286 trillion I think are the exact odds)

Also, since every file I retrieve is first checked and opened on a virtual drive on another throw away laptop there is zero chance of re-infection.

They do not have access in any way to my laptop since I did a complete rebuild and personally don't open suspect files. I got the infection from an idiot who disabled my security while I let him use my laptop. He disabled it to try and install a program onto a thumb drive and the keygen was infected. He disabled it to get around the fact that it kept getting quarantined. I caught it once I restarted and once I saw the first few files popping up I shut off my internet access immediately and began killing processes.

Lastly, I have been able to dupe them into decrypting 26 files which happens to be the exact number of files that caught the encryption before I caught them. I win!

I'm not saying anyone else should attempt this as I happened to find a small loophole in their defenses and exploit it...you may not be so lucky. 

(But also, in lieu of any real help or support from ANYWHERE people may want to make up their own minds whether this is an acceptable risk...I will help if anyone needs.)

19 hours ago, slappy said:

They do not have access in any way to my laptop since I did a complete rebuild and personally don't open suspect files. I got the infection from an idiot who disabled my security while I let him use my laptop. He disabled it to try and install a program onto a thumb drive and the keygen was infected. He disabled it to get around the fact that it kept getting quarantined. I caught it once I restarted and once I saw the first few files popping up I shut off my internet access immediately and began killing processes.

GlobeImposter 2.0 infections are often installed by an attacker who brute forces an RDP account, so make sure you don't have the RDP port open in your firewall, and that there are no port forwarding rules for it in your router. The same applies to any remote access that requires port forwarding.

19 hours ago, slappy said:

I will help if anyone needs.

We don't recommend privately contacting anyone for assistance if you don't know them and they aren't a known ransomware expert.

19 hours ago, slappy said:

Lastly, I have been able to dupe them into decrypting 26 files which happens to be the exact number of files that caught the encryption before I caught them. I win!

And you posted about it on a public forum. One that the criminals who make GlobeImposter 2.0 know about, and are more than likely monitoring.


I'm the same, the ****ers destroyed over 10 years of photos and rare music. Disgusting, surely it's a crime? I downloaded a legit program, no torrent so nothing illegal, how can this be allowed?

Edited by GT500
Slightly censored.

13 hours ago, d3barr said:

Disgusting, surely it's a crime? I downloaded a legit program, no torrent so nothing illegal, how can this be allowed?

It most certainly is a crime, however finding such criminals and bringing them to justice isn't always easy. Sometimes it takes many months (or even years) of work by law enforcement to figure out exactly who they are and what they've done.

If you would like to report this to your national law enforcement, then you can find links for many major law enforcement agencies at the link below:
https://www.nomoreransom.org/en/report-a-crime.html

Feel free to also report it to local law enforcement, however please note that their resources are more limited and they may not be able to collaborate in international investigations like national law enforcement agencies do.

21 hours ago, d3barr said:

I downloaded a legit program, no torrent so nothing illegal, how can this be allowed?

Give us information about this program and the download address, we will check and determine what caused the malicious attack.

You can also write in PM, if it is confidential.

