Jake82

A Possible Fix for GlobeImposter 2.0?

Hey,

So I have a quick question:
If I were able to provide 2 identical files (1 that has been infected... and the exact same file, but decrypted), would it be possible to maybe come up with a program that can decrypt all files (maybe have a space on the program to input the "header variable" into it since it is likely different for everyone?)

Please let me know if this would be possible. If so, I will provide two reference files from my E-Sword program (the encrypted one and the decrypted one). I would love to get this finally fixable for everyone including myself (our ministry laptop is locked down which includes music and other media we were planning to release towards the end of Summer).

Hope to hear back from someone that can possibly use these files to figure it out (not sure if a "hex editor" would give a look into the differences as well in order to figure out decryption?)

Let me know and I will provide the files.

There are many files, including "encrypted+original" pairs, and many samples, but there is no single universal free public decryptor that works for all variants of GlobeImposter 2.0 Ransomware.

---

We know of several imitators of GlobeImposter; there are also imitators of imitators of GlobeImposter, which do not even encrypt, but use the code and the ransom note of GlobeImposter. But for all of them there is not and there will not be a single solution. They differ, and very much.

14 hours ago, Jake82 said:

If I were able to provide 2 identical files (1 that has been infected... and the exact same file, but decrypted), would it be possible to maybe come up with a program that can decrypt all files

If this were possible, we'd release a free decrypter capable of doing it.

I was able to save some of the executable files that they were using to encrypt the files with. If I were to provide those along with the text file AND a copy of both an encrypted and decrypted identical file: would that help you all to work out some kind of possible solution to their ransomware?

I apologize if I am getting on your nerves or coming off as annoying. I really just want to help, especially after finding out a Church, a Food Bank, and now a Ministry team have been hit with this. It is bad enough to force this crazy stuff onto any person, but hitting nonprofits, charities, and ministries is absolutely crazy. So I wanted to try and offer up any kind of help that I could be. 

@Jake82

Upload the malicious files separately to www.sendspace.com, and a note with the "encrypted+original" file pairs, and paste the links here.
Put the password 'infected' on the archive with the malicious files. The others go without a password.

21 hours ago, Jake82 said:

I was able to save some of the executable files that they were using to encrypt the files with. If I were to provide those along with the text file AND a copy of both an encrypted and decrypted identical file: would that help you all to work out some kind of possible solution to their ransomware?

Unfortunately it wouldn't. GlobeImposter 2.0 has been very thoroughly analyzed, and we already know how it encrypts files. We've even had a number of opportunities to take a look at the decrypters they send people who pay. There's currently no way to decrypt files without the private keys that the criminals keep on their command and control servers.
