PhrozeNChaos

Recent infection - GlobeImposter 2.0

New user here, hello everyone.

I was recently infected with a variant of GlobeImposter 2.0, which appends "[email protected]" on documents.

I do have backups and was trying to determine how this ransomware works, and after some sector scanning on my hard drive I noticed a non-encrypted file in my "%systemroot%\Users\Public" folder. The file was created about an hour before the attackers ran the ransomware. Please also note the attackers used RDP to get into my PC. It does not appear to be a Win32 executable, as I opened it read-only with a hex editor to inspect it. I found that this file contains my encryption key in addition to other data when viewed in the hex editor.

Does anyone have any idea what this file is? It's 2 KB in size as well. I have attached it to this message, not sure if the forum will let me.

C4D0FA878011A9B5952DFC0CD4C66EBA6BE88DDF030EAAEA064F0F332A544D0D

Read_For_Restore_File.zip

Hello

Put the file Read_For_Restore_File.html in the archive with the password '123' and attach it to the new message.

The ransomware addresses were deleted in the previous one.

On 8/29/2019 at 10:18 PM, PhrozeNChaos said:

Update: I realized the virus locked one of my archive drives which had no backups. :(

Yes, ransomware like this will search for files on any connected drive, and encrypt them. They also usually try to encrypt backups if they can access them. Due to this it is recommended to keep backups on removable media, and make sure to disconnect it from the computer when not in use.

The file you are talking about may be a digital key with an ID.
The screenshot shows the correspondences - code from your file and from a ransom note.

Screenshot_1.jpg

That is exactly what I noticed when I edited the file using a hex editor. Hopefully there is some way to decrypt using this "key". I have taken my archive drive offline in hopes of this.

Also, other people infected with this type of infection should probably look out for a similar file. Once again, I was infected through RDP, which means the intruder was interactively in my PC and could have left items behind.

@GT500 Will keep note of that. Started burning very personal items to BD-R. Takes longer but better for archival.

2 hours ago, PhrozeNChaos said:

Hopefully there is some way to decrypt using this "key".

The type of encryption they use requires two keys. One used to encrypt files (the "public key"), and one used to decrypt files (the "private key"). The public key is aptly named, as it can safely be left where anyone can see it, and it can't reveal anything of use to decrypt data. The private key is usually kept secret on the command and control servers of the criminals.

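An added illustration of the point made in the reply above, not code from the thread or from any poster: a toy RSA key pair built from Python integers only (no padding, no real library), showing that the public half, which the malware can leave lying on disk, wraps a per-file key but cannot unwrap it again. The key sizes, the per-file key and the function names are all constructed for the demonstration.

```python
import secrets  # toy RSA with Python ints only; illustration, not a real decryption tool
def is_probable_prime(n: int, rounds: int = 20) -> bool:
    # Miller-Rabin probabilistic primality test (n assumed odd and > 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:  # odd candidate with the top bit set so p*q has the intended size
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def generate_keypair(bits: int = 512):
    # (n, e) is the public half that can safely be left anywhere; (n, d) must stay secret
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))  # modular inverse needs Python 3.8+

def wrap_file_key(file_key: bytes, public) -> int:
    # all the public key permits: wrapping a per-file symmetric key (raw RSA, no padding)
    n, e = public
    return pow(int.from_bytes(file_key, "big"), e, n)

def unwrap_file_key(wrapped: int, key, length: int = 32) -> bytes:
    # recovers the key only with the private exponent d; applying e again just scrambles
    n, exp = key
    return pow(wrapped, exp, n).to_bytes((n.bit_length() + 7) // 8, "big")[-length:]

def demo() -> tuple:
    # (recovered with the private key, recovered with the public key only)
    public, private = generate_keypair()
    file_key = secrets.token_bytes(32)  # constructed per-file key
    wrapped = wrap_file_key(file_key, public)
    return (unwrap_file_key(wrapped, private) == file_key, unwrap_file_key(wrapped, public) == file_key)
```

Run `demo()` a few times: the first value is always True and the second always False, which is why a recovered "key file" holding the public half and a victim ID does not by itself give a way to decrypt.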

More than likely, yes. Normally if a ransomware leaves a decryption key behind, we would create a free decrypter that victims can use.
