jx34tech

Unable to decrypt files


Hey Folks,

Some years ago a family computer of mine was encrypted with a ransomware program. Unfortunately, due to human error, the backup was never made properly; however, a backup of all the encrypted files was made in the hope that in the future they might be decrypted. I have tried identifying this ransomware online, but nothing points in a really solid direction. I have tried to use several decryptor programs, but to no avail. I can't seem to find a matching set of unencrypted and encrypted files; the encrypted copy always seems to be ever so slightly bigger than the original. I am happy to submit a variety of sample encrypted files, unencrypted files and ransom notes.

The variant uses the .crypt extension, with the bitcoin address 1JA2f7F1JE3faUzavH89iDiZxtZqV1bB82. There is also a .pt domain tracking link at the bottom of the page.


According to ID Ransomware that's Globe 3, which we have a decrypter for:
https://www.bleepingcomputer.com/news/security/emsisoft-releases-a-decryptor-for-version-3-of-the-globe-ransomware/

Note that the identification is based on the bitcoin address. You didn't supply enough information for a more accurate identification than that (ideally I'd need a copy of the ransom note and an encrypted file), and it is technically possible for more than one ransomware to share the same bitcoin address (such as if they are distributed by the same criminals).

If you haven't already, you can run it by ID Ransomware yourself and see what it says:
https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.


Hi Arthur,

Thanks for the reply. I have downloaded and attempted to use the Globe3 Decryptor, but it seems that the encrypted file is slightly bigger than an example original file. For example, one of the encrypted files is an install exe for a popular piece of software; when downloading that version and comparing it to the encrypted copy of the same file, the original appears to be slightly smaller than the encrypted copy. I have checked this with other files in the directory and it seems that this is the case for every file that I can check in the directory. It is possible that there are trailing bytes at the end of the file, for example. I have attached a screenshot demonstrating this.

2020-09-26 19_53_46-Sneaking Into Twitchcon while BANNED (ft. The Misfits) - YouTube.png

18 hours ago, jx34tech said:

Thanks for the reply. I have downloaded and attempted to use the Globe3 Decryptor, but it seems that the encrypted file is slightly bigger than an example original file. For example, one of the encrypted files is an install exe for a popular piece of software; when downloading that version and comparing it to the encrypted copy of the same file, the original appears to be slightly smaller than the encrypted copy. I have checked this with other files in the directory and it seems that this is the case for every file that I can check in the directory. It is possible that there are trailing bytes at the end of the file, for example. I have attached a screenshot demonstrating this.

It's normal for there to be a file size difference between original files and encrypted files.

3 hours ago, GT500 said:

It's normal for there to be a file size difference between original files and encrypted files.

I understand that 100%, but it seems that as a result of this file size the Decryptor doesn't appear to work for my set of files, even though they should be exact copies of each other. Is there a private way that I can DM you to demonstrate this occurring, perhaps?

21 hours ago, jx34tech said:

I understand that 100%, but it seems that as a result of this file size the Decryptor doesn't appear to work for my set of files, even though they should be exact copies of each other. Is there a private way that I can DM you to demonstrate this occurring, perhaps?

Then it's probably GlobeImposter 2.0 or something like that.

Did you check with ID Ransomware? If it's GlobeImposter 2.0 then it should identify it accurately.

7 minutes ago, GT500 said:

Then it's probably GlobeImposter 2.0 or something like that.

Did you check with ID Ransomware? If it's GlobeImposter 2.0 then it should identify it accurately.

I have run it through the ID website many times and it identifies it as Globe3, because of the email present in the ransom note: [email protected]. I have also looked up the bitcoin address and it seems people have ID'ed it as Globe3 as well, but I just can't seem to get a positive decryption happening, no matter what I try.

Is it possible that there may be some erroneous bits at the end of the file that could be causing it to be a slightly different size?
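The trailing-bytes question above is one a responder can check mechanically before trying another decrypter. The script below is an added example, not part of this thread or of any Emsisoft tool: for each original/encrypted pair it reports the size difference, infers how many bytes sit beyond a block-padded ciphertext (a fixed footer such as a key blob or victim ID would give the same inferred length for every file even though the raw deltas differ by padding), checks whether the first bytes of the original are still present unencrypted, and measures the entropy of the inferred trailer. The sample pairs are constructed in memory with a hash-based byte stream that only imitates the size behaviour; it is not a cipher and the script does not identify any family.

```python
"""Characterise original/encrypted file pairs by size and trailer.
Added example; not part of the forum thread or any Emsisoft tool.
All sample data below is constructed in memory."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass

BLOCK = 16  # AES block size; assumption: the family uses a block cipher with padding


@dataclass
class PairReport:
    original_size: int
    encrypted_size: int
    delta: int                 # encrypted - original, in bytes
    inferred_trailer_len: int  # bytes beyond the padded ciphertext length
    plaintext_prefix_intact: bool
    trailer_entropy: float     # Shannon entropy (bits/byte) of the inferred trailer


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for random bytes, low for text or zero-filled data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def padded_len(size: int, block: int = BLOCK) -> int:
    """Length after PKCS#7-style padding, which always grows to the next block boundary."""
    return (size // block + 1) * block


def compare_pair(original: bytes, encrypted: bytes, block: int = BLOCK) -> PairReport:
    """Compare one pair. A trailer length that is constant across pairs suggests a
    fixed footer appended after the padded ciphertext; an intact plaintext prefix
    would mean the file head was never encrypted at all."""
    trailer_len = len(encrypted) - padded_len(len(original), block)
    trailer = encrypted[-trailer_len:] if trailer_len > 0 else b""
    probe = original[:64]
    return PairReport(
        original_size=len(original),
        encrypted_size=len(encrypted),
        delta=len(encrypted) - len(original),
        inferred_trailer_len=trailer_len,
        plaintext_prefix_intact=bool(probe) and encrypted.startswith(probe),
        trailer_entropy=shannon_entropy(trailer),
    )


def consistent_trailer(reports) -> bool:
    """True when every pair implies the same non-negative trailer length."""
    lens = {r.inferred_trailer_len for r in reports}
    return len(lens) == 1 and lens.pop() >= 0


def _constructed_ciphertext(plain: bytes, trailer: bytes, block: int = BLOCK) -> bytes:
    """Stand-in for ransomware output: a deterministic pseudo-random stream the
    length of the padded plaintext, then a fixed trailer. Constructed sample
    data; NOT a cipher, it only reproduces the size behaviour."""
    target = padded_len(len(plain), block)
    out = bytearray()
    counter = 0
    while len(out) < target:
        out += hashlib.sha256(b"constructed" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:target]) + trailer


# Constructed sample pairs (sizes 1026, 404 and 1013 bytes) with a 64-byte trailer.
SAMPLE_TRAILER = hashlib.sha256(b"constructed-footer").digest() * 2
SAMPLE_ORIGINALS = [
    b"MZ" + bytes(range(256)) * 4,          # exe-like header
    b"\xff\xd8\xff\xe0" + b"JFIF" * 100,    # jpeg-like header
    b"<html>" + b"x" * 1000 + b"</html>",   # html-like text
]
SAMPLE_PAIRS = [(p, _constructed_ciphertext(p, SAMPLE_TRAILER)) for p in SAMPLE_ORIGINALS]


def sample_reports():
    return [compare_pair(o, e) for o, e in SAMPLE_PAIRS]


if __name__ == "__main__":
    reps = sample_reports()
    for r in reps:
        print(r)
    print("fixed-length trailer across all pairs:", consistent_trailer(reps))
```

On real files, read each original and its .crypt counterpart with `open(path, "rb").read()` and feed them to `compare_pair`; if the inferred trailer length varies wildly or goes negative, the padding assumption is wrong for that family and the raw delta is the only reliable number.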

4 minutes ago, jx34tech said:

I have run it through the ID website many times and it identifies it as Globe3...

If that's the case, then why is it that when I look up your IP address on ID Ransomware, it shows a result for GlobeImposter 2.0? I'm fairly certain that none of the variants of Globe have been in distribution for years, however I know that GlobeImposter 2.0 is still in distribution.

Could you attach a few encrypted files and a copy of the ransom note to a reply for me?

5 minutes ago, GT500 said:

If that's the case, then why is it that when I look up your IP address on ID Ransomware, it shows a result for GlobeImposter 2.0? I'm fairly certain that none of the variants of Globe have been in distribution for years, however I know that GlobeImposter 2.0 is still in distribution.

Could you attach a few encrypted files and a copy of the ransom note to a reply for me?

Please refer to the screenshot that I have provided as well, of the ID by the software. For context, this group of files was encrypted probably sometime in 2016-ish; it's been quite a few years since it was actually encrypted. I've just been re-told to have a look into the files and try to decrypt them again, so I have attached a few test files and their unencrypted counterparts.

2020-09-28 14_47_13-ID Ransomware.png

FacebookVideoCallSetup_v1.2.205.0.exe FacebookVideoCallSetup_v1.2.205.0.exe.crypt how_to_recover_files.html IMG_0461a.jpg.crypt IMG_0462a.jpg.crypt IMG_0463a.jpg.crypt


Hello

This is the result with your files:

https://id-ransomware.malwarehunterteam.com/identify.php?case=d9266107bde4003efe5528480b72460b0bd119ea

To achieve the right result you need to upload a ransom note and an encrypted file.

IMG_0462a.jpg.crypt + how_to_recover_files.html = GlobeImposter 2.0 Ransomware

The email address can be used in various ransomware. Actors move from one project to another.
But the ID is very specific to GlobeImposter and is determined mostly without problems.

40 minutes ago, Amigo-A said:

Hello

This is the result with your files:

https://id-ransomware.malwarehunterteam.com/identify.php?case=d9266107bde4003efe5528480b72460b0bd119ea

To achieve the right result you need to upload a ransom note and an encrypted file.

IMG_0462a.jpg.crypt + how_to_recover_files.html = GlobeImposter 2.0 Ransomware

The email address can be used in various ransomware. Actors move from one project to another.
But the ID is very specific to GlobeImposter and is determined mostly without problems.

Thank you for looking into this and getting the right result. I was very confused, because I could find it being called a bunch of other things around the web. I guess I will just keep the files safe and hope that the keys get released in the future. Out of interest, what do you think the chance is of the actors actually being reachable and of getting a decryption key by paying at this point? I can check the bitcoin wallet quoted and it hasn't been touched since about 2017.


We can only hope with you that the keys will be published in the future.

There are now many modifications, NextGens and spin-offs, and there are imitators that fake the look, elements, and even IDs, that GlobeImposter originally had.

20 hours ago, jx34tech said:

... what do you think the chance of the actors actually being reachable and getting a decryption key by paying at this point?

As long as the e-mail address and payment sites used by the criminals are still online, then I would believe the odds are fairly good that the criminals will send you a working decrypter if you pay the ransom. Coveware reports that there's a 99% chance of successful decryption for those who pay the ransom.
