Posted 14 May 2017 - 06:30 AM
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
If I have been helpful & you'd like to consider a donation, click
Posted 14 May 2017 - 09:37 AM
Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button. Doing that will be helpful with analyzing and investigating by our crypto malware experts.
Thank you, I will go ahead and do that.
Posted 14 May 2017 - 10:38 AM
What indicators triggered for GlobeImposter? Was it just the ransom note filename? Could be a false positive.
The note definitely looks new. Not pulling up anything by the BTC or email address on Google.
Could you find some encrypted files and their originals for comparison? I'm seeing that not the whole file is encrypted, which could be a clue. Also, more importantly, we really need the malware itself to analyze. You can zip them all together and submit to the same link.
ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
If I have helped you and you wish to support my ransomware fighting, you may support me here.
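The comparison asked for above (an original next to its encrypted twin, to see how much of the file the ransomware actually touched) can be done mechanically. The following is an added example, not code from ID Ransomware or from anyone in this thread. It assumes nothing about the real cipher: the sample pair is constructed inline with a toy XOR keystream purely so it runs offline, and the `DiffReport` / `compare_pair` names are the example's own.

```python
# Added example (not ID Ransomware's or any poster's code): compare an
# original file with its encrypted twin to see which byte ranges the
# ransomware altered. Names and sample bytes are constructed.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DiffReport:
    original_size: int
    encrypted_size: int
    changed_ranges: List[Tuple[int, int]]  # half-open [start, end) offsets in the original
    appended_bytes: int                    # bytes present only at the end of the encrypted copy

    @property
    def changed_bytes(self) -> int:
        return sum(end - start for start, end in self.changed_ranges)

    @property
    def fully_encrypted(self) -> bool:
        # True only when every byte of the original body was altered.
        return self.original_size > 0 and self.changed_ranges == [(0, self.original_size)]


def compare_pair(original: bytes, encrypted: bytes, merge_gap: int = 16) -> DiffReport:
    """Find the byte ranges that differ between an original and its encrypted copy.

    A real cipher leaves a byte unchanged with probability 1/256, so one
    contiguous encrypted region shows up as many runs separated by tiny
    gaps; runs closer than merge_gap bytes are merged into a single range.
    """
    common = min(len(original), len(encrypted))
    raw: List[Tuple[int, int]] = []
    start = None
    for i in range(common):
        if original[i] != encrypted[i]:
            if start is None:
                start = i
        elif start is not None:
            raw.append((start, i))
            start = None
    if start is not None:
        raw.append((start, common))

    merged: List[Tuple[int, int]] = []
    for s, e in raw:
        if merged and s - merged[-1][1] <= merge_gap:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))

    return DiffReport(
        original_size=len(original),
        encrypted_size=len(encrypted),
        changed_ranges=merged,
        appended_bytes=max(0, len(encrypted) - len(original)),
    )


def build_demo_pair() -> Tuple[bytes, bytes]:
    """Constructed stand-in for a victim's original/encrypted file pair.

    The 'encryption' is a toy XOR keystream used only so the example runs
    offline; it is not the ransomware's cipher. The first 1024 of 2048
    bytes are altered, byte 500 is deliberately left equal to mimic a
    coincidental cipher collision, and a 64-byte footer is appended.
    """
    original = bytes(range(256)) * 8
    keystream = bytearray(((i * 37 + 11) | 1) & 0xFF for i in range(1024))  # never zero
    keystream[500] = 0  # one byte that happens to survive unchanged
    body = bytes(o ^ k for o, k in zip(original[:1024], keystream))
    footer = b"DEMO-FOOTER".ljust(64, b"\x00")
    return original, body + original[1024:] + footer


def summarize(report: DiffReport) -> str:
    pct = 100.0 * report.changed_bytes / report.original_size if report.original_size else 0.0
    return (f"{report.changed_bytes}/{report.original_size} bytes changed ({pct:.1f}%), "
            f"ranges={report.changed_ranges}, appended={report.appended_bytes}")


if __name__ == "__main__":
    orig, enc = build_demo_pair()
    print(summarize(compare_pair(orig, enc)))
```

Run it against a real pair by reading both files with `open(path, "rb").read()` and passing them to `compare_pair`. Ranges that stop well short of the end of the original, plus a fixed number of appended bytes, are exactly the "not the whole file is encrypted" pattern mentioned above, and the range boundaries and footer length are useful details to include when submitting samples.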
Posted 14 May 2017 - 10:54 AM
I'm guessing the file name for the ransom note triggered GlobeImposter, I think it is the same file name that they use. I have zipped up a couple of encrypted files and their unencrypted versions as well as the ransom note. Unfortunately, I don't have the malware. Before I knew what ransomware was, I immediately ran every anti-malware program to get rid of everything, which I now know I shouldn't have done. The only things they found were a "safesearch .ch hijacker" and a backdoor program called "1.exe".
I will upload the zip file I created. I have more encrypted/unencrypted twins I can upload as well if needed.
Again, thank you for taking the time to help me out!
Posted 18 May 2017 - 06:46 AM
I'm also dealing with the .nCRYPT extension Ransomware.
The owner tried fixing it herself so the malware is gone, nothing left but lots of encrypted files. Amateurs .... {Grin}
Attempts to submit for identifying have failed, except as @RodneyHamp noted about GlobeImposter...
I'm submitting an encrypted Word docx as a sample. Any help, of course would be greatly appreciated.
I've been a lurker here for years, but have donated several times to the cause. :-)
Thx!
All the Best, PuterPro
Posted 18 May 2017 - 08:40 AM
Yeah, I'm one of those annoying amateurs who probably ended up screwing myself.
All that does is make me angrier too. Ugh. I hate this helpless feeling! At least I now know I am not the only one who has been hit with this. Hopefully someone can get a decryption key. I never even knew this stuff existed before. I will be donating to the cause for sure.
If you hear of anything, please let me know!
Posted 18 May 2017 - 09:34 AM
Amateurs - LOL! Wasn't aimed at you, Rodney! ... ;-)
The people who own the machine told me nothing had been done to it.
So I get the machine and find they had run 3 different scanners and removed all evidence of the problem!
Well, except for hundreds of encrypted documents and spreadsheets that they had no backup for. Nice.
I, like you, am waiting with bated breath for those who know more than I on this stuff to weigh in.
I've been a Tech for 37 years in Computers (47 as an Electronics Tech), and I learned long ago that trying to know everything about computers is like trying to swallow the ocean. Good luck with that!
Hope someone throws us a life ring, LOL!
PuterPro
Posted 18 May 2017 - 10:12 AM
Posted 18 May 2017 - 10:25 AM
What is the actual name of the ransom note?
My ransom note is "how_to_back_files.html" which I think is why I got a false positive on GlobeImposter.
Hahaha, thanks. I am a 35-year-old teacher; I grew up in the 90s and was a whiz with Windows 95, hahaha. Nowadays? Not so much!!
Posted 18 May 2017 - 10:38 AM
Rodney - HA! I feel ya.
I feel like I'm running through hip-deep mud trying to keep up! As fast as I learn it, it's changed.
I'm a general tech, so I know a little bit about a whole lot of things; every once in a while I have to plunge deep, like for this ransomware nonsense.
quietman - "What is the actual name of the ransom note?" - Mine was the same as Rodney's - how_to_back_file.html.
I resubmitted the files as a RAR, the unencrypted, an original of it, and the ransom note a little while ago.
Edited by PuterPro, 18 May 2017 - 10:44 AM.
Posted 18 May 2017 - 10:59 AM
This might actually be a new variant of GlobeImposter after all. Digging more into it.
Posted 18 May 2017 - 11:01 AM
Just got confirmation from xXToffeeXx that this is the new GlobeImposter. They've changed up the look of the ransom note. Afraid it is not decryptable. I've updated ID Ransomware to add the extra indicators.
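Both posters above found machines with the malware already scrubbed, leaving only the artifacts: the how_to_back_files.html note and files carrying the .nCRYPT extension. Inventorying those artifacts is the first step in triage (the same job CryptoSearch does). The example below is added here and is not CryptoSearch, ID Ransomware, or any poster's code; it walks a directory for the two indicators named in this thread and adds an entropy check so that a file which was only renamed is not counted as encrypted. The indicator values come from the thread; the directory it scans is constructed inline so the example runs offline.

```python
# Added example (not CryptoSearch, ID Ransomware, or any poster's code):
# walk a directory for the two indicators discussed in this thread, the
# ransom-note filename and the .nCRYPT extension, and use an entropy
# check to separate files that were really encrypted from files that
# were merely renamed. Paths and sample contents are constructed.
import math
import os
import tempfile
from collections import Counter
from typing import Dict, List

RANSOM_NOTE_NAMES = {"how_to_back_files.html"}   # note name reported in the thread
ENCRYPTED_EXTENSION = ".ncrypt"                   # compared case-insensitively
SAMPLE_BYTES = 4096                               # bytes read from each file head
HIGH_ENTROPY = 7.0                                # bits/byte; ciphertext sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Classify files under root into ransom notes, encrypted files, and
    files that carry the extension but do not look encrypted."""
    findings: Dict[str, List[str]] = {"notes": [], "encrypted": [], "renamed_only": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in RANSOM_NOTE_NAMES:
                findings["notes"].append(path)
                continue
            if not name.lower().endswith(ENCRYPTED_EXTENSION):
                continue
            with open(path, "rb") as fh:
                head = fh.read(SAMPLE_BYTES)
            bucket = "encrypted" if shannon_entropy(head) >= HIGH_ENTROPY else "renamed_only"
            findings[bucket].append(path)
    return findings


def build_demo_tree() -> str:
    """Create a constructed victim directory: one note, one high-entropy
    '.nCRYPT' file, one low-entropy file that only had its name changed,
    and one untouched document."""
    root = tempfile.mkdtemp(prefix="ncrypt_demo_")
    os.makedirs(os.path.join(root, "Documents"))
    files = {
        "how_to_back_files.html": b"<html>constructed ransom note</html>",
        os.path.join("Documents", "budget.xlsx.nCRYPT"): bytes(range(256)) * 16,  # entropy 8.0
        os.path.join("Documents", "notes.txt.nCRYPT"): b"A" * SAMPLE_BYTES,       # entropy 0.0
        os.path.join("Documents", "untouched.docx"): b"PK\x03\x04constructed",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    result = scan_tree(build_demo_tree())
    for bucket, paths in result.items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

Point `scan_tree` at a mounted copy of the affected drive (read-only, since the encrypted files are the only evidence left) and the three buckets give a count of notes to clean up, files that genuinely need a decryptor, and files that can simply be renamed back. The entropy threshold is a heuristic: already-compressed formats such as .docx, .zip or .jpg are high-entropy even before encryption, so for those a pair comparison against a known original is the only reliable check.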
Posted 18 May 2017 - 12:43 PM
Thanks SO much for the update. Sad news, but I expected it was so... Thanks again!!
PuterPro
Posted 18 May 2017 - 08:11 PM
Posted 18 May 2017 - 08:17 PM