GlobeImposter Ransomware (.Crypt, .PSCrypt, .FIX, .nCrypt) Support Topic

When or if a solution is found, that information will also be provided in this support topic and you will receive notification if subscribed to it.

You rock, thank you!

You're welcome.

Uploaded files, suspected globeimposter 2.0. Appreciate your assistance. 

What are the chances that this Globeimposter 2.0 (.keepcalm) will ever be decrypted?

 

My whole computer was infected and I will be keeping the hard drives offlline until I can locate a solution.

 

How can we get notified once the decrypter is available?

How can we help?

 

Thanks,

Troy

We have no way of knowing when or if a free decryption solution will be available.

Whether you can recover (decrypt) your files or not depends on what ransomware infection you are dealing with and a variety of factors. All crypto malware ransomware use some form of encryption algorithms, most of them are secure, but others are not. The possibility of decryption depends on the thoroughness of the malware creator, what algorithm the creator utilized for encryption, discovery of any flaws and sometimes just plain luck. Newer ransomware variants use a public and private key system where the public key is used to encrypt and the private key is used to decrypt. The private key is stored on a central server maintained by the cyber-criminals and not available unless the victim pays the ransom or at some point, law enforcement authorities arrest the criminals...seize the C2 server and release the private RSA decryption keys to the public. In some cases, the cyber-criminals, for whatever reason, choose to release the master keys after a period of time.

Dr.Web statistics show that the probability of restoring files compromised by encryption ransomware doesn't exceed 10%. That means that most of user data has been lost for good!

Dr.Web: Encryption ransomware - Threat No. 1

When or if a decryption solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

I uploaded a file with .FIXI extension. Regarding ID Ransomware it is GlobeImposter 2.0. Isn´t it?

We have backup from the files, but we want to get known how the ransomware could be installed.

The .FIXI extension is one used by GlobeImposter 2.0 which will leave files (ransom notes) named how_to_back_files.html, HOW_OPEN_FILES.html, how_to_recover_files.html. The ransom note instructs victims to contact the cyber-criminals at "happydaayz@aol.com", "strongman@india.com", "keepcalmpls@india.com", "byd@india.com", "cryptohelpers@india.com" to get payment instructions.

Crypto malware and other forms of ransomware in particular are typically spread through some type of "user interaction"...opening a malicious email attachment, executing a malcious file, via web exploits, exploit kits, malvertising campaigns and drive-by downloads when visiting compromised web sites. RDP Bruteforce attacks against servers are also an increasing common malware vector by those involved with the development and spread of ransomware.

Section in this topic explains in more detail the most common methods Crypto malware (file encrypting ransomware) and other forms of ransomware is typically delivered and spread.

uninterrupted mode - you mean safe mode?

In this mide, you files was not encrypted?

You turn off networck before reboot first time?

Edited by tolliik, 23 June 2017 - 07:05 AM.

Вы с Украины, да?

Yes safe mode. (Sorry google translator) In a safe mode everything looks normal, what do you recommend to do?

tou files opening in safe mode?

very strange, becouse my files in safe mode are encrypted. with extension .pscrypt

if you files good, try to backup them.

Tan find some pc or notebook without important files, and copy some one files from encrypted pc. try to worck at this pc few day. if everesing good - you very lucky men.

 

PS. Sory for my english.

Спасибо, думаю мы свами говорим на одном языке.

)) Ну да.

 

Я правильно понял, что Вы перезагрузили компьютер утром, у Вас поменялось письмо с требованием денег (у меня назывется rahunok.html), после этого Вы загрузились в безопасном режиме и Ваши файлы открываются нормально?