
Topic: Files encrypted with .globe extension requesting 1.5BTC to decrypt (Read 2627 times)

legendary
Activity: 2870
Merit: 7490
A few options for you:
1. Wait for someone/some group to make a tool which can decrypt that ransomware.
2. Check whether people who got this ransomware got their files decrypted after they paid 1.5BTC, in case your data is really important to you and it's already encrypted.
3. Carefully recover any data which isn't encrypted yet.
legendary
Activity: 1232
Merit: 1002
Two days ago I read somewhere that one of the types of this ransomware virus was broken and now they have some kind of hack for it. In other words, you can find the password that the encryption was done with, because the code of the virus was hacked or something.

care to share the links?

thanks
legendary
Activity: 1638
Merit: 1163
Where is my ring of blades...
Two days ago I read somewhere that one of the types of this ransomware virus was broken and now they have some kind of hack for it. In other words, you can find the password that the encryption was done with, because the code of the virus was hacked or something.

edit: read the sticky there: https://www.reddit.com/r/Ransomware/
legendary
Activity: 2912
Merit: 1068
I don't think that you can decrypt these files on your own unless you have the key. If you pay there is no guarantee either that criminals will decrypt your files. I hope you have the back up, this is the only free and safe solution.
legendary
Activity: 1232
Merit: 1002
Not sure if it's any help, but googling for [email protected] (part of the filename you stated), turned up this result: http://support.emsisoft.com/topic/20227-help-my-server-is-infected-with-777-ransom/

apparently, those guys have a decryptor, in case your files are encrypted by the same ransomware:
Quote
The 777 Decryption tool has been updated: https://decrypter.emsisoft.com/777

Another result was this one:
http://www.bleepingcomputer.com/forums/t/624861/new-ransomware-legioner-seven/

Although their outcome was a little more bleak:

Quote
Unfortunately, at this time, there is no known way to decrypt files encrypted by CrySiS without paying the ransom.

Good luck!

my files are all *.xtbl now

Even the readme that was pasted here in the first post is encrypted now .... what the fuck's wrong with people these days?


is it possible to make a pool to decrypt the files with brute-force?

legendary
Activity: 3584
Merit: 5243
Not sure if it's any help, but googling for [email protected] (part of the filename you stated), turned up this result: http://support.emsisoft.com/topic/20227-help-my-server-is-infected-with-777-ransom/

apparently, those guys have a decryptor, in case your files are encrypted by the same ransomware:
Quote
The 777 Decryption tool has been updated: https://decrypter.emsisoft.com/777

Another result was this one:
http://www.bleepingcomputer.com/forums/t/624861/new-ransomware-legioner-seven/

Although their outcome was a little more bleak:

Quote
Unfortunately, at this time, there is no known way to decrypt files encrypted by CrySiS without paying the ransom.

Good luck!
hero member
Activity: 896
Merit: 1006
OK,


A little update

It seems the files were in process of encrypting
because now all the files look like this

biletetrimitere_document.rpt.id-99XXX999.legioner_seven@aol.com.xtbl

where 99XXX999 is some sort of id ....

also the readme file has disappeared .... now who the fuck should I contact?


STOP USING THAT OS! Clone the HDD!
Clear enough?

And with the right tool, especially since you know where the file was located and what was its name, you can recover it.
But please, ask for help, you obviously don't know enough to help yourself on this. You don't have anybody near you that you trust and can help you out?

That PC is shut down and the HDD is shipped to me as we speak.

It will reach me in about 1 hour or something like that.

I didn't do any steps as I'm not the one who has to perform those operations!

I'm more concerned about the data on that HDD.

Can someone tell me what tools should I have ready when the HDD reaches me?

I can delay it for 30-45 minutes and not telling the person who should "save it" that it did arrive at me!

Thanks
This was written from memory, it might be inaccurate, but I think the easiest way of doing this is:

step 1 => insert the HD into a pc, DO NOT BOOT. Either have a portable HD of the same size as your infected disk or bigger at hand, or insert a second HD into the same pc. Make sure those second HD's are empty, or at least have enough free space for a full disk image!!!
step 2 => boot from a live cd/usb... Google unetbootin in case you don't know how to make one, make sure the usb is fat32
step 3 => search both disks (the infected one and the empty one), lsblk might help you, or maybe your live distro has some partitioning tools, fdisk -l is useful too, the mount command can be used to find out what's mounted and where. Make sure the empty disk is mounted (usually, the linux distro will do this for you)
step 4 => from the terminal, do "dd if=/dev/infected_disk of=/mnt/mybackup.ddimg" (without quotes, double check the devices and mounts before executing)
step 5 => wait, wait, wait

In case you need to restore:  dd if=/mnt/mybackup.ddimg of=/dev/infected_disk

This way, you can restore the infected harddisk as many times as you want. All it'll cost you is a lot of time. In case the data is really valuable to you, you might want to copy mybackup.ddimg to a second harddrive, just in case the first one would ever fail/fall
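
A scripted form of steps 4 and 5 above, as an added example that is not part of the original post: it refuses to overwrite an existing image, sets a real block device read-only before reading it, and only reports success when the SHA-256 of the source and of the copy agree. The function name image_disk and its exit codes are assumptions; /dev/infected_disk and /mnt/mybackup.ddimg are the placeholder names used in the post.

```bash
# Added example, not from the thread. Usage on a live system (names as in
# the post above): image_disk /dev/infected_disk /mnt/mybackup.ddimg
# Prints the SHA-256 of the verified image; non-zero exit on any failure.
image_disk() {
    i_src=$1
    i_img=$2
    if [ ! -r "$i_src" ]; then
        echo "cannot read source: $i_src" >&2; return 2
    fi
    # Never overwrite: a swapped if=/of= or a reused name destroys data.
    if [ -e "$i_img" ]; then
        echo "refusing to overwrite: $i_img" >&2; return 3
    fi
    # On a real block device, have the kernel reject writes first (needs root).
    if [ -b "$i_src" ]; then
        blockdev --setro "$i_src" || return 4
    fi
    # dd stops at the first read error; for a failing disk use GNU ddrescue.
    dd if="$i_src" of="$i_img" bs=4M || return 5
    sync
    # Hash source and copy independently; they must agree.
    i_h1=$(sha256sum < "$i_src" | cut -d' ' -f1)
    i_h2=$(sha256sum < "$i_img" | cut -d' ' -f1)
    if [ -z "$i_h1" ] || [ "$i_h1" != "$i_h2" ]; then
        echo "hash mismatch: $i_h1 vs $i_h2" >&2; return 6
    fi
    # Record the hash beside the image and make the image read-only.
    printf '%s  %s\n' "$i_h2" "$(basename "$i_img")" > "$i_img.sha256"
    chmod a-w "$i_img"
    echo "$i_h2"
}
```

Running sha256sum -c mybackup.ddimg.sha256 in the image's directory later confirms the copy is unchanged before it is restored or handed to a decryption tool.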
legendary
Activity: 3668
Merit: 6382
OK,


A little update

It seems the files were in process of encrypting
because now all the files look like this

biletetrimitere_document.rpt.id-99XXX999.legioner_seven@aol.com.xtbl

where 99XXX999 is some sort of id ....

also the readme file has disappeared .... now who the fuck should I contact?


STOP USING THAT OS! Clone the HDD!
Clear enough?

And with the right tool, especially since you know where the file was located and what was its name, you can recover it.
But please, ask for help, you obviously don't know enough to help yourself on this. You don't have anybody near you that you trust and can help you out?

That PC is shut down and the HDD is shipped to me as we speak.

It will reach me in about 1 hour or something like that.

I didn't do any steps as I'm not the one who has to perform those operations!

I'm more concerned about the data on that HDD.

Can someone tell me what tools should I have ready when the HDD reaches me?

I can delay it for 30-45 minutes and not telling the person who should "save it" that it did arrive at me!

Thanks

Although I didn't do this operation for a few years now, I'd recommend Hiren's BootCD. http://www.hiren.info/pages/bootcd
The CD should have at least tools to clone a HDD (I used back then Norton Ghost), tools to recover files (recuva) and antivirus tools.
legendary
Activity: 1232
Merit: 1002
OK,


A little update

It seems the files were in process of encrypting
because now all the files look like this

biletetrimitere_document.rpt.id-99XXX999.legioner_seven@aol.com.xtbl

where 99XXX999 is some sort of id ....

also the readme file has disappeared .... now who the fuck should I contact?


STOP USING THAT OS! Clone the HDD!
Clear enough?

And with the right tool, especially since you know where the file was located and what was its name, you can recover it.
But please, ask for help, you obviously don't know enough to help yourself on this. You don't have anybody near you that you trust and can help you out?

That PC is shut down and the HDD is shipped to me as we speak.

It will reach me in about 1 hour or something like that.

I didn't do any steps as I'm not the one who has to perform those operations!

I'm more concerned about the data on that HDD.

Can someone tell me what tools should I have ready when the HDD reaches me?

I can delay it for 30-45 minutes and not telling the person who should "save it" that it did arrive at me!

Thanks
hero member
Activity: 3066
Merit: 536
Quote
Let's say my data is worth more than 1.5BTC
If that's so, I would prefer to pay if there's no way to recover it, just to be sure of not losing important data. After that you can just move your important data to your backup disk and then format your old HDD and make it clean of any viruses or malware. Just paying to decrypt doesn't mean your device will be free from this virus, and there's no guarantee that your files will be decrypted either.
legendary
Activity: 3668
Merit: 6382
OK,


A little update

It seems the files were in process of encrypting
because now all the files look like this

biletetrimitere_document.rpt.id-99XXX999.legioner_seven@aol.com.xtbl

where 99XXX999 is some sort of id ....

also the readme file has disappeared .... now who the fuck should I contact?


STOP USING THAT OS! Clone the HDD!
Clear enough?

And with the right tool, especially since you know where the file was located and what was its name, you can recover it.
But please, ask for help, you obviously don't know enough to help yourself on this. You don't have anybody near you that you trust and can help you out?
hero member
Activity: 896
Merit: 1006
OK,


A little update

It seems the files were in process of encrypting
because now all the files look like this

biletetrimitere_document.rpt.id-99XXX999.legioner_seven@aol.com.xtbl

where 99XXX999 is some sort of id ....

also the readme file has disappeared .... now who the fuck should I contact?


You did shut down your PC, removed the HD and cloned it, right? I'm asking just to be sure, because you didn't tell us which steps you already took, or what you're doing to your system right now...
Once you've done this, you can do whatever you want, wait until everything is encrypted, try out different methods,.... Just make sure you have a clone of your disk with as minimal damage as possible!
legendary
Activity: 1232
Merit: 1002
OK,


A little update

It seems the files were in process of encrypting
because now all the files look like this

biletetrimitere_document.rpt.id-99XXX999.legioner_seven@aol.com.xtbl

where 99XXX999 is some sort of id ....

also the readme file has disappeared .... now who the fuck should I contact?
legendary
Activity: 3276
Merit: 1029


I'd advise you to turn your PC off, remove the HD, make a copy from a live linux cd (using dd to copy the disk to a usb storage device, for example), then try to use some decryption tools and see if you can get your data back. IF you ever decide to pay, you can put the disk image back onto the original HD before running their tools.


But before running the tools, you also need to identify the type of ransomware.


Maybe using a CryptoLocker removal guide would be one thing to try:

https://www.youtube.com/watch?v=ob93o-IXWBI
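
An inventory of what the malware renamed, as an added example that is not part of the original posts: it counts files by the two naming patterns reported in this thread (names ending in .globe, and names of the form name.id-ID.address.xtbl) and lists the distinct IDs, which is the information a ransomware identification service or decryptor vendor will ask for. It assumes the cloned image's file system is mounted read-only at the directory passed in; the function names are hypothetical.

```bash
# Added example, not from the thread. DIR is assumed to be the cloned
# image's file system, mounted read-only. A name only shows what was
# renamed; an unrenamed file still has to be opened to confirm it is intact.

# count_files DIR FIND-TESTS...: number of regular files matching the tests.
count_files() {
    c_dir=$1; shift
    # printf emits one "x" per path, so odd characters in names cannot
    # distort the count the way counting lines would.
    echo $(( $(find "$c_dir" -type f "$@" -exec printf 'x%.0s' {} + | wc -c) ))
}

# triage_summary DIR: one line with counts per naming pattern.
triage_summary() {
    s_globe=$(count_files "$1" -name '*.globe')
    s_xtbl=$(count_files "$1" -name '*.id-*.xtbl')
    s_other=$(count_files "$1" ! -name '*.globe' ! -name '*.id-*.xtbl')
    echo "globe=$s_globe xtbl=$s_xtbl other=$s_other"
}

# victim_ids DIR: distinct values of the id- field in renamed .xtbl files.
victim_ids() {
    find "$1" -type f -name '*.id-*.xtbl' |
        sed -n 's/.*\.id-\([^.]*\)\..*\.xtbl$/\1/p' | sort -u
}
```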
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
Have you checked here? - https://www.nomoreransom.org/

It's possible you could get the keys for free but I've no idea how comprehensive it is.
hero member
Activity: 896
Merit: 1006
Usually, they do send you the decryption key. Their business is built on this. If they didn't send you a key after payment, and you posted your story, their next victim wouldn't consider paying.

I'd advise you to turn your PC off, remove the HD, make a copy from a live linux cd (using dd to copy the disk to a usb storage device, for example), then try to use some decryption tools and see if you can get your data back. IF you ever decide to pay, you can put the disk image back onto the original HD before running their tools.

PS: I would advise anybody to ignore payment demands, because these ransomware creators will only keep on creating ransomware as long as their victims pay. As soon as everybody stops paying these guys, they'll stop creating their sh*t. Of course it's still up to you, your data might indeed be worth a lot more than their ransom demand.
legendary
Activity: 1232
Merit: 1002
They will surely not use escrow :)
And I'd say you should not send, but it's up to you. Next time learn to use backup.

setup.exe.globe is a file with changed extension, it may not be encrypted.


Get somebody that knows more about computers to take a look / help you out. Don't start anymore from your original OS and make a copy of everything, even in this state. Check your sensitive data to see what was actually encrypted and see if it is worth risking 1.5BTC for it, which may or may not bring your data back.



They are encrypted :(

At first I thought they were not encrypted .... but they are :(

Anyone paid the .globe ransomware and got the files back?

I want to use this as a second option to what I have in mind, but first I need to know if someone got the decrypting software from these hackers.
legendary
Activity: 1232
Merit: 1017
This is what you call ransomware.
All your files get encrypted and you have to pay for the key to decrypt them.
Sometimes they will give you the key after paying, it is just a guess, you can not be sure. If you had nothing really important or had a backup, don't pay.
legendary
Activity: 3668
Merit: 6382
They will surely not use escrow :)
And I'd say you should not send, but it's up to you. Next time learn to use backup.

setup.exe.globe is a file with changed extension, it may not be encrypted.


Get somebody that knows more about computers to take a look / help you out. Don't start anymore from your original OS and make a copy of everything, even in this state. Check your sensitive data to see what was actually encrypted and see if it is worth risking 1.5BTC for it, which may or may not bring your data back.

legendary
Activity: 3276
Merit: 1029
Hello

So this seems to be another perfectly beautiful Monday morning!

I've woken up to this problem.

All the files are encrypted like this setup.exe.globe

And have a readme file with this shit

Code:
Your files are encrypted!
Baш личный идeнтификaтop

deleted


Your documents, photos, databases, important data were encrypted.
Data recovery is required decipherer.
To get the interpreter should send an email to [email protected].
Next, you need to pay for the interpreter. In a response letter you will receive the address of Bitcoin-wallet to which you want        perform the transfer of funds in the amount of 1.5 Bitcoin .
If you have no Bitcoin
Create a wallet Bitcoin: https://blockchain.info/ru/wallet/new
Get cryptocurrency Bitcoin:
https://localbitcoins.com/ru/buy_bitcoins (Visa/MasterCard, QIWI Visa Wallet и дp.)
https://ru.bitcoin.it/wiki/Пpиoбpeтeниe_биткoйнoв (instruction for beginners)
When the transfer is confirmed, you will get the decryption files for your computer.
After start-interpreter program, all your files will be restored.
Attention!
Do not attempt to remove the program or run the anti-virus tools
Attempts to self-decrypting files will result in the loss of your data
Decoders are not compatible with other users of your data, because each user's unique encryption key

Anyone had this problem before?

Let's say my data is worth more than 1.5BTC ... should I pay? Will they send me the decrypt key? Will they use escrow?
I would really like to hear opinions from people who had this problem also and they paid the ransom.
That is just a trap; if you send your money to them, I think they will never give you a decryption key.

You have the same situation as this one:

https://forum.kaspersky.com/lofiversion/index.php/t110225.html

But since your extension is .globe, I can't assume that it is a CryptoLocker ransom.

But first, you need to identify which ransomware .globe is related to.