Bitcoin Forum
Topic: Files encrypted with .globe extension requesting 1.5BTC to decrypt
serje (OP), Legendary
August 29, 2016, 09:05:57 AM, #1

Hello

So this seems to be another perfectly beautiful Monday morning!

I woke up to this problem.

All the files are encrypted like this: setup.exe.globe

And have a readme file with this shit

Code:
Your files are encrypted!
Your personal identifier

deleted


Your documents, photos, databases, important data were encrypted.
Data recovery is required decipherer.
To get the interpreter should send an email to frogobigens@india.com.
Next, you need to pay for the interpreter. In a response letter you will receive the address of Bitcoin-wallet to which you want perform the transfer of funds in the amount of 1.5 Bitcoin .
If you have no Bitcoin
Create a wallet Bitcoin: https://blockchain.info/ru/wallet/new
Get cryptocurrency Bitcoin:
https://localbitcoins.com/ru/buy_bitcoins (Visa/MasterCard, QIWI Visa Wallet, etc.)
https://ru.bitcoin.it/wiki/Пpиoбpeтeниe_биткoйнoв (instruction for beginners)
When the transfer is confirmed, you will get the decryption files for your computer.
After start-interpreter program, all your files will be restored.
Attention!
Do not attempt to remove the program or run the anti-virus tools
Attempts to self-decrypting files will result in the loss of your data
Decoders are not compatible with other users of your data, because each user's unique encryption key

Anyone had this problem before?

Let's say my data is worth more than 1.5BTC ... should I pay? Will they send me the decrypt key? Will they use escrow?
I would really like to hear opinions from people who had this problem also and they paid the ransom.

shinratensei_, Legendary
August 29, 2016, 09:12:23 AM (last edit: 09:24:42 AM), #2

Quote from: serje (OP), #1

That is just a trap. If you send your money to them, I think they will never give you a decrypt key.

You have the same situation as this one:

https://forum.kaspersky.com/lofiversion/index.php/t110225.html

But since your extension is .globe, I can't assume that it is a CryptoLocker ransom.

But first, you need to identify which ransomware .globe is related to.

NeuroticFish, Legendary
August 29, 2016, 09:14:36 AM, #3

They will surely not use escrow :)
And I'd say you should not send, but it's up to you. Next time learn to use backups.

setup.exe.globe is a file with a changed extension, it may not be encrypted.


Get somebody that knows more about computers to take a look / help you out. Don't boot from your original OS anymore and make a copy of everything, even in this state. Check your sensitive data to see what was actually encrypted and see if it is worth risking 1.5BTC for it, which may or may not bring your data back.


FruitsBasket, Legendary
August 29, 2016, 09:16:30 AM, #4

This is what you call ransomware.
All your files get encrypted and you have to pay for the key to decrypt them.
Sometimes they will give you the key after paying, but it is just a guess, you can not be sure. If you had nothing really important or had a backup, don't pay.

serje (OP), Legendary
August 29, 2016, 09:23:20 AM, #5

Quote from: NeuroticFish, #3



They are encrypted :(

At first I thought they were not encrypted .... but they are :(

Anyone paid the .globe ransomware and got the files back?

I want to use this as a second option to what I have in mind, but first I need to know if someone got the decrypting software from these hackers.

altcoinhosting, Hero Member
August 29, 2016, 09:24:04 AM, #6

Usually, they do send you the decryption key. Their business is built on this. If they wouldn't send you a key after payment, and you posted your story, their next victim wouldn't consider paying.

I'd advise you to turn your PC off, remove the HD, make a copy from a live Linux CD (using dd to copy the disk to a USB storage device, for example), then try to use some decryption tools and see if you can get your data back. If you ever decide to pay, you can put the disk image back onto the original HD before running their tools.

PS: I would advise anybody to ignore payment demands, because these ransomware creators will only keep on creating ransomware as long as their victims pay. As soon as everybody stops paying these guys, they'll stop creating their sh*t. Of course it's still up to you, your data might indeed be worth a lot more than their ransom demand.

gentlemand, Legendary
August 29, 2016, 09:25:21 AM, #7

Have you checked here? - https://www.nomoreransom.org/

It's possible you could get the keys for free but I've no idea how comprehensive it is.
shinratensei_, Legendary
August 29, 2016, 09:32:40 AM, #8



Quote from: altcoinhosting, #6


But before running the tools, you also need to identify the type of ransomware first.


Maybe using a CryptoLocker removal guide will be one way to try:

https://www.youtube.com/watch?v=ob93o-IXWBI

serje (OP), Legendary
August 29, 2016, 10:04:49 AM, #9

OK,


A little update

It seems the files were in process of encrypting
because now all the files look like this

biletetrimitere_document.rpt.id-99XXX999.legioner_seven@aol.com.xtbl

where 99XXX999 is some sort of id ....

also the readme file has disappeared .... now who the fuck should I contact?

altcoinhosting, Hero Member
August 29, 2016, 10:08:43 AM, #10

Quote from: serje (OP), #9


You did shut down your PC, removed the HD and cloned it, right? I'm asking just to be sure, because you didn't tell us which steps you already took, or what you're doing to your system right now...
Once you've done this, you can do whatever you want, wait until everything is encrypted, try out different methods,.... Just make sure you have a clone of your disk with as little damage as possible!

NeuroticFish, Legendary
August 29, 2016, 10:11:30 AM, #11

Quote from: serje (OP), #9


STOP USING THAT OS! Clone the HDD!
Clear enough?

And with the right tool, especially since you know where the file was located and what was its name, you can recover it.
But please, ask for help, you obviously don't know enough to help yourself on this. You don't have anybody near you that you trust and can help you out?

X-ray, Hero Member
August 29, 2016, 10:12:11 AM, #12

Quote from: serje (OP), #1
Let's say my data is worth more than 1.5BTC

If that is so, I would prefer to pay if there's no way to recover it, just to be sure not to lose important data. After that you can just move your important data to your backup disk and then format your old HDD and make it clean of any viruses or malware. Just paying to decrypt doesn't mean your device will be free from this virus, and there is no guarantee that your files will be decrypted either.

serje (OP), Legendary
August 29, 2016, 10:23:14 AM, #13

Quote from: NeuroticFish, #11

That PC is shut down and the HDD is being shipped to me as we speak.

It will reach me in about 1 hour or something like that.

I didn't do any steps as I'm not the one who has to perform those operations!

I'm more concerned about the data on that HDD.

Can someone tell me what tools I should have ready when the HDD reaches me?

I can delay it for 30-45 minutes and not tell the person who should "save it" that it did arrive at me!

Thanks

NeuroticFish, Legendary
August 29, 2016, 10:28:38 AM, #14

Quote from: serje (OP), #13

Although I haven't done this operation for a few years now, I'd recommend Hiren's BootCD. http://www.hiren.info/pages/bootcd
The CD should have at least tools to clone a HDD (back then I used Norton Ghost), tools to recover files (Recuva) and antivirus tools.

altcoinhosting, Hero Member
August 29, 2016, 11:25:16 AM, #15

Quote from: serje (OP), #13

This was written from memory, it might be inaccurate, but I think the easiest way of doing this is:

step 1 => insert the HD into a PC, DO NOT BOOT. Either have a portable HD of the same size as your infected disk or bigger at hand, or insert a second HD into the same PC. Make sure those second HDs are empty, or at least have enough free space for a full disk image!!!
step 2 => boot from a live CD/USB... Google unetbootin in case you don't know how to make one, make sure the USB is FAT32
step 3 => search both disks (the infected one and the empty one), lsblk might help you, or maybe your live distro has some partitioning tools, fdisk -l is useful too, the mount command can be used to find out what's mounted and where. Make sure the empty disk is mounted (usually, the Linux distro will do this for you)
step 4 => from the terminal, do "dd if=/dev/infected_disk of=/mnt/mybackup.ddimg" (without quotes, double check the devices and mounts before executing)
step 5 => wait, wait, wait

In case you need to restore:  dd if=/mnt/mybackup.ddimg of=/dev/infected_disk

This way, you can restore the infected hard disk as many times as you want. All it'll cost you is a lot of time. In case the data is really valuable to you, you might want to copy mybackup.ddimg to a second hard drive, just in case the first one would ever fail/fall.
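
The steps above, as an added example that is not altcoinhosting's own script and not from the original thread: the dd imaging and restore wrapped in shell functions that also record and verify a SHA-256 of the image, so you can prove the copy is faithful before you run any decryptor (or the attackers' tool) against it. Assumed: GNU coreutils dd and sha256sum (falls back to shasum -a 256) on the live system; `/dev/sdb`, `/mnt/mybackup.ddimg` and `image.sh` are placeholders, and the device names must be confirmed with lsblk / fdisk -l first, exactly as step 3 says.

```shell
#!/bin/sh
# Added example, not from the original thread: the imaging steps above as
# shell functions that also record and verify a SHA-256 of the image.
# Assumes GNU coreutils dd and sha256sum (falls back to shasum -a 256).
# Device names are placeholders: confirm them with lsblk / fdisk -l first.

# hash_of PATH: print the SHA-256 hex digest of a file or block device.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_disk SOURCE_DEV IMAGE_FILE
#   Raw-copies the source into an image file. conv=noerror,sync keeps going
#   past unreadable sectors and zero-fills them so offsets in the image stay
#   aligned with the source; bs=512 is the sector size, and keeping bs at
#   the sector size means that padding never changes the image length.
#   Refuses to overwrite an existing image and stores the source hash next
#   to the image so the copy can be re-checked any time later.
image_disk() {
    src="$1"; img="$2"
    if [ ! -r "$src" ]; then
        echo "image_disk: cannot read $src" >&2; return 1
    fi
    if [ -e "$img" ]; then
        echo "image_disk: refusing to overwrite $img" >&2; return 1
    fi
    dd if="$src" of="$img" bs=512 conv=noerror,sync || return 1
    hash_of "$src" > "$img.sha256"
}

# verify_image SOURCE_DEV IMAGE_FILE
#   Succeeds only if the image, the hash recorded at imaging time and the
#   source as it is right now all agree. A mismatch means the image is
#   damaged or the source has changed since imaging (for example, it was
#   booted again).
verify_image() {
    src="$1"; img="$2"
    recorded=$(cat "$img.sha256" 2>/dev/null) || return 1
    [ "$(hash_of "$img")" = "$recorded" ] && [ "$(hash_of "$src")" = "$recorded" ]
}

# restore_image IMAGE_FILE TARGET_DEV
#   Writes the image back to a device, but only after checking the image
#   against its recorded hash, so a corrupted or truncated image is never
#   written over the disk.
restore_image() {
    img="$1"; dev="$2"
    recorded=$(cat "$img.sha256" 2>/dev/null) || return 1
    if [ "$(hash_of "$img")" != "$recorded" ]; then
        echo "restore_image: $img does not match $img.sha256, not restoring" >&2
        return 1
    fi
    dd if="$img" of="$dev" bs=512 conv=noerror,sync
}

# Stand-alone use from the live CD, after double-checking the device names:
#   sh image.sh /dev/sdb /mnt/mybackup.ddimg
if [ $# -eq 2 ]; then
    image_disk "$1" "$2" && verify_image "$1" "$2" && echo "image verified"
fi
```

Two caveats. If the live system auto-mounted the infected disk, unmount it before imaging so nothing writes to it while it is being read. And bs=512 is slow on a large disk: on a healthy disk you can drop conv=sync and raise bs (the padding only matters when reads fail), while a disk that really does have bad sectors is better handled by ddrescue, which retries and logs the unreadable ranges instead of silently zero-filling them.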

mocacinno, Legendary
August 29, 2016, 11:35:10 AM, #16

Not sure if it's any help, but Googling for legioner_seven@aol.com (part of the filename you stated) turned up this result: http://support.emsisoft.com/topic/20227-help-my-server-is-infected-with-777-ransom/

Apparently, those guys have a decryptor, in case your files are encrypted by the same ransomware:
Quote
The 777 Decryption tool has been updated: https://decrypter.emsisoft.com/777

Another result was this one:
http://www.bleepingcomputer.com/forums/t/624861/new-ransomware-legioner-seven/

Although their outcome was a little more bleak:

Quote
Unfortunately, at this time, there is no known way to decrypt files encrypted by CrySiS without paying the ransom.

Good luck!

serje (OP), Legendary
August 29, 2016, 12:02:02 PM, #17

Quote from: mocacinno, #16

My files are all *.xtbl now.

Even the readme that was pasted here in the first post is now encrypted .... what the fuck is wrong with people these days?


Is it possible to make a pool to decrypt the files with brute-force?


bitbunnny, Legendary
August 29, 2016, 12:06:23 PM, #18

I don't think that you can decrypt these files on your own unless you have the key. If you pay there is no guarantee either that the criminals will decrypt your files. I hope you have a backup, this is the only free and safe solution.

Pursuer, Legendary
August 29, 2016, 12:17:25 PM, #19

Two days ago I read somewhere that one of the types of this ransomware virus was broken and now there is some kind of hack for it. In other words, you can find the password that the encryption was done with, because the code of the virus was hacked or something.

Edit: read the sticky there: https://www.reddit.com/r/Ransomware/

serje (OP), Legendary
August 29, 2016, 12:26:02 PM, #20

Quote from: Pursuer, #19

Care to share the links?

Thanks
