Recent victims of Globelmposter 2.0 found themselves grasping for a means to decrypt data after the TOR site in their ransomware notice was abandoned by its creators. In lieu of having backups, these victims have no path to decrypt their data or contact the hackers. Recent examples of the ransom notice left on encrypted machines appear below, and direct the user to a broken TOR site.
Example of Globelmposter Ransom notice directing the victim to an abandoned TOR site
Globelmposter TOR site more confusing than other ransomware TOR sites
The first oddity about the GlobeImposter TOR site is that the landing page does not sort the victims by the unique ID listed on their ransom notice. This function is mandatory in order to properly direct a victim’s payment to their unique ID and corresponding decryption tool.
TOR Landing page for Globelmposter Ransomware
Other types of ransomware, such as GandCrab and Nozelesn, direct victims to a unique page as a first step. GandCrab ransomware utilizes the victims unique ransom.txt file to direct each victim to a unique page, while Nozelesn uses a unique ID (below image).
Globelmposter TOR site appears functional, but does not work.
The site appears more robust than it actually is. As is standard, the site offers free decryption of a single file. However, unlike GandCrab, the victim is not able to upload the file to the site. Instead they are directed to a support ticketing system. The ticketing system allows the user to upload a file and send a short message with their contact information. In both live cases and tests, this support function is not working. The tickets are submitted with confirms sent to the email address input. You can even log back in to check the status of these tickets. The problem is no one replies. There is no indication that the support function is being monitored. The support function is not a live chat like GandCrab, rather an email based ticketing system powered by OsTicket.
Test Ransom Payments Resulted in Error Messages
When testing the actual ransom payment function and confirmation, errors where thrown when trying to confirm that a payment had been sent, further demonstrating that the site has been abandoned.
Globelmposter email correspondence continues to work
Meanwhile, other Globelmposter ransomware attacks using email based correspondence continue to work. On these incidents, the data recovery rate continues to be very high. Unfortunately, the hacker correspondents via email are unable or unwilling to assist victims that have been directed to the TOR site.
For the sake of GlobeImposters TOR site victims we hope that the Globelmposter developers will update their TOR site, or respond to their ticketing system so that victims without backups can attempt recovery. Without a means to recover the data GlobeImposter encryptions are nothing more than data wipes.
*** This is a Security Bloggers Network syndicated blog from Blog | Latest Ransomware News and Trends | Coveware authored by Bill Siegel. Read the original post at: https://www.coveware.com/blog/2018/12/6/abandoned-globelmposter-tor-site-leaves-ransomware-victims-without-options