GlobeImposter 2.0 TOR site is broken and victims can’t recover data

 

Recent victims of GlobeImposter 2.0 found themselves grasping for a means to decrypt their data after the TOR site named in their ransom notice was abandoned by its creators. Without backups, these victims have no path to decrypt their data or contact the hackers. Recent examples of the ransom notice left on encrypted machines appear below; they direct the user to a broken TOR site.

 

Example of GlobeImposter ransom notice directing the victim to an abandoned TOR site

 

GlobeImposter TOR site more confusing than other ransomware TOR sites

The first oddity about the GlobeImposter TOR site is that the landing page does not sort the victims by the unique ID listed on their ransom notice. This function is mandatory in order to properly direct a victim’s payment to their unique ID and corresponding decryption tool.

TOR landing page for GlobeImposter ransomware

Other types of ransomware, such as GandCrab and Nozelesn, direct victims to a unique page as a first step. GandCrab ransomware uses the victim’s unique ransom.txt file to direct each victim to a unique page, while Nozelesn uses a unique ID (image below).

 

Nozelesn TOR Landing Page

 

GlobeImposter TOR site appears functional, but does not work.

The site appears more robust than it actually is. As is standard, the site offers free decryption of a single file. However, unlike GandCrab, the victim is not able to upload the file to the site. Instead, they are directed to a support ticketing system. The ticketing system allows the user to upload a file and send a short message with their contact information. In both live cases and tests, this support function is not working. Tickets are submitted, and confirmations are sent to the email address entered. You can even log back in to check the status of these tickets. The problem is that no one replies. There is no indication that the support function is being monitored. The support function is not a live chat like GandCrab’s, but rather an email-based ticketing system powered by osTicket.

 

GlobeImposter support ticket site

Test Ransom Payments Resulted in Error Messages

When testing the actual ransom payment function and confirmation, errors were thrown when trying to confirm that a payment had been sent, further demonstrating that the site has been abandoned.

Response to Payment confirmation Link

 

GlobeImposter email correspondence continues to work

Meanwhile, other GlobeImposter ransomware attacks using email-based correspondence continue to work. In these incidents, the data recovery rate continues to be very high. Unfortunately, the hackers corresponding via email are unable or unwilling to assist victims that have been directed to the TOR site.

For the sake of GlobeImposter’s TOR site victims, we hope that the GlobeImposter developers will update their TOR site, or respond to their ticketing system, so that victims without backups can attempt recovery. Without a means to recover the data, GlobeImposter encryptions are nothing more than data wipes.

 



*** This is a Security Bloggers Network syndicated blog from Blog | Latest Ransomware News and Trends | Coveware authored by Bill Siegel. Read the original post at: https://www.coveware.com/blog/2018/12/6/abandoned-globelmposter-tor-site-leaves-ransomware-victims-without-options

Bill Siegel


Bill Siegel is the CEO and Co-founder of Coveware, a ransomware incident response firm. Before founding Coveware, Bill Siegel was the CFO of SecurityScorecard, a NY based cyber security ratings company. Prior to SecurityScorecard, Bill was the CEO of Secondmarket, and served as the Head of NASDAQ Private Market following Nasdaq’s acquisition of SecondMarket in 2015.
