[BreachExchange] GlobeImposter ransomware victims find themselves abandoned by their extortionists

Destry Winant destry at riskbasedsecurity.com
Wed Dec 12 07:47:30 EST 2018


https://www.grahamcluley.com/globeimposter-ransomware-victims-find-themselves-abandoned-by-their-extortionists/

A wave of the GlobeImposter 2.0 ransomware infected the computers of
innocent internet users, and told them to visit a Tor website in order
to pay up and have their files decrypted.

Nothing so unusual in that, but as researchers at Coveware report,
these particular victims have been left in the lurch because the
masterminds behind the attack appear to have abandoned the recovery
website:

As is standard, the site offers free decryption of a single file.
However, unlike GandCrab, the victim is not able to upload the file to
the site. Instead they are directed to a support ticketing system. The
ticketing system allows the user to upload a file and send a short
message with their contact information. In both live cases and tests,
this support function is not working. The tickets are submitted, with
confirmations sent to the email address input. You can even log back in to
check the status of these tickets. The problem is no one replies.
There is no indication that the support function is being monitored.

So, if victims cannot trial the decryption service for free on one
file, will they have better luck if they simply pay the ransom?
Unfortunately, according to Coveware, they won’t.

When testing the actual ransom payment function and confirmation,
errors were thrown when trying to confirm that a payment had been
sent, further demonstrating that the site has been abandoned.

Other GlobeImposter ransomware attacks have provided email addresses
for victims to correspond with, and these reportedly have resulted in
users successfully making contact with their extortionists and getting
their files decrypted.

However, for whatever reason (it’s unclear whether they are unwilling or
unable), the attackers who monitor those email addresses are no
help to victims who were directed to the Tor site.

So, if you don’t have a secure backup of your data before it was
encrypted by the ransomware, you’re left clutching at straws that
someday the extortionists might update and fix their webpage.

Don’t wait until it’s too late to think about your backup regime.

Listen to this episode of the “Smashing Security” podcast to learn
more about backups.

