[Taku]

Ok, I'm back up (partially). Still got a lot to do but wanted to get on here and see what was up.
Sounds like them ♥♥♥♥♥♥♥s decided to get on my Discord...hopefully resetting my password will keep them out. I just hope I won't have to get a new account or anything. Will resetting password be enough?

YAY! And. . . sorry about that. I was afraid it would be GlobeImposter 2. It's been going around it seems.

As for your password? Probably. Depending on the way you configure your passwords.
My Discord PW goes something like:
DSCO-)*^xxxxxxxx)*&x(&*xxxxxxxxxxxxxxxxxxxxxxxxx-xxxxx[xxxxxxxxxxxxxxxxx
where x=something, for example. And it matches absolutely none of my other passwords. I have a vault. A big, third-party vault.

[deuZige]

Ehm, as far as I'm aware the globeimposter 2 variant is pretty well known and near-complete decryption should be doable with a little effort. It's a variant of the origional Globeimposter with, as far as i can tell, little real changes. The encryption isn't total, and probably only a few mb's of each file actually is encrypted. So if there's large files involved, they should be recoverable for the most part.

Have a look through some of the result here:
(https://duckduckgo.com/?q=GlobeImpos...=v295-3&ia=web)

I'd hold off on the full system wipe and look into it a bit before throwing in the towel. Regardless of that you do have to assume that everything you had access to that wasn't protected by 2-factor authentication (and possibly even some that did) is now in the hands of the script kidz that infected you.

So the very first focus should be to make a list of every account you use, their method of authentication and then (from a liveboot machine) go to each one of them, try to access and if successful download everything you can, and close those accounts, and after you've got everything you could assess the damage.

You also should keep the infected system off the net (period, no exceptions or excuses) recover everything you can (decrypt it perhaps) and then do a thorough wipe regardless of anything. I'm talking about writing the storage with 1's and then writing 0's (every single bit, even if its empty) before finally repartitioning and using the storage again.

Only then should you consider connecting that machine back to anything that resembles a network.

If you're looking for the cleanest and safe procedure to follow after the recovery process I would advise deleting every single account you've ever accessed from that machine. Not just changing passwords, and or email addresses, not just switching on 2fa, none of that.

DELETE IT ALL!

The email addresses used in those accounts should also be considered a liability from now on, and also be deleted.

They only need one overlooked file or something they were able to hide a backdoor in/under/on and you're right back where you started, or even worse: motivating them to keep you as an active target for a while because you're a bit more challenging than a computer illiterate.

Create new accounts for everything you NEED access to but do not use email adresses, naming or protection that's similar to the old ones and if possible use 2fa at all times.

I know i sound overreacting but trust me i have been in your shoes myself and i can tell you they can hide trigger script or code in a document, music file, video file or even in a simple cookie.

If like you mentioned the machine infected didn't contain financial or other things that you need for survival or income or whatever, especially if its only mp3's, avi's and the like, It's not worth the risk, destroy it!

Keep in mind that EVERYTHING you did before you got infected is now a potential source of re-infection. you cannot use that ever again, without risking a repeat.

Best of luck my friend, I do not envy you. But I found having to go through that process is in a way therapeutic. It also forces you to realize how much you accumulate across the net in the sense of no longer used accounts, and information/data that is useless, obsolete but not deleted and removed.

Good luck!

[jdcollins]

Ehm, as far as I'm aware the globeimposter 2 variant is pretty well known and near-complete decryption should be doable with a little effort. It's a variant of the origional Globeimposter with, as far as i can tell, little real changes. The encryption isn't total, and probably only a few mb's of each file actually is encrypted. So if there's large files involved, they should be recoverable for the most part.

Have a look through some of the result here:
(https://duckduckgo.com/?q=GlobeImpos...=v295-3&ia=web)

I'd hold off on the full system wipe and look into it a bit before throwing in the towel. Regardless of that you do have to assume that everything you had access to that wasn't protected by 2-factor authentication (and possibly even some that did) is now in the hands of the script kidz that infected you.

So the very first focus should be to make a list of every account you use, their method of authentication and then (from a liveboot machine) go to each one of them, try to access and if successful download everything you can, and close those accounts, and after you've got everything you could assess the damage.

You also should keep the infected system off the net (period, no exceptions or excuses) recover everything you can (decrypt it perhaps) and then do a thorough wipe regardless of anything. I'm talking about writing the storage with 1's and then writing 0's (every single bit, even if its empty) before finally repartitioning and using the storage again.

Only then should you consider connecting that machine back to anything that resembles a network.

If you're looking for the cleanest and safe procedure to follow after the recovery process I would advise deleting every single account you've ever accessed from that machine. Not just changing passwords, and or email addresses, not just switching on 2fa, none of that.

DELETE IT ALL!

The email addresses used in those accounts should also be considered a liability from now on, and also be deleted.

They only need one overlooked file or something they were able to hide a backdoor in/under/on and you're right back where you started, or even worse: motivating them to keep you as an active target for a while because you're a bit more challenging than a computer illiterate.

Create new accounts for everything you NEED access to but do not use email adresses, naming or protection that's similar to the old ones and if possible use 2fa at all times.

I know i sound overreacting but trust me i have been in your shoes myself and i can tell you they can hide trigger script or code in a document, music file, video file or even in a simple cookie.

If like you mentioned the machine infected didn't contain financial or other things that you need for survival or income or whatever, especially if its only mp3's, avi's and the like, It's not worth the risk, destroy it!

Keep in mind that EVERYTHING you did before you got infected is now a potential source of re-infection. you cannot use that ever again, without risking a repeat.

Best of luck my friend, I do not envy you. But I found having to go through that process is in a way therapeutic. It also forces you to realize how much you accumulate across the net in the sense of no longer used accounts, and information/data that is useless, obsolete but not deleted and removed.

Good luck!

I've already formatted all my drives and re-installed my OS.

So, you're saying that even though I formatted all of the drives during OS re-install that something could be left behind?

I changed my e-mail passwords on my phone and away from home so as not to be linked to my home's wireless connection.
Even changed password to Face Book.
I've also been redoing log in and passwords to sites that involve purchases and I have no plans to link my new bank card (which I got early Saturday) to any site. Also ensured that no sites or passwords are being saved by my browser.
I'm thinking about trying the Bit Locker that comes with windows. Anyone have any experience with it?

I also just looked at link, I did not see the file format they used on me. It was a .xls and when opened was usually a full page of code.

[deuZige]

Regarding formatting drives and re-installing:
The Globeimposter is usually working from a rootkit entry point. Ie. the infection itself is located somewhere the operating system does not have access to or is unable to see. Tracks, cylinders or blocks on the harddrive that for example ntfs and windows do not or cannot read or write.

Secondly when you format a drive, you do not format a drive. You merely remove the index in which the location of your data is registered. Then a new one is created, empty, after which only newly stored data is written and its location recorded in that index. As long as nothing new is written at any location, whatever was written on that location is still there. It's just not known that it is there and what it is that's there.

Tools and methods can easily recover that data and reconstitute is into its origional form (toold like recuva do this).
This can ofcourse be used malisciously by storing the malware code on an obscure rarely used drive location, keeping index of where the malware code is written seperate from the drive's and then after a format, and often even during the installation of the os, this malware code is reconstituted by the rootkit based malware having the drives or at least the system back infected before the OS is done installing.

As far as using old accounts by simply resetting the password....

You need to keep in mind that where ever they've had access to, they could have placed hidden things that could be of use to them at a later date.
They could have recorded all the email adresses you use for account recovery and password reset purposes and found one of those to be based on a system that has a vulnerability they can exploit to gain access or to have BCC's sent somewhere they have access to. Every account not protected by a very good 2 factor authentication (ie. google authenticate or similar app) is a potential threat to your whole online existence. Even 2fa using sms's or using mail verification is a potential way in, depending on the resourses the hackers have to imploy more advanced techniques.An sms sent to one phonenumber can relatively easily trigger a duplicate to be sent to another (even spoofed maybe) destination.

Passwords as a method of securing account access, sadly, is simply no longer safe, and not usable to secure an account anymore. The simple 2fa (a message, code or link sent to a phone or email adress) is also no longer reliable. The code generating apps like google authenticator or microsoft's one are the lowest account security measure safe anough to be kept after being completely ripped a new one like you've been. You said yourself, they managed to buy stuff in your name. That is (or should be) hard to do, even for good blackhatters.

- - - Updated - - -

And now i'm going to sleep, for realsies this time.

[Mack]

Setup 2FA. Even your amazon account can be defended by 2FA Google Authenticator apps. When on Amazon visit your account > Login & Security settings.

Especially setup 2FA on portals/apps where you have your credit cards / corporate credit cards / debit cards / prepaid cards details put in. Most apps/portals come with this feature, it's just a matter of taking the time to go to your account settings and discovering them.

About two or three years ago my steam was hacked and this is some sound advice I got from Laz and folks on TS. Since then I do this everywhere. Though most of my local banks also now have with pass + face lock feature as well - I practice this on every other app.

Even NVIDIA Geforce Experience app has recently put this in.

[jdcollins]

Regarding formatting drives and re-installing:
The Globeimposter is usually working from a rootkit entry point. Ie. the infection itself is located somewhere the operating system does not have access to or is unable to see. Tracks, cylinders or blocks on the harddrive that for example ntfs and windows do not or cannot read or write.

Secondly when you format a drive, you do not format a drive. You merely remove the index in which the location of your data is registered. Then a new one is created, empty, after which only newly stored data is written and its location recorded in that index. As long as nothing new is written at any location, whatever was written on that location is still there. It's just not known that it is there and what it is that's there.

Tools and methods can easily recover that data and reconstitute is into its origional form (toold like recuva do this).
This can ofcourse be used malisciously by storing the malware code on an obscure rarely used drive location, keeping index of where the malware code is written seperate from the drive's and then after a format, and often even during the installation of the os, this malware code is reconstituted by the rootkit based malware having the drives or at least the system back infected before the OS is done installing.

As far as using old accounts by simply resetting the password....

You need to keep in mind that where ever they've had access to, they could have placed hidden things that could be of use to them at a later date.
They could have recorded all the email adresses you use for account recovery and password reset purposes and found one of those to be based on a system that has a vulnerability they can exploit to gain access or to have BCC's sent somewhere they have access to. Every account not protected by a very good 2 factor authentication (ie. google authenticate or similar app) is a potential threat to your whole online existence. Even 2fa using sms's or using mail verification is a potential way in, depending on the resourses the hackers have to imploy more advanced techniques.An sms sent to one phonenumber can relatively easily trigger a duplicate to be sent to another (even spoofed maybe) destination.

Passwords as a method of securing account access, sadly, is simply no longer safe, and not usable to secure an account anymore. The simple 2fa (a message, code or link sent to a phone or email adress) is also no longer reliable. The code generating apps like google authenticator or microsoft's one are the lowest account security measure safe anough to be kept after being completely ripped a new one like you've been. You said yourself, they managed to buy stuff in your name. That is (or should be) hard to do, even for good blackhatters.

- - - Updated - - -

And now i'm going to sleep, for realsies this time.

Well crap, sounds like the only thing I can do that will be reliable is trash all of my drives and buy new...is there anything that can completely wipe them?

[deuZige]

To quote one security firm analyzing malware samples:

The sample referred to as GlobeImposter 2.0 isn’t just a junk copycat of the prolific Globe ransomware, but it’s shaping up to be one of the prevalent and most dangerous file-encrypting malware strains in the wild.

GlobeImposter 2 has been identified as being a rootkit. If only for peace of mind I'd recommend at least wiping the drives. Here's a tool that will do the trick. Throwing the drives away is not needed though, I agree on that.


CBL Data Shredder comes in two forms: you can either boot from it via a disc or USB stick (like with DBAN) or use it from within Windows like a regular program.

To erase the hard drive that's running an operating system, you're required to boot to the program, whereas deleting another internal or external drive can be done with the Windows version.

Data Sanitization Methods: DoD 5220.22-M, Gutmann, RMCP DSX, Schneier, VSITR

In addition to the above, you can create your own custom method to include 1s, 0s, random data, or custom text with a custom number of passes.

The bootable version tells you how large each drive is but that's about the only identifiable information given, whereas the Windows version makes it easier to know what drive you're about to wipe clean.

The Windows version of CBL Data Shredder works with Windows XP through Windows 10.

Which you decide on is up to you. I've had the experience of malware returning after a complete format and fresh install of Windows 10 myself, which is why i'm extra cautious on this point.

Good luck!

[Three of Seven]

To quote one security firm analyzing malware samples

I DuckDuckGo'd the quote there, and it's from an article in 2017 - https://myspybot.com/globeimposter-2-0/

By this point, Laz is probably right, it's no longer fresh, it has probably be bought, and sold so many times!

[deuZige]

Hmz. thanks. didn't notice the date tbh. Thanks for being sharp there!

[deuZige]

Ok, i just went with the Malwarebytes assessment of it as a rootkit. I didn't do extensive research into this one. I got flashbacks to my traumatic experience with the Copy-Paste malware that infected my PC about one or two months ago which did survive removing the partitions from the drives, recreating partitions, formatting the partitions, and installing windows fresh from USB. I've always known Malwarebytes to be accurate and so i trusted their designation as a rootkit.

Apparently erroneous designation as a rootkit i know learned.

Glad i'm not using Windows anymore as my daily driver. I use Windows only for gaming and recreational browsing. Anything serious needs to be done? Linux.