Posted 09 March 2015 - 09:40 AM
Posted 09 March 2015 - 05:47 PM
File submitted as requested - the original file is a .png (FB logo), 11049 bytes long. Let me know if you want me to submit the original as well.
Regarding decrypting exes, here are some ideas for the script writer (I had a thinned-down version myself doing only a few of the points listed below):
- search disk for exe modified on the day of infection (possibly with a certain time restriction as well);
- check the file name pattern; (all .???.exe are encrypted files)
- these would be non-exe, as all encrypted .exe simply remains ".exe" instead of ".exe.exe";
- for these files, invoke them from the script and terminate the process after, say, 60 seconds;
- for ".exe" files, check the icon with pattern recon looking for the small "lock";
- remember where those .exes are and write to output.
This should in theory decrypt all non-executables like jpg, zip etc., and generate a list of .exe files for you to run manually (some of which would be potentially damaging, thus it's better to leave this to be done by hand).
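An added example, not part of the original post or of the patcher discussed in this thread: a read-only Python inventory covering the date filter, the name-pattern check and the write-out step from the list above. The function name `triage`, its parameters and the three-character-extension regex are assumptions made for illustration; the script reads only file names and timestamps and runs nothing.

```python
import os
import re
import sys
from datetime import datetime, timedelta

# name.ext.exe with a three-character inner extension: per the post, an
# encrypted non-executable (photo.jpg.exe). Names like app.x64.exe also match,
# so treat the list as candidates, not verdicts.
DOUBLE_EXT = re.compile(r"^.+\.[^.]{3}\.exe$", re.IGNORECASE)


def triage(root, infected_on, window_days=1):
    """Return (wrapped, review): .exe paths under root modified in the window.

    wrapped: name.ext.exe files (encrypted documents, images, archives).
    review:  plain .exe files touched in the same window; the post suggests
             checking these by hand (lock icon) rather than by script.
    Only names and timestamps are read; nothing is opened or executed.
    """
    end = infected_on + timedelta(days=window_days)
    wrapped, review = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = datetime.fromtimestamp(os.stat(path).st_mtime)
            except OSError:
                continue  # locked, unreadable or deleted mid-walk
            if infected_on <= mtime < end:
                (wrapped if DOUBLE_EXT.match(name) else review).append(path)
    return sorted(wrapped), sorted(review)


if __name__ == "__main__":
    # Usage (assumed CLI): python triage.py C:\Users 2015-03-09
    wrapped, review = triage(sys.argv[1], datetime.strptime(sys.argv[2], "%Y-%m-%d"))
    for label, paths in (("WRAPPED", wrapped), ("REVIEW", review)):
        for p in paths:
            print(f"{label}\t{p}")
```

Run it from an uninfected OS or partition with the affected volume mounted, so the timestamps are not changing while the walk is in progress.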
Posted 10 March 2015 - 01:02 AM
It's still continuing to infect files for me....even new files that I have created on the desktop since the patch? How do I stop that?
Posted 13 March 2015 - 09:06 AM
Posted 25 March 2015 - 04:15 AM
Hi,
Has anyone actually been able to remove this virus? I have applied the AUS fix and the 'lock out' is now removed. I can double click on most files and they will decrypt BUT the virus is still there, it is still encrypting files and there seems no way to stop it.
Any help is very much appreciated.
Thanks
Steve
Edited by sjouk, 25 March 2015 - 04:20 AM.
Posted 25 March 2015 - 11:55 AM
I don't have much time these days, or even now sadly. So it's hard to test, but I'm quite positive that hit man pro alert will remove the remaining infection, and also remove the service that is encrypting new files (it's a live OS, google it for instructions). But you may want to make sure u use my patcher to decrypt all files u need first because once the infection is gone, u can't use it.
Posted 25 March 2015 - 11:58 AM
Thanks for the help. I will give this a go but, as you say I need to decrypt all files first so it may be a while before I can report back.
Posted 01 April 2015 - 04:52 PM
Hey, looking for some help with an infected computer. Similar to another post, I have run the patch, and get the message "the infection exe could not be found". The infection is a Canadian one; it is on a Windows 7 64 machine. The infection even comes up in safe mode. I have a Linux and a Windows 8 partition on the machine that are not affected, and can access all of the files on the infected partition; could this be any help? Just looking to recover some of the encrypted files and wipe the machine; is there any good way to do that with a decryption tool?
Posted 01 April 2015 - 05:03 PM
Upload an infected file and post the link. If it actually is an Operation Global variant then decryption may be possible.
Posted 01 April 2015 - 06:51 PM
I am sorry, I am new at this; I uploaded a file with the 'Submit a Malware Sample' form but I don't know how to link it here.
Posted 07 April 2015 - 09:32 PM
Hi, just wondering if the file worked? Or if there was anything else needed.
Posted 10 April 2015 - 02:30 AM
Ok.. same as others are saying, one of my clients got hit with the Canadian version of this crapware.. I managed to suppress the ransomware, so it won't start, but have not wiped it out either.
But the decrypter is saying the ransomware is not running, so I can't decrypt the files.
I have uploaded a copy to the malware sample submission form. Is there anything else I need to do to send this file so I could get someone to help me with the decryption?
The name of the file is VeMoMccQ.backup.exe (I have added the word backup to it so I could save a copy without wiping it)
Please help..
Edited by mrfssd, 10 April 2015 - 02:35 AM.
Posted 11 April 2015 - 06:52 PM
I just got this virus on one of my computers. I tried the patcher supplied in this thread, but it said it was unable to find the infection exe. I used the 'Submit Malware' page to upload a screenshot and an infected file sample. Hopefully someone is able to help me. I am ok with reinstalling my OS, I would just like to get some of the files back first. Thanks in advance for any help.
EDIT: I have found the actual infection executables. Would it help if I uploaded them as well?
Edited by bobsfriend, 11 April 2015 - 08:50 PM.
Posted 18 April 2015 - 04:05 PM
Does anyone know if the source code for the Operation Global III patcher is available somewhere? If I can't get a modified patcher to fix the version of the virus that I have, then I can try modifying it myself.
Posted 18 April 2015 - 04:11 PM
Can someone please upload an infected file and PM me the link again? Sorry it's been so long, it's been nuts. I'll try and get the patched out, and if not post the source.