GLB ransomware is file-encrypting malware from the notorious Dharma ransomware family. The Dharma family has released many versions, and this one can be differentiated by the .GLB extension added to encrypted files. It drops a FILES ENCRYPTED.txt ransom note and also displays a pop-up note.
GLB ransomware is part of the Dharma ransomware family, which releases new versions at a rapid pace. The same family is responsible for ransomware such as SUKA, Cvc, ZIN, World, SWP, Dex, and MUST. This version can be identified by the .GLB extension added to encrypted files. The malware targets personal files and encrypts them, and once files are encrypted users cannot open them without first decrypting them. To obtain the decryptor, victims would need to pay a ransom. This is explained in the pop-up ransom note, which appears once encryption is complete. The note does not mention how much the decryptor costs, only that users need to send an email to firstname.lastname@example.org to begin the process of obtaining a decryptor.
Whether victims pay the ransom or not is up to them. However, we feel it is necessary to warn users that paying the ransom will not necessarily result in files being decrypted. The people behind ransomware are cyber criminals, and nothing stops them from simply taking the money and not keeping their end of the deal. This has, unfortunately, happened many times before, so users need to be aware of the risk. It should also be mentioned that paying encourages cyber crooks to continue their malicious activities: as long as users keep paying ransoms, ransomware will remain a problem.
If users have a backup, they can start file recovery as soon as they remove GLB ransomware. If the ransomware is still present on the computer when the backup is connected, the backed-up files may be encrypted as well.
If users don’t have a backup, there aren’t many options left. Malware researchers are sometimes able to develop working decryptors for free, but it is not always possible. There is a free decryptor for Dharma ransomware on NoMoreRansom, but it will not work on the newer releases such as GLB ransomware. If a decryptor is ever released, it would appear on NoMoreRansom, so users should back up the encrypted files and check NoMoreRansom occasionally. Users should also be wary of fake decryptors promising to decrypt files, as they are likely to be malware.
What does the ransomware do?
As soon as the ransomware runs on a computer, it starts encrypting the files users hold most important, usually photos, videos, and documents. Encryption takes only moments, and users typically notice only when their files suddenly have .[email@example.com].GLB appended to them. The appended extension also contains the user’s unique ID. For example, image.jpg would become image.jpg.unique ID.[firstname.lastname@example.org].GLB. Files with that extension cannot be opened.
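As an added example (not part of the original article), the following Python script inventories a directory tree for files following the naming scheme described above and for the FILES ENCRYPTED.txt note, so that a victim can see exactly which files were hit and which original names to request from backup. The id-<hex> form of the victim ID is an assumption based on the usual Dharma naming (the article only says "unique ID"); the sample files the script creates are constructed for the demonstration, not real samples.

```python
import os
import re
import shutil
import tempfile
from collections import Counter

# Matches the naming scheme the article describes for GLB-encrypted files:
#   <original name>.<victim id>.[<attacker email>].GLB
# The victim id is ASSUMED (not stated on the page) to be the usual Dharma form
# "id-" followed by hex digits; the prefix is optional so a bare hex id still matches.
GLB_PATTERN = re.compile(
    r"^(?P<original>.+)\.(?P<victim_id>(?:id-)?[0-9A-Fa-f]{6,})"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.GLB$"
)
RANSOM_NOTE = "FILES ENCRYPTED.txt"


def parse_glb_name(filename):
    """Return original name, victim id and email for a GLB-encrypted name, else None."""
    m = GLB_PATTERN.match(filename)
    return m.groupdict() if m else None


def triage_directory(root):
    """Walk `root` and inventory GLB-encrypted files and ransom notes.

    Returns a dict with the encrypted files (path, parsed fields, and the path the
    file should have after restore), the ransom note locations, and a count per
    (victim id, contact email) pair.
    """
    encrypted = []
    notes = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(full)
                continue
            parsed = parse_glb_name(name)
            if parsed:
                parsed["path"] = full
                parsed["original_path"] = os.path.join(dirpath, parsed["original"])
                encrypted.append(parsed)
    by_actor = Counter((e["victim_id"], e["email"]) for e in encrypted)
    return {"encrypted": encrypted, "notes": notes, "by_actor": by_actor}


def build_sample_tree():
    """Create a CONSTRUCTED example tree (placeholder bytes, not a real infection)."""
    root = tempfile.mkdtemp(prefix="glb_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    samples = [
        os.path.join(root, "image.jpg.id-1A2B3C4D.[email@example.com].GLB"),
        os.path.join(docs, "report.docx.id-1A2B3C4D.[email@example.com].GLB"),
        os.path.join(docs, "notes.txt"),    # untouched file
        os.path.join(docs, "model.GLB"),    # legitimate .GLB (glTF binary), not ransomware
        os.path.join(root, RANSOM_NOTE),
        os.path.join(docs, RANSOM_NOTE),
    ]
    for path in samples:
        with open(path, "wb") as f:
            f.write(b"\x00" * 16)
    return root


def remove_sample_tree(root):
    """Delete the constructed tree again."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    result = triage_directory(root)
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes")
    for (victim_id, email), n in result["by_actor"].items():
        print(f"  id {victim_id}, contact {email}: {n} files")
    for e in result["encrypted"]:
        print(f"  {e['path']} -> restore as {e['original_path']}")
    remove_sample_tree(root)
```

Matching the full pattern rather than the .GLB suffix alone matters: .GLB is also the extension of legitimate glTF binary 3D models, so a suffix-only search would flag clean files. Run the inventory against a disk image or share mounted read-only after the ransomware has been removed; the original_path values are the names to restore from backup.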
The ransomware shows a pop-up ransom note and also drops a FILES ENCRYPTED.txt text note. The pop-up note contains slightly more information and demands that users send an email to email@example.com to start the file recovery process. An alternative email address, firstname.lastname@example.org, is also given in case users receive no answer within 12 hours.
Neither the pop-up nor the text ransom note mentions the price of the decryptor, though it will likely be around a couple of thousand dollars. Whatever the sum may be, we do not recommend paying, for the reasons mentioned above. That, unfortunately, leaves backup as the only way to recover files.
Here is the text from the ransom note:
YOUR FILES ARE ENCRYPTED
Don’t worry, you can return all your files!
If you want to restore them, follow this link:email email@example.com YOUR ID –
If you have not been answered via the link within 12 hours, write to us by e-mail:firstname.lastname@example.org
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
How does ransomware infect a computer?
Ransomware usually infects the computers of users with poor browsing habits, such as opening unsolicited email attachments, downloading unsafe torrents, not installing critical security updates, and interacting with ads on high-risk websites.
Malspam is one of the most common ways users end up infecting their computers with malware. It is usually sent to email addresses that have leaked or were exposed in a data breach. The emails urge users to open the attached file, supposedly an important document that needs to be reviewed immediately. If users open the attachment, they execute the malware themselves. The good news is that malspam emails are usually quite obvious: they are sent from random-looking addresses, contain numerous grammar and spelling mistakes, and threaten users with serious consequences if the attachment is not opened, so users should be able to identify them. It is nevertheless a good idea to scan every email attachment with anti-virus software or VirusTotal before opening it.
Users should also avoid piracy if they want to keep ransomware off their computers. Torrent sites are not regulated properly, which lets malicious actors easily upload malware disguised as, or bundled with, torrents. Torrents for movies, TV shows, games, software, and similar content commonly carry malware, and the more popular the content, the more likely a torrent for it is to be malicious. Users should therefore avoid pirating, not only because it is essentially stealing content but also because it is dangerous for the computer.
GLB ransomware removal
It is strongly recommended to use anti-virus software to remove GLB ransomware. Users who try to delete GLB ransomware manually risk missing components or damaging the system. Once the ransomware is no longer present, users can connect their backup and start recovering files.
GLB ransomware is detected as:
- Win32:RansomX-gen [Ransom] by AVG/Avast
- Trojan.Ransom.Crysis.E by BitDefender
- Trojan.Ransom.Crysis.E (B) by Emsisoft
- A Variant Of Win32/Filecoder.Crysis.P by ESET
- Trojan-Ransom.Win32.Crusis.to by Kaspersky
- Ransom.Crysis by Symantec and Malwarebytes
- Ransom.Win32.CRYSIS.SM by Trend Micro
- Ransom:Win32/Wadhrama!hoa by Microsoft
- Ransom-Dharma!BD3B686C6F9E by McAfee