Decrypt and restore the .sea files (GlobeImposter ransomware)

Malware experts report that over the past few days they have intercepted plenty of spam emails with JavaScript attachments that spread a new version of the GlobeImposter ransomware. This variant appends the .sea extension to every encrypted file so that victims notice that these files are encrypted.

The ransom note is also new: it is an HTML file called !your_files!.html, generated and dropped into each folder where files are encrypted. The ransom note informs the target that his or her files are now encrypted and gives instructions on how to send the payment to unlock the files. While mass-spamming the .sea variant of the GlobeImposter ransomware, and to mislead the victims, the virus authors name their downloader IMG_3716.js. Users believe it is a photo or another picture and click it. Once IMG_3716.js is launched, it downloads the actual ransomware executable from a website controlled by the criminals.

!your_files!.html ransom note

When the .sea variant of the GlobeImposter ransomware is encrypting your files, it prevents the Windows system from going into sleep mode (in case you suddenly leave your PC unattended). Hackers are clever. To prevent the GlobeImposter ransomware from being studied by malware experts, most code lines are encrypted; they are decrypted automatically and dynamically while running. GlobeImposter also creates a list of file extensions and folders that will not be encrypted. These include files belonging to the Windows system, web browsers, antivirus software, etc. Overall, 170 file extensions are not going to be encrypted. But your most precious documents, such as Word, Excel, PDF and TXT files, videos and images, will get locked for sure.

Encrypted files with .sea extension

Moreover, before launching its encryption routine, the .sea file virus kills all processes that have to do with MS Office or database files. Stopping those processes makes them release the files they are using, which in turn may result in more user files being encrypted. As the .sea file virus (GlobeImposter) uses the strong RSA 2048 encryption mechanism to lock the files, it is extremely hard to decrypt them if you do not have the appropriate key. But paying for the key does not guarantee that you will get your files back. Hackers cannot be trusted. You can try to restore files yourself using dedicated Windows features like Shadow Copy or third-party data recovery software.
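The three indicators described above (the .sea extension, the !your_files!.html note dropped into each folder, and the IMG_3716.js attachment named to look like a photo) can be turned into a quick triage script. This is an added example, not code from the original post; the sample directory tree it builds is constructed, the IMG_/DSC_ name pattern and the extra script extensions beyond .js generalise the lure beyond the single file name quoted above, and a real incident would point triage_tree at the affected drive instead.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the description above.
ENCRYPTED_EXT = ".sea"
RANSOM_NOTE = "!your_files!.html"
# Script extensions Windows runs on double-click; the post names only .js
# (IMG_3716.js), the others are an assumed generalisation of the same lure.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# A stem that reads like a camera photo name, e.g. IMG_3716 or DSC_0042.
PHOTO_LIKE = re.compile(r"^(img|dsc|dcim|photo|pic)[_-]?\d+$", re.IGNORECASE)


def looks_like_photo_lure(filename: str) -> bool:
    """True when the name mimics a photo but the real extension is a script."""
    p = Path(filename)
    return p.suffix.lower() in SCRIPT_EXTS and PHOTO_LIKE.match(p.stem) is not None


def triage_tree(root: str) -> dict:
    """Walk a directory tree and summarise GlobeImposter (.sea) indicators."""
    result = {"sea_files": [], "note_folders": [], "lures": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                result["sea_files"].append(full)
            elif name == RANSOM_NOTE:
                result["note_folders"].append(dirpath)
            elif looks_like_photo_lure(name):
                result["lures"].append(full)
    return result


def build_sample_tree() -> str:
    """Create a constructed sample tree (harmless placeholder files) for a dry run."""
    root = tempfile.mkdtemp(prefix="sea_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx.sea", "budget.xlsx.sea", RANSOM_NOTE):
        Path(docs, name).write_text("constructed sample")
    Path(root, "Downloads").mkdir()
    Path(root, "Downloads", "IMG_3716.js").write_text("// constructed placeholder")
    Path(root, "Downloads", "IMG_0001.jpg").write_bytes(b"\xff\xd8 constructed")
    return root


if __name__ == "__main__":
    summary = triage_tree(build_sample_tree())
    for key, items in summary.items():
        print(f"{key}: {len(items)}")
```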

GlobeImposter removal

By removing this ransomware, you can be sure it will not do any further damage. The linked-to automated cleanup tool is capable of detecting the malicious executables of all known crypto viruses and removing the entirety of their harmful components. One thing to keep in mind, though, is that the data left behind will stay inaccessible until the appropriate recovery measures are adopted.

1. Download and install the .sea file virus remover. Run the suite and click Start Computer Scan.

2. As soon as the scan report is ready, make sure all the malicious entries on the list are selected and click Fix Threats to get the cleaning job done.

File recovery how-tos

Now that you have taken care of the offending code proper, it’s high time you tried to restore the scrambled files. Regular data backups made prior to the compromise are the best means of reinstating the information. In this case, just use your backup service provider’s appropriate functionality to download the most recent copies of the files. If the reserve storage is on a piece of external hardware, simply transfer the data back to your PC.

Unfortunately, some users don’t have a sound backup strategy that would make them resilient to such breaches. If you happen to be in that category, the dilemma is to either pay the ransom or take advantage of the best practices of forensic data restoration. The former modus operandi (ransom) should be your last resort, so try the routines below first.

a) Explore ‘shadows’
As enigmatic as it sounds, this is a completely down-to-earth method that might do the trick in some ransomware attack cases. The idea is to use snapshots of files made by the operating system during critical updates and the addition of new restore points. The applet called ShadowExplorer automates the workflow of finding these previous versions and restoring them to a location of choice or the original folder.

ShadowExplorer

The problem is, some crypto ransomware strains execute the “vssadmin.exe Delete Shadows /All /Quiet” command to wipe the snapshots kept by this Windows service. To see whether this technique can work in your case, go ahead and do the following: download ShadowExplorer, install and launch it. Right-click on any path, for example Documents and Settings, select the Export feature and pick the directory to which the contents of this folder should be restored. If this helped, proceed with the rest of your data in the same fashion.
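Because the shadow-copy wipe quoted above is one of the few loud things a ransomware strain does before encrypting, it is worth alerting on. The following detection, an added example that is not part of the original post, runs over constructed process-creation records laid out as key=value fields (the field names mirror what Sysmon Event ID 1 or Security event 4688 record, but the lines, times, paths and user name are made up) and flags any command line that invokes vssadmin Delete Shadows, rating it higher when the /All /Quiet flags are present or the parent process lives in a user-writable temp folder.

```python
import re
from dataclasses import dataclass

# Constructed sample log (not real telemetry). Backslashes are doubled for Python.
SAMPLE_LOG = """\
Time=2017-08-01T10:02:11 Image=C:\\Windows\\System32\\svchost.exe CommandLine="svchost.exe -k netsvcs" ParentImage=C:\\Windows\\System32\\services.exe
Time=2017-08-01T10:05:42 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe Delete Shadows /All /Quiet" ParentImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe
Time=2017-08-01T10:06:03 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin.exe List Shadows" ParentImage=C:\\Windows\\System32\\cmd.exe
Time=2017-08-01T10:07:15 Image=C:\\Windows\\System32\\cmd.exe CommandLine="cmd.exe /c VSSADMIN delete shadows /all /quiet" ParentImage=C:\\Windows\\System32\\wscript.exe
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Matches the command quoted in the text regardless of case or .exe suffix.
DELETE_SHADOWS = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
# Parent binary running out of a temp/profile folder instead of an admin console.
SUSPICIOUS_PARENT = re.compile(r"\\(?:Temp|AppData)\\", re.IGNORECASE)


@dataclass
class Alert:
    time: str
    command_line: str
    parent: str
    severity: str


def parse_record(line: str) -> dict:
    """Split one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def detect_shadow_deletion(log_text: str) -> list:
    """Return an Alert for every record whose command line deletes shadow copies."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        cmd = rec.get("CommandLine", "")
        if not DELETE_SHADOWS.search(cmd):
            continue          # "List Shadows" and unrelated processes pass through
        severity = "medium"
        flags = cmd.lower()
        if "/all" in flags and "/quiet" in flags:
            severity = "high"     # the exact form above: wipe every snapshot silently
        if severity == "high" and SUSPICIOUS_PARENT.search(rec.get("ParentImage", "")):
            severity = "critical"
        alerts.append(Alert(rec.get("Time", "?"), cmd, rec.get("ParentImage", "?"), severity))
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_deletion(SAMPLE_LOG):
        print(f"[{a.severity}] {a.time} {a.command_line!r} parent={a.parent}")
```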

Data Recovery Pro

b) Use recovery software
There are solutions that traverse computer drives and connected media in search of obliterated data, and may be able to reinstate it. The reason why tools like Data Recovery Pro can be useful in ransomware-related predicaments is that some of these Trojans erase original versions of files, leaving their enciphered copies on the hard disk. If that’s the case, the above-mentioned application will scan the machine, list all recoverable entries in the scan report, and let you get those items back. Be advised it’s critical to remove the virus for good before you get down to this workaround.

Double-check for GlobeImposter remnants

Do not leave anything to chance when dealing with ransomware. Unless removed efficiently, these threats can relaunch the crypto attack and scramble everything you’ve been struggling to restore using the above methods. To add insult to injury, ransom Trojans may be accompanied by other infections, such as banking malware that steals victims’ sensitive credentials. One way or another, rescan your system to make sure you’re good to go.
