19-Nov-2019 03:47

The message is located in "Decryption instructions.txt", "Decryptions instructions.txt", "README.txt", "Readme to restore your files.txt" or "HOW TO DECRYPT YOUR DATA.txt" on the user's desktop.

Also, the desktop background is changed to one of the pictures below.

This ransomware spreads on Mac OS X (version 10.11 or newer).

The encryption is based on creating ZIP files - each encrypted file is a ZIP archive, containing the original document.

Also, in July 2018, the FBI released master decryption keys for versions 4-5.2.

Find Zip is a ransomware strain that was observed at the end of February 2017.

The ransomware also creates a text file named "GDCB-DECRYPT.txt", "CRAB-DECRYPT.txt", "KRAB_DECRYPT.txt", "%Random Letters%-DECRYPT.txt" or "%Random Letters%-MANUAL.txt" in each folder.

Globe adds one of the following extensions to the file name: ".GSupport[0-9]", ".blackblock", ".dll555", ".duhust", ".exploit", ".frozen", ".globe", ".gsupport", ".kyra", ".purged", ".raid[0-9]", "[email protected]", ".xtbl", ".zendrz", ".zendr[0-9]", or ".hnyear". Furthermore, some of its versions encrypt the file name as well.

How_To_Decrypt.txt) will display a variant of this message:

After encrypting your files, Bart changes your desktop wallpaper to an image like the one below.

However, if the server is not available or if the user is not connected to the internet, the ransomware will encrypt files with a fixed key ("offline key").

Important: The provided decryption tool only supports files encrypted using an "offline key".