GLOBELIMPOSTER RANSOMWARE


Introduction

GlobeImposter ransomware first appeared in 2017, when it was distributed through a “Blank Slate” phishing campaign that carried a malicious ZIP file attachment.
Attacks involving GlobeImposter have been frequent and have targeted organisations of every size in many countries, especially the United States and countries in Europe and Asia.
There is no decryptor for any of the active GlobeImposter variants. The average ransom demanded is $105,000 in Bitcoin, and payment is arranged through email addresses given in the ransom note.

Modus Operandi

Initial access

The infection vector used by the threat actors is the “Blank Slate” phishing email campaign, in which the email body is left blank and the message contains only a malicious ZIP file attachment. Other observed infection vectors include GlobeImposter bundled with free online software and drive-by installation, where a compromised website installs it in the background by exploiting software vulnerabilities whenever a victim visits the site.

Installation

When the victim opens the malicious ZIP file, it executes an obfuscated JavaScript file that attempts to download the GlobeImposter payload from one of a list of hardcoded domains. GlobeImposter then installs itself into the target’s temp directory and registers itself in the system registry as an auto-run item, so it runs every time the compromised machine starts and can check for newly created files and encrypt them. GlobeImposter checks for a .tmp file named qfjgmfgmkj.tmp in the “%TEMP%” folder. If the .tmp file is not found, GlobeImposter creates three files: qfjgmfgmkj.tmp, hjkhkHUhhjp.bat and how_to_back_files.html. If the .tmp file is found, GlobeImposter stops the attack and removes itself.

Encryption

First, GlobeImposter scans for all files on each compromised machine, then generates 2048-bit RSA encryption keys for the files and pulls a unique ID for the target machine from a C&C server. While the RSA keys are being generated, GlobeImposter runs the hjkhkHUhhjp.bat script to clear traces of the attack: the RDP default settings, RDP history, shadow copies and security logs are removed. GlobeImposter also attempts to kill processes and stop services related to antivirus, database, backup and document editing software, working from a predefined list of service and process names and executing “taskkill” and “net stop”. GlobeImposter then encrypts the contents of each file and overwrites the original content. The unique ID is appended to the encrypted content, and “..726” is appended to the filename of every encrypted file. Finally, GlobeImposter runs the .bat script again to clear any remaining traces of the attack before the ransom note is downloaded to each compromised machine that has encrypted files.
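The host artefacts named in the Installation and Encryption sections (the %TEMP% marker, the .bat cleanup script, the taskkill/net stop activity, the ..726 suffix and the ransom note) can be turned into a simple triage check. The script below is an added example, not code from the original write-up; it runs over constructed, Sysmon-like log lines, and the user name, paths and the process/service names being killed are invented for the example.

```python
import re
from collections import Counter

# Indicators taken from the write-up above.
MARKER_FILE = "qfjgmfgmkj.tmp"          # %TEMP% marker checked at install time
CLEANUP_SCRIPT = "hjkhkhuhhjp.bat"      # script that wipes RDP traces, shadow copies, logs
RANSOM_NOTE = "how_to_back_files.html"
ENCRYPTED_SUFFIX = "..726"              # appended to every encrypted file name

# Constructed sample events ("timestamp EventType Key=value ..."); names and paths are invented.
SAMPLE_EVENTS = r"""
2024-03-01T09:00:01 ProcessCreate Image=C:\Program Files\Office\winword.exe CommandLine="winword.exe q1_report.docx"
2024-03-01T09:00:02 FileCreate TargetFilename=C:\Users\alice\AppData\Local\Temp\qfjgmfgmkj.tmp
2024-03-01T09:00:03 ProcessCreate Image=C:\Windows\System32\cmd.exe CommandLine="cmd /c C:\Users\alice\AppData\Local\Temp\hjkhkHUhhjp.bat"
2024-03-01T09:00:04 ProcessCreate Image=C:\Windows\System32\taskkill.exe CommandLine="taskkill /F /IM backup_agent.exe"
2024-03-01T09:00:05 ProcessCreate Image=C:\Windows\System32\net.exe CommandLine="net stop MSSQLSERVER"
2024-03-01T09:00:06 FileCreate TargetFilename=C:\Users\alice\Documents\q1_report.docx..726
2024-03-01T09:00:07 FileCreate TargetFilename=C:\Users\alice\Documents\notes.txt
2024-03-01T09:00:08 FileCreate TargetFilename=C:\Users\alice\Documents\how_to_back_files.html
""".strip().splitlines()

LINE_RE = re.compile(r"^(\S+) (ProcessCreate|FileCreate) (.*)$")

def classify_event(line):
    """Return the GlobeImposter indicators one event line matches (empty list if none)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    kind, fields = m.group(2), m.group(3)
    hits = []
    if kind == "ProcessCreate":
        cl = re.search(r'CommandLine="([^"]*)"', fields)
        cmd = cl.group(1).lower() if cl else ""
        if CLEANUP_SCRIPT in cmd:
            hits.append("cleanup_script")    # hjkhkHUhhjp.bat launched to clear traces
        if re.match(r"(taskkill(\.exe)?\s|net(\.exe)?\s+stop\b)", cmd):
            hits.append("service_kill")      # taskkill / net stop against AV, DB, backup, editors
    else:
        path = fields.split("TargetFilename=", 1)[-1].lower()
        name = path.rsplit("\\", 1)[-1]
        if name == MARKER_FILE and "\\temp\\" in path:
            hits.append("install_marker")
        if name.endswith(ENCRYPTED_SUFFIX):
            hits.append("encrypted_file")
        if name == RANSOM_NOTE:
            hits.append("ransom_note")
    return hits

def triage(lines):
    """Count indicators over a log; treat ..726 renames plus the marker or note as a confident match."""
    counts = Counter(h for line in lines for h in classify_event(line))
    # A lone taskkill/net stop is routine admin activity, so it is not enough on its own.
    confident = counts["encrypted_file"] > 0 and counts["install_marker"] + counts["ransom_note"] > 0
    return counts, confident

if __name__ == "__main__":
    counts, confident = triage(SAMPLE_EVENTS)
    print(dict(counts), "GlobeImposter pattern" if confident else "no match")
```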