GlobeImposter ransomware first appeared in 2017, distributed through a “Blank Slate” phishing campaign carrying a malicious ZIP file attachment.
GlobeImposter attacks have been frequent and have targeted organisations of all sizes in many countries, most notably the United States and countries across Europe and Asia.
There is no decryptor for any of the active GlobeImposter variants. The average ransom demanded is $105,000 in Bitcoin, and payment is arranged by contacting the email addresses given in the ransom note.
The primary infection vector is the “Blank Slate” phishing campaign: the email body is left blank and carries only a malicious ZIP attachment. GlobeImposter has also been observed bundled with free online software downloads, and delivered as a drive-by download, where a compromised website exploits vulnerabilities in the visitor’s software to install the ransomware in the background whenever the victim visits the site.
GlobeImposter first enumerates the files on the compromised machine, then generates RSA-2048 encryption keys for those files and pulls a unique ID for the target machine from a C&C server. While the RSA keys are being generated, GlobeImposter runs the hjkhkHUhhjp.bat script to clear traces of the attack: default RDP settings, RDP history, shadow copies and the security logs are removed. GlobeImposter also attempts to kill processes and stop services belonging to antivirus, database, backup and document-editing software, working from a predefined list of process and service names and executing “taskkill” and “net stop” against each one.

GlobeImposter then encrypts the contents of each file and overwrites the original content. The unique ID is appended to the encrypted content, and “..726” is appended to the filename of every encrypted file. Finally, GlobeImposter runs the .bat script a second time to clear any remaining traces of the attack, and the ransom note is written to every compromised machine that holds encrypted files.
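The sequence above (cleanup script, shadow-copy and log deletion, a burst of taskkill/net stop commands, then files reappearing with a “..726” extension) is visible in ordinary Windows process-creation and file-creation telemetry. The following is an added detection example written for this page; it is not GlobeImposter code and not part of the original write-up. The sample events are constructed, and the specific command lines for removing shadow copies (vssadmin), clearing event logs (wevtutil) and deleting RDP history (the Terminal Server Client registry key) are assumptions about how such a cleanup script typically does what the text describes; only the script name hjkhkHUhhjp.bat, the taskkill/net stop usage and the “..726” extension come from the page. The kill threshold of three distinct commands per host is an arbitrary tuning value.

```python
"""Hunt for GlobeImposter-style pre-encryption cleanup, mass service
termination and ..726-extension file creation in host telemetry.

Added example for this page, not GlobeImposter code. Events are
constructed; the exact cleanup command lines are assumptions about
typical ransomware behaviour, not taken from the original page.
"""
import re
from collections import defaultdict

# Constructed sample telemetry as (host, event_type, detail) tuples.
# "process" details are command lines; "file" details are created paths.
SAMPLE_EVENTS = [
    ("WS01", "process", r'cmd.exe /c C:\Users\Public\hjkhkHUhhjp.bat'),
    ("WS01", "process", r'vssadmin.exe Delete Shadows /All /Quiet'),
    ("WS01", "process", r'wevtutil.exe cl Security'),
    ("WS01", "process", r'reg.exe delete "HKCU\Software\Microsoft\Terminal Server Client\Default" /va /f'),
    ("WS01", "process", r'taskkill.exe /F /IM sqlservr.exe'),
    ("WS01", "process", r'net.exe stop MSSQLSERVER /y'),
    ("WS01", "process", r'net.exe stop VeeamBackupSvc /y'),
    ("WS01", "file",    r'C:\Users\alice\Documents\budget.xlsx..726'),
    ("WS01", "file",    r'C:\Users\alice\Documents\plan.docx..726'),
    ("WS02", "process", r'net.exe stop Spooler'),      # lone benign admin action
    ("WS02", "file",    r'C:\Users\bob\report.pdf'),
]

# Single-command indicators of the cleanup phase (assumed command lines).
CLEANUP_PATTERNS = {
    "known_cleanup_script": re.compile(r"hjkhkHUhhjp\.bat", re.I),
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "event_log_cleared": re.compile(r"wevtutil(\.exe)?\s+cl\s+", re.I),
    "rdp_history_removed": re.compile(r"terminal server client", re.I),
}
# taskkill / net stop are common on their own; only a burst of distinct
# commands from one host is treated as an indicator.
KILL_PATTERN = re.compile(r"^(taskkill(\.exe)?\s|net(\.exe)?\s+stop\s)", re.I)
KILL_THRESHOLD = 3
# Extension appended by GlobeImposter to every encrypted file.
ENCRYPTED_EXT = re.compile(r"\.\.726$")
# Number of distinct indicator types before a host is called likely infected.
VERDICT_THRESHOLD = 3


def analyse(events):
    """Return {host: {"indicators": [...], "verdict": str}} for every host
    that shows at least one indicator."""
    state = defaultdict(lambda: {"indicators": set(), "kills": set(), "encrypted": 0})
    for host, kind, detail in events:
        h = state[host]
        if kind == "process":
            for name, pattern in CLEANUP_PATTERNS.items():
                if pattern.search(detail):
                    h["indicators"].add(name)
            if KILL_PATTERN.search(detail):
                h["kills"].add(detail.lower())
        elif kind == "file" and ENCRYPTED_EXT.search(detail):
            h["encrypted"] += 1

    findings = {}
    for host, h in state.items():
        indicators = set(h["indicators"])
        if len(h["kills"]) >= KILL_THRESHOLD:
            indicators.add("mass_service_kill")
        if h["encrypted"]:
            indicators.add("726_extension_files")
        if indicators:
            verdict = "ransomware_likely" if len(indicators) >= VERDICT_THRESHOLD else "suspicious"
            findings[host] = {"indicators": sorted(indicators), "verdict": verdict}
    return findings


if __name__ == "__main__":
    for host, finding in analyse(SAMPLE_EVENTS).items():
        print(host, finding["verdict"], ", ".join(finding["indicators"]))
```

Because the cleanup script deletes shadow copies and the security log on the host, this logic is only useful if process and file events are forwarded off-host before the second cleanup pass runs; the same applies to recovery, which depends on backups the malware’s “net stop” list cannot reach. In the sample, WS01 is flagged as likely infected while WS02’s single “net stop Spooler” produces no finding, which is the point of requiring a burst rather than a single stop command.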