GlobeImposter Ransomware: What To Do If You’re Infected

Tetra Defense looks back at some ransomware strains we’ve seen as the past oftentimes informs the present. Learn how Globe Imposter Ransomware operated to stay updated on possible future strains. 

What is GlobeImposter Ransomware?

The GlobeImposter ransomware family first appeared around August of 2017. In early 2019, GlobeImposter ransomware underwent extensive modifications, after which the authors re-released it, causing havoc around the world and crippling businesses in the United States, Europe, and Asia. This ransomware variant was referred to as “GlobeImposter V2” or “GlobeImposter 2.0.”

The impact of GlobeImposter V2 was so severe that between April and September 2019, GlobeImposter 2.0 accounted for an estimated 6.5% of all ransomware strains detected. One of the most high profile victims was A2 hosting, where it reports stated that for over a week, all Windows Server/Windows Desktop hosted systems were down to contain the ransomware outbreak, impacting a large number of disgruntled customers.

The hacking teams behind GlobeImposter sold the ransomware on the dark web for a fixed price plus a 10% fee for each successful ransom. In this ransomware-as-a-service model, the malware writers offered regular updates to the code to help its users stay one step ahead of security professionals.

There have been numerous versions of GlobeImposter, and cybersecurity experts are aware of at least five strains, with builds 726 (the original strain) and 792 (the re-released strain) having the most significant impact on end-users.

Distributors of GlobeImposter ransomware use various attack vectors to deliver the payload. One method, a “blank slate” spamming campaign, is a popular method of delivery. In this method, prospective victims receive a blank email with an anonymized malicious zip file attachment.  The aim is for the curious victim to open the attachment, which contains the GlobeImposter payload.

Cybersecurity experts have also reported the GlobeImposter ransomware as being packaged within hijacked application downloads as a free add-on. In such a case, GlobeImposter installs during the setup process of the application, and victims that skip or do not read the install process inadvertently install the payload.

How Does GlobeImposter Ransomware Work?

While each version of GlobeImposter works in a slightly different manner, all variants follow a basic pattern of behavior. After successfully infecting a victim’s computer, the malware pulls the payload from the Internet. Windows hibernation modes are then disabled to prevent the computer from going to sleep.

The payload copies itself to all available admin shares and copies auto-startup information and key variables in the Windows registry. The payload also clears RDP default settings, including the cached hostnames from the Remote Desktop Connection application. While experts are not entirely sure why this happens, it is likely a feature reserved for future use, or it might be a way to hide evidence of unauthorized access via an RDP vulnerability.

Next, the payload generates 2048-RSA encryption keys and checks in with a “command and control” server to create a unique user ID assigned to the victim’s device to prepare to encrypt files on the targeted computer. Before files are encrypted, GlobeImposter calls the process taskkill.exe and kills several running processes, including “sql,” “outlook,” “ssms,” “postgre,” “1c,” “excel,” and “word.” Killing these processes may improve the successful encryption rate of user files because if an associated application has a lock on a file, it would typically get bypassed by the ransomware.

After the encryption process has completed, a ransomware note is created within encrypted folders, demanding payment in bitcoin to unlock the files. The ransom note contains the email address to use to contact the malware distributor and a threat that the ransom will double every 48 hours, as well as the Unique ID generated during the deployment phases of the ransomware.

The ransom note contains directions for how to make the ransom payment and includes the address of a website on the darknet. The victim is required to upload one of the ransomware notes to the site. Then, the page reads the unique ID, generates a personalized ransom demand, and displays the bitcoin wallet for payment.  The site also contains a decryptor page where the victim can upload up to three files, which are unencrypted as proof the threat actors can unlock the files.

How Do I Prevent GlobeImposter Ransomware?

There is currently no publicly available decryptor for GlobeImposter ransomware virus. Fortunately, the majority of antivirus products and Windows’ built-in anti-malware application, Windows Defender, has been updated to identify the GlobeImposter application strings and block the malware.

Some antivirus products did not detect a variety of the first strains of GlobeImposter. Thankfully, this has now been resolved, with only a handful of lesser-known AV products not recognizing the signatures. This example is a good reminder that it is essential to ensure that you are running the very latest antivirus definitions.

Additionally, all servers need patching to the latest security levels. Proper patching ensures that your version of Microsoft Windows has protection against the latest known vulnerabilities. A regular update schedule should include daily antivirus updates, and sysadmins might want to consider deploying integrated anti-malware technology and endpoint monitoring solutions.

How Do I Remove GlobeImposter Ransomware?

Unfortunately, as there is no publicly available decryptor for GlobeImposter ransomware virus encrypted files, your only options are to pay the ransom and hope you get your files back and recover data that was lost or preferably, to restore from backup.

Tetra Defense never recommends paying a ransom to recover encrypted files unless it is the last resort. If you are in the untenable position of not having a backup for restoring data, and you urgently need your encrypted files back, we recommend you contact the incident response experts at Tetra Defense.

When it comes to ransomware incident response, Tetra Defense prioritizes restoration to get businesses back to where they were before the ransomware attack. We perform ransomware restoration and investigations simultaneously, so you return to normal operations as quickly as possible, while at the same time you are getting answers.

Our teams are standing by to focus on what matters most: your business! We will investigate the attack and perform an initial assessment to identify the best course of action to address the ransomware incident. If deemed necessary, we can conduct ransom negotiations and can facilitate payment of ransom.

We will remove the threat from your system, ensure that your network is secure, and conduct malware scans and network threat hunting. Tetra leverages each incident to learn from the ransomware attack and to discover the root cause. Once Tetra obtains decryption keys, we decrypt the data and get systems restored to full functionality as quickly as possible.

Example of Globe Imposter Ransom Note

Get Help with Globe Imposter Ransomware

If you’re ready to get help removing GlobeImposter ransomware from your critical systems, contact Tetra Defense’s incident response team today. We will reach out for an assessment and build a plan to get your network up and running once again.

Check out some related content on our blog: