loader gif

A Glance At The Ever-evolving Globeimposter Ransomware

access, antivirus, attack, business, computer, concept, cyber, cybercrime, danger, data, encrypt, encrypted, encryption, hacker, immunization, infected, infection, information, internet, key, lock, macro, mail, malicious, malware, money, network, online, pay, phishing, piracy, pirate, protect, protection, ransom, ransomware, risk, safe, safety, secure, security, software, spam, spyware, technology
  • GlobeImposter, also known as Fake Globe, is primarily distributed through a Zip file that comes attached within malicious emails.
  • In some cases, it is also distributed via exploits, malicious advertising, fake updates and repacked infected installers.

Cyberattack instances involving Ransom.GlobeImposter, also known as GlobeImposter, are increasing over the year. The ransomware has not only evolved in terms of capabilities but has also spanned its infection across numerous organizations.

According to various reports, the ransomware strain along with its variants have appeared in relatively small, sporadic email campaigns. Between April and September 2019, GlobeImposter 2.0 accounted for 6.5% of all ransomware strains detected.

How does it spread?

GlobeImposter also known as Fake Globe is primarily distributed through a Zip file that comes attached within malicious emails. However, in some cases, it is also distributed via exploits, malicious advertising, fake updates and repacked infected installers.

How does it work?

Once the ransomware arrives on compromised computers, it creates the following files:

  • %Temp%\qfjgmfgmkj.tmp
  • %Temp%\hjkhkHUhhjp.bat
  • [PATH TO ENCRYPTED FILES]\how_to_back_files.html

Later it checks for the existence of the following file:

  • %Temp%\qfjgmfgmkj.tmp

If the file exists, the ransomware exits and does not infect the system. However, it goes on to infect systems in which the ransomware does not find the file.

GlobeImposter encrypts files on all drives on the compromised computer and appends them with .crypt extension.

After encrypting, the ransomware deletes shadow copies on the compromised computer and displays a ransom note. The ransom note asks the victim to make the payment in Bitcoins (between 1 and 10) for the files to be decrypted.

Variants

In 2018, the 360 TotalSecurity team had highlighted there are more than 20 varieties of GlobeImposter ransomware and is still growing wildly.

The most prominent of them is the GlobeImposter version 2.0. The variant has was first spotted in May 2019 infecting the operations of a US-based web hosting provider A2 for almost eight days.

The ransomware was also behind the attack on Auburn Food Bank in King County, Washington.

loader gif