In this article, you will learn about a recent ransomware, GlobeImposter, which is distributed through email.
What is GlobeImposter?
GlobeImposter is a ransomware-type malware that mimics Purge (Globe) ransomware. A new strain of GlobeImposter has been seen, and it is most likely distributed through email: the malicious code is compressed into a ZIP archive and sent to the end user. It encrypts files on victim machines and demands payment to retrieve them. GlobeImposter is also known as the Fake Globe ransomware family. It may be distributed through a malicious spam campaign, recognizable by the lack of any message body and an attached ZIP file.
Once the code is executed, the malicious payload is collected from a variety of different domains and starts encrypting files on the victim’s endpoint. Logs and Windows restore points are deleted, which makes any restoration attempt much more difficult. When the files have been encrypted, the victim is asked to pay a ransom fee of 0.3 bitcoins, around $1000, to retrieve the encryption key. The ransom must be paid within 48 hours, or the fee is doubled.
About the Threat:
The malware is assessed to be another strain of the GlobeImposter ransomware family, and it encrypts the files on the victim’s drive. Activity in PassiveTotal indicates that the strain was first released in August 2017 and was hosted on a variety of different IPs. As with other ransomware, system files are left alone, and only documents and other files valuable to the end user are encrypted. The malware is able to remove Windows backups and clean up logs post-infection.
- The new strain is distributed through an email with a zip archive containing a malicious JavaScript.
- The JavaScript will then contact different domains to collect malicious payload.
- Once the JavaScript inside the archive is executed, it tries to download the payload from the domains specified in it.
- The payload is saved in the user’s temp directory and executed directly after the download.
- The domains and IPs listed in the IOC section below were collected from two different active samples; reviewing the activity for ‘trombositting[.]org’ in PassiveTotal indicates that the domain has been hosted on several different IPs since the first of August 2017.
- The payload builds a simple .bat script that is used to clean up the machine before and after the encryption starts. RDP history, Windows shadow copies, and logs are removed from the infected endpoint.
- The extension ‘.726’ gets added to all encrypted files.
- The user is given 48 hours to pay a ransom of 0.3 bitcoins, around $1000. If the ransom is not paid within 48 hours, the fee is doubled. The victim may send one file to the criminals to be decrypted, to verify that the decryption works.
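The infection chain above gives a defender two concrete things to check for: a ZIP attachment that carries a script file, and files that suddenly gain the ‘.726’ extension. The following is an added example (not code from the original article or from any vendor) showing both checks in Python. The ZIP is inspected by member name only, so nothing inside it is extracted or run; the list of script extensions beyond ‘.js’ and the sample attachment and file listing are constructed assumptions for the demonstration.

```python
"""
Added example (not part of the original article): two defender-side checks
that follow the GlobeImposter infection chain described above.

  1. A mail-gateway style check that opens a ZIP attachment in memory and
     flags script members. The article describes a ZIP containing a malicious
     JavaScript file; the wider extension set below is an assumption.
  2. A file-system sweep that counts files carrying the '.726' extension the
     article says is appended to encrypted files, grouped by directory, so an
     analyst can see how far the encryption got.

The sample attachment and the file listing are constructed inline so the
script runs offline.
"""
import io
import zipfile
from collections import Counter
from pathlib import PurePosixPath, PureWindowsPath

# Assumed set of script extensions worth quarantining when they arrive in an
# emailed ZIP; '.js' is what the article reports, the rest are assumptions.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".hta"}

# Extension the article reports GlobeImposter appends to encrypted files.
ENCRYPTED_EXTENSION = ".726"


def script_members(zip_bytes: bytes) -> list[str]:
    """Return the names of ZIP members that look like scripts.

    Only the member names are examined (no extraction, no execution), so this
    is safe to run against untrusted attachments.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Check every suffix so a double extension such as
            # 'invoice.pdf.js' is still caught.
            suffixes = [s.lower() for s in PurePosixPath(info.filename).suffixes]
            if any(s in SCRIPT_EXTENSIONS for s in suffixes):
                found.append(info.filename)
    return found


def attachment_is_suspicious(zip_bytes: bytes) -> bool:
    """True when the archive carries at least one script member."""
    return bool(script_members(zip_bytes))


def encrypted_files_by_directory(paths: list[str]) -> dict[str, int]:
    """Count files per directory whose name ends in the ransomware extension."""
    counts: Counter = Counter()
    for path in paths:
        p = PureWindowsPath(path)
        if p.suffix.lower() == ENCRYPTED_EXTENSION:
            counts[str(p.parent)] += 1
    return dict(counts)


def build_sample_attachment() -> bytes:
    """Constructed sample: a ZIP with a double-extension JavaScript member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice_2017-08.pdf.js", "// placeholder text, not malware\n")
    return buf.getvalue()


def build_clean_attachment() -> bytes:
    """Constructed sample: a ZIP holding only a PDF-named document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("report.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


# Constructed file listing, as a sweep of an infected endpoint might return it.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.726",
    r"C:\Users\alice\Documents\notes.docx.726",
    r"C:\Users\alice\Pictures\holiday.jpg.726",
    r"C:\Users\alice\Pictures\readme.txt",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    print("script members:", script_members(build_sample_attachment()))
    print("clean attachment suspicious:", attachment_is_suspicious(build_clean_attachment()))
    print("encrypted files by directory:", encrypted_files_by_directory(SAMPLE_LISTING))
```

In practice the first check belongs at the mail gateway, before the archive ever reaches a user, and the second belongs in the incident-response triage of an endpoint: the per-directory counts tell you which user data was reached and therefore which backups need to be restored.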
The HTA file contains the ransom-demand message. The message is short compared to those of other ransomware and simply states that the files are encrypted and that a ransom of 1 Bitcoin must be paid to restore them. Decryption is not possible without a unique key; the cybercriminals store that key on a remote server, and victims are encouraged to pay for it. Paying does not guarantee that your files will ever be decrypted. If your computer has been infected with ransomware that cannot be decrypted, the problem can only be resolved by restoring your files and systems from a backup.
Similar ransomware shows the same behaviour and differs mainly in the type of cryptography used and the size of the ransom. Therefore, be very cautious when opening files received in suspicious emails or when downloading software from unofficial sources.
Data held hostage that is not returned to the user or deleted after the ransom has been paid can be used by threat actors to: 1. sell it on the black market, 2. build a profile of the user that they can use for fraud.
Symptoms:
Ransom.GlobeImposter runs silently in the background during the encryption phase and gives the user no indication of infection. Ransom.GlobeImposter may prevent the execution of antivirus programs and other Microsoft Windows security features and may block system restoration as a way to force payment. Ransom.Crptomix may display a warning after the victim machine has been encrypted.
Threat Summary:
- Name: GlobeImposter Virus
- Threat Type: Ransomware, Crypto virus, files locker
- Detection Names: Avast (FileRepMalware), BitDefender (Generic.Ransom.GlobeImposter.817E85C2), ESET-NOD32 (A variant of Win32/Filecoder.FV), Full List (VirusTotal)
- Symptoms: Can’t open files stored on your computer, previously functional files now have a different extension.
- Distribution methods: Infected email attachments (macros), torrent websites, malicious ads.
- Damage: All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and malware infections can be installed together with ransomware infection.
Things to do when your system gets Infected:
Step 1 for Removal of Virus:
For Windows XP and Windows 7 users:
- Start your computer in Safe Mode.
- Click Start, click Shut Down, click Restart, click OK.
- During your computer’s start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Options menu.
- Then select Safe Mode with Networking.
Windows 8 users:
- Start Windows 8 in Safe Mode with Networking.
- Go to the Windows 8 Start Screen.
- Type Advanced and select Settings.
- Click Advanced startup options – General PC Settings
- Click on Advanced startup.
- Click the ‘Restart now’ button – Computer will restart into the Advanced Startup options menu.
- Click the ‘Troubleshoot’ button.
- Click on ‘Advanced Options’.
- Click ‘Startup settings’, then the ‘Restart’ button.
- Press F5 to boot in Safe Mode with Networking.
Windows 10 users:
- Click on Windows logo and select the Power icon,
- Click ‘Restart’ while holding ‘Shift’ button.
- In ‘Choose an Option,’ click on ‘Troubleshoot.’
- Next, click on Advanced options.
- Select ‘Startup Settings’ in the menu and click on the ‘Restart’ button.
- Press the F5 key on your keyboard. This will restart your operating system in Safe Mode with Networking.
Step 2 for Removal of Virus:
- Go to the account infected with GlobeImposter virus.
- Start your Internet Browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan.
- Remove all entries detected.
- If your computer cannot start in Safe Mode with Networking, try performing a System Restore:
- During the computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears.
- Select Safe Mode and press ENTER.
- When Command Prompt mode loads, type cd restore and press ENTER.
- Next, type rstrui.exe and press ENTER.
- In the opened window, click Next.
- After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining GlobeImposter ransomware files.
The best way to avoid damage from ransomware infections is to maintain regular, up-to-date backups. Understanding how these infections work is an essential part of learning how to defend your system against them in the future. Applying common sense while browsing the web can save you a lot of trouble. Are you interested in knowing more about cybersecurity? Then head over to the latest topic, Yellow Camera, and how you can stay safe while using beautification apps.
The app named ‘Yellow Camera’ on Google Play is capable of reading SMS verification codes from system notifications. The malicious routine is hidden in the app and reads SMS verification codes from the system notifications, which it uses to activate Wireless Application Protocol (WAP) billing. The Yellow Camera app is quite popular in South Asian countries. The app targets users from these regions, and it is continuously expanding its target areas. A similar fraudulent app was detected by researchers on the iOS App Store.
Stay Updated. Stay Protected!