GlobeImposter Ransomware on the Rise

August 16, 2017  |  Danielle Russell

Ah, the summer anthem. That quintessential song that defines summertime as much as hot nights, barbeques, and beach vacations. Whether it’s the Beach Boys’ “I Get Around” (1964), Springsteen’s “Dancing in the Dark” (1984), or Pearl Jam’s “Last Kiss” (1999), the summer anthem is transcendent, yet perfectly emblematic of its time.

If InfoSec had a 2017 summer anthem, we might be hearing Taylor Swift or Drake singing about ransomware. Wouldn’t that be catchy? That’s because global ransomware campaigns like WannaCry and NotPetya have largely defined the summer season this year, and now, there’s a new ransomware remix topping the charts—GlobeImposter 2.0.

Originally detected in March 2017, GlobeImposter 2.0 targets Windows systems and is being distributed through malicious email attachments (MalSpam). In recent weeks, we’ve seen a surge in activity in the Open Threat Exchange (OTX) around GlobeImposter and its many variants. Thus, it’s important to understand how the ransomware initiates, spreads, and evades detection.

GlobeImposter Ransomware at a Glace

Distribution Method: Malicious email attachment (MalSpam)

Type: Trojan

Target: Windows systems

Variants: many (see below)

How GlobeImposter Works

The recent GlobeImposter attacks have largely been traced to MalSpam campaigns—emails carrying malicious attachments. In this case, the email messages appear to contain a .zip attachment of a payment receipt, which, in reality, contains a .vbs or .js malware downloader file.

Sample email subject lines include:

  • Receipt#83396
  • Receipt 21426
  • Payment-421
  • Payment Receipt 222
  • Payment Receipt#97481
  • Payment Receipt_8812
  • Receipt-351
  • Payment Receipt_03950

Once the attachment is downloaded and opened, the downloader gets and runs the GlobeImposter ransomware. You can get a list of known malicious domains from the GlobeImposter OTX pulse here. Note that some of the known malicious domains are legitimate websites that have been compromised.

Like other pieces of ransomware, GlobeImposter works to evade detection while encrypting your files. After encryption is complete, an HTML ransom note is dropped on the desktop and in the encrypted folders for the victim to find, including instructions for purchasing a decryptor. There are no known free decryptor tools available at this time.

You can read a detailed analysis of a sample of GlobeImposter at the Fortinet blog, here and at Malware Traffic Analysis, here.

GlobeImposter Variants on the Rise

What’s striking about the recent uptick in GlobeImposter ransomware activity is the near-daily release of new variants of the ransomware. Lawrence Abrams at BleepingComputer has a nice rundown of new GlobeImposter variants and file extensions being shared across Twitter and other sources. They include .725, .726, .crypt, .pscrypt, .rose, .ocean, .sea, .490, .492, .lego, .mtk188, .coded, .zuzya, .unlis, .granny, (and yes, even .trump) and more.

It’s likely that new variants, extensions, and other indicators of compromise will evolve in the coming weeks. To stay on the lookout for GlobeImposter ransomware activity, you can subscribe to the OTX pulse here.

It looks as though even after summer ends, ransomware will continue to be a dominate InfoSec threat in 2017. What’s more, with ransomware as a service being legitimized and distributed to new and novice threat actors, more small and medium-sized organizations will likely be targeted. It’s essential to have the right threat detection and incident response tools in place to be able to move quickly when a ransomware attack happens. Read on below to find out how AlienVault helps resource-limited IT security teams do exactly that.

Apart from that, as Harry Styles so appropriately crooned in his 2017 summer anthem, “Stop your crying, baby, it’s a sign of the times.”

How AlienVault Can Help

The AlienVault Unified Security Management (USM) platform brings together the essential security capabilities needed to quickly detect and respond to ransomware attacks like GlobeImposter: asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, SIEM, and log management.

As new threats emerge and existing threats evolve, the AlienVault Labs Security Research Team delivers continuous and automatic threat intelligence updates directly to the USM platform, so you always have the latest threat information about the threat actors, their methods, infrastructure, and tools. This threat intelligence is delivered in ready-to-use formats: correlation rules, IDS signatures, remediation guidance, and more, saving you the time and effort you would have spent in researching threats and operationalizing threat detection and response.

The AlienVault Labs Security Research Team recently updated the known threat information related to GlobeImposter, delivering the updates directly to all USM Anywhere and USM Appliance systems. Learn more about this update and other threat intelligence updates made in the Threat Intelligence Update summary posted on Forums.

One of the threat data sources that the AlienVault Labs Security Research Team leverages is the Open Threat Exchange (OTX), the world’s first truly open and free threat intelligence community that enables collaborative defense with actionable, community-powered threat data. OTX has 65,000 users, who contribute over 14 million pieces of threat data daily. The labs team analyzes those indicators through machine learning with human validation. So, AlienVault USM platform users get the best threat intelligence from the AlienVault Labs Security Research Team, backed by the power of community-sourced threat data from the global InfoSec community. Even if you’re not an AlienVault USM platform user, you can still join and participate in OTX. It’s free to join, so sign up today!

To learn more about ransomware and how to defend against it with the AlienVault Unified Security Management (USM) platform, download our new “Beginner’s Guide to Ransomware.”

Share this with others

Get price Free trial