GlobeImposter Ransomware: In-Depth Analysis, Detection, and Mitigation
What Is GlobeImposter Ransomware?
GlobeImposter (aka LOLKEK) ransomware has been in existence since 2016. It is usually distributed through phishing emails containing malicious or links to such attachments. Over the years, GlobeImposter has evolved with new versions and variations emerging regularly. The name “GlobeImposter” comes from its mimicry of Globe ransomware payloads. GlobeImposter is also related to TZW ransomware.
The ransomware has also been used in conjunction with some well-documented advanced persistent threat (APT) attacks. For example, in 2017, TA505 (aka G0092, GOLD TAHOE), began using GlobeImposter (replacing the likes of Jaff, GandCrab, and Snatch) to extend the reach and effectiveness of their campaigns.
How Does GlobeImposter Ransomware Work?
First observed in the wild starting in 2016, the name “GlobeImposter” is based on the ransomware’s mimicry of Globe ransomware payloads. Multiple new versions and variations of GlobeImposter have appeared in the years since. Frequently, these have been referred to by their extension (e.g., .DREAM, .Nutella, .NARCO, .LEGO). However, these are all part of the same umbrella malware family. In that same year, Emisoft released a decryption tool for early versions of GlobeImposter. Shortly after, the malware authors responded with an updated version for which no decryption tools are available.
GlobeImposter has also been distributed as a later-stage infection within some well-known botnets. For example, in 2017, GlobeImposter was distributed via the Necurs botnet. This occurred as part of multiple spam campaigns that also included 7zip archives and followed the execution flow previously described.
GlobeImposter is delivered via phishing email as an attachment, or a link to a malicious payload. Payloads are distributed as 7zip archives or similar. These archives contain the malicious JavaScript (.js) which is the GlobeImposter payload. Upon infection, victims are directed to a TOR-based URL (.onion) in order to initiate communication with the attackers.
How to Detect GlobeImposter Ransomware
The SentinelOne Singularity XDR Platform can identify and stop any malicious activities and items related to GlobeImposter Ransomware.
In case you do not have SentinelOne deployed, detecting GlobeImposter ransomware requires a combination of technical and operational measures designed to identify and flag suspicious activity on the network. This allows the organization to take appropriate action, and to prevent or mitigate the impact of the ransomware attack.
To detect GlobeImposter ransomware without SentinelOne deployed, it is important to take a multi-layered approach, which includes the following steps:
- Use anti-malware software or other security tools capable of detecting and blocking known ransomware variants. These tools may use signatures, heuristics, or machine learning algorithms, to identify and block suspicious files or activities.
- Monitor network traffic and look for indicators of compromise, such as unusual network traffic patterns or communication with known command-and-control servers.
- Conduct regular security audits and assessments to identify network and system vulnerabilities and ensure that all security controls are in place and functioning properly.
- Educate and train employees on cybersecurity best practices, including identifying and reporting suspicious emails or other threats.
- Implement a robust backup and recovery plan to ensure that the organization has a copy of its data and can restore it in case of an attack.
How to Mitigate GlobeImposter Ransomware
The SentinelOne Singularity XDR Platform can return systems to their original state using either the Repair or Rollback feature.
In case you do not have SentinelOne deployed, there are several steps that organizations can take to mitigate the risk of GlobeImposter ransomware attacks:
1. Educate Employees
Employees should be educated on the risks of ransomware, and on how to identify and avoid phishing emails, malicious attachments, and other threats. They should be encouraged to report suspicious emails or attachments, and to avoid opening them, or clicking on links or buttons in them.
2. Implement Strong Passwords
Organizations should implement strong, unique passwords for all user accounts, and should regularly update and rotate these passwords. Passwords should be at least 8 characters long, and should include a combination of uppercase and lowercase letters, numbers, and special characters.
3. Enable Multi-factor Authentication
Organizations should enable multi-factor authentication (MFA) for all user accounts, to provide an additional layer of security. This can be done through the use of mobile apps, such as Google Authenticator or Microsoft Authenticator, or through the use of physical tokens or smart cards.
4. Update and Patch Systems
Organizations should regularly update and patch their systems, to fix any known vulnerabilities, and to prevent attackers from exploiting them. This includes updating the operating system, applications, and firmware on all devices, as well as disabling any unnecessary or unused services or protocols.
5. Implement Backup and Disaster Recovery
Organizations should implement regular backup and disaster recovery (BDR) processes, to ensure that they can recover from ransomware attacks, or other disasters. This includes creating regular backups of all data and systems, and storing these backups in a secure, offsite location.
The backups should be tested regularly, to ensure that they are working, and that they can be restored quickly and easily.
GlobeImposter Ransomware FAQs
What is GlobeImposter ransomware?
GlobeImposter is a ransomware family that first appeared in 2017. It will encrypt your files and demand payment for decryption. The ransomware impersonates the original Globe ransomware but has distinct differences. You can identify it by its ransom notes and file extensions. GlobeImposter has evolved through multiple variants and continues to target vulnerable systems.
Who is the target audience of GlobeImposter ransomware?
GlobeImposter primarily targets small to medium businesses and educational institutions. They will attack organizations with valuable data and weak security. If you work in healthcare or finance, you’re at higher risk. The attackers look for victims who can pay ransoms but lack robust security. You should be especially vigilant if your organization has limited IT resources.
What encryption methods does GlobeImposter ransomware use?
GlobeImposter uses a combination of AES-256 and RSA-2048 encryption algorithms. It will encrypt your files with AES and protect the encryption key with RSA. You cannot break this encryption without the private key. The ransomware generates unique keys for each infection. They will store the only copy of the decryption key on their servers.
What file extensions are appended by GlobeImposter ransomware?
GlobeImposter adds extensions like .crypt, .decrypt2017, and .GlobeImposter to encrypted files. You will see these appended to your original filenames. The ransomware sometimes uses random character strings instead. They will modify all supported file types on your system. Different variants use different extension patterns, but all make files inaccessible.
How does GlobeImposter gain initial access to a victim's system?
GlobeImposter typically enters systems through phishing emails with malicious attachments. They will also exploit weak RDP passwords through brute force attacks. If you have exposed RDP ports, you’re at high risk. The attackers sometimes use trojanized downloads and compromised websites. You should be wary of unexpected email attachments, even from familiar senders.
What ransom note does GlobeImposter leave behind?
GlobeImposter leaves ransom notes named “how_to_back_files.html” or similar variations. The note will contain payment instructions and contact information. You will find these HTML files in folders with encrypted data. They will typically demand Bitcoin payment. The note includes a unique victim ID and deadline for payment before price increases.
What are the indicators of compromise (IOCs) for GlobeImposter?
IOCs for GlobeImposter include ransom notes named “how_to_back_files.html” and files with suspicious extensions. You will see registry modifications for persistence. The ransomware creates specific mutexes to prevent reinfection. They will contact command and control servers. You should check for unusual PowerShell commands and disabled security services in logs.
How can I detect if my system is infected with GlobeImposter?
You can detect GlobeImposter by looking for files with extensions like .crypt or .GlobeImposter. If you cannot open your documents and see ransom notes, you’re infected. The ransomware will leave HTML files in multiple folders. You might notice performance issues during encryption. They will often disable Windows Defender and other security tools.
How can I prevent a GlobeImposter ransomware infection?
You can prevent GlobeImposter by implementing strong email filtering and security awareness training. Secure or disable RDP services if not needed. You should apply security patches regularly to all systems. Back up your data frequently and store backups offline. They will have harder time spreading if you segment your network properly.
Are antivirus or EDR solutions effective against GlobeImposter?
Most updated antivirus solutions can detect known GlobeImposter variants. You should keep these security tools current with latest signatures. The more advanced EDR solutions will catch suspicious behaviors. If you use behavior-based detection, you’re better protected against new variants. They will have trouble evading layered security approaches.