GlobeImposter was first observed in December 2016 in enterprise cloud environments. The name refers to its imitation of the earlier Globe ransomware family, and it is also tracked under several other names, including Fake Globe, GlobeImposter NextGen, FakeGlobeImposter and GlobeImposterImitator, among others.
Name: GlobeImposter
First Seen: December 2016
GlobeImposter targets specific file types; those it is known to encrypt are listed below.
Some ransomware updates a file's last-modified timestamp when it encrypts it, and GlobeImposter does: because the encrypted file is written at encryption time, its last-modified time marks when it was encrypted. A burst of recently modified files carrying an unfamiliar appended suffix is therefore a usable detection and timelining signal.
Some ransomware changes or appends a suffix to the file name after encryption, which may replace the original extension. These are suffixes GlobeImposter is known to append; it has used a large number of them over time, and several embed an attacker contact e-mail address.
Suffixes
.hotprice8, .SEXY+, .crypted_nakanishi@india_com, .Rooster4444, .[Zfile@Tuta.Io], .write_us_on_email, .apk, .suddentax, .sea, .crypt, .[paradisecity@cock.li].arena, .pizdec, .FIX, .keepcalm, .FIXI, .vdul, .2cXpCihgsVxB3, .hNcrypt, .virginprotection, .oni, .707, .s1crypt, .au1crypt, .GOTHAM, .HAPP, .{asnaeb7@india.com}.BRT92, .725, .skunk, .mtk118, .coded, .astra, .492, .490, ..txt, .rumblegoodboy, .0402, .4035, .trump, .{saruman7@india.com}.BRT92, .lock, .BUSH, .f1crypt, .clinTON, .nopasaran, .crypted_steffevendeng@post_com, .911, .f41o1, .foste, .MAKGR, .pliNGY, .POHU, .foster, .fuck, .Chartogy, .crypted_urid@aaathats3as.com, .CHAK, .LIN, …doc, .decoder, .crypted_yoshikada@cock_lu, .
Not all ransomware leaves a note, but many families leave the victim instructions for contacting the operator and paying the ransom, usually by transferring bitcoin or another cryptocurrency to a designated wallet.
Below are the note types, file names and locations where Elastio has found GlobeImposter ransom notes. A location of EveryFolder means the note is dropped into each folder in which files were encrypted.
Type  File Name                   Location
file  Help Restore.hta            EveryFolder
file  recover files.hta           EveryFolder
file  read_it.txt                 EveryFolder
file  read-me.txt                 EveryFolder
file  how_to_back_files.html      EveryFolder
file  RECOVERY_DARKBIT.txt        EveryFolder
file  Read___ME.html              EveryFolder
file  free_files!.html            EveryFolder
file  RECOVER-FILES.html          EveryFolder
file  #HOW_DECRYPT_FILES#.html    EveryFolder
file  $DECRYPT_YOUR_FILES$.html   EveryFolder
file  !back_files!.html           EveryFolder
file  here_your_files!.html       EveryFolder
file  !your_files!.html           EveryFolder
file  YOU_FILES_HERE.txt          EveryFolder
file  !SOS!.html                  EveryFolder
file  READ_IT.html                EveryFolder
file  instructions.html           EveryFolder
file  READ__ME.html               EveryFolder
file  HOW_TO_BACK_FILES.txt       EveryFolder
file  support.html                EveryFolder
file  Restore-My-Files.txt        EveryFolder
file  HOW_RECOVER.html            EveryFolder
file  !INSTRUCTI0NS!.TXT          EveryFolder
file  how_to_open_files.html      EveryFolder
file  help you.txt                EveryFolder
file  Decryption INFO.html        EveryFolder
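The three traits described above (an appended suffix, a ransom note in every affected folder, and a refreshed last-modified time) can be combined into a simple triage pass over a file listing. The script below is an added example written for this page; it is not Elastio's code and not derived from any GlobeImposter sample. It uses a subset of the suffixes and note names listed on this page, a constructed eight-file listing that is not from a real incident, and two arbitrary tuning choices of my own: a five-minute window and a minimum of three encrypted files to count as a burst.

```python
"""Triage a file listing for the GlobeImposter traits described above:
appended suffixes, a ransom note in every affected folder, and a burst
of last-modified timestamps at encryption time."""
import ntpath
from datetime import datetime, timedelta

# Subset of the suffixes listed on this page. Windows paths are
# case-insensitive, so matching is case-insensitive too; endswith() rather
# than splitext() keeps multi-part suffixes such as "[...].arena" whole.
GLOBEIMPOSTER_SUFFIXES = (
    ".crypt", ".725", ".707", ".GOTHAM", ".HAPP", ".BUSH", ".astra", ".trump",
    ".FIX", ".keepcalm", ".lock", ".apk", ".sea",
    ".[paradisecity@cock.li].arena", ".{asnaeb7@india.com}.BRT92",
)
# Suffixes that also occur on benign files (lock files, Android packages);
# only counted when the same folder holds a ransom note.
GENERIC_SUFFIXES = {".lock", ".apk", ".sea"}
# Subset of the note file names listed on this page, lower-cased.
RANSOM_NOTE_NAMES = {
    "help restore.hta", "recover files.hta", "read_it.txt", "read-me.txt",
    "how_to_back_files.html", "recovery_darkbit.txt", "read___me.html",
    "#how_decrypt_files#.html", "$decrypt_your_files$.html",
    "!back_files!.html", "!sos!.html", "decryption info.html",
    "restore-my-files.txt",
}

# Constructed sample listing (path, last-modified time); not from a real
# incident. Three files in two folders were "encrypted" within 40 seconds.
SAMPLE_LISTING = [
    (r"C:\Users\alice\Documents\budget.xlsx.725", "2017-11-30T09:14:02"),
    (r"C:\Users\alice\Documents\plan.docx.725", "2017-11-30T09:14:05"),
    (r"C:\Users\alice\Documents\Read___ME.html", "2017-11-30T09:14:05"),
    (r"C:\Users\alice\Pictures\holiday.jpg.725", "2017-11-30T09:14:40"),
    (r"C:\Users\alice\Pictures\Read___ME.html", "2017-11-30T09:14:41"),
    (r"C:\Users\alice\Downloads\app.apk", "2017-10-02T18:00:00"),  # benign .apk
    (r"C:\Users\bob\build\cache.lock", "2017-11-30T09:14:10"),    # benign .lock
    (r"C:\Users\alice\Music\song.mp3", "2017-09-01T12:00:00"),
]


def matched_suffix(name):
    """Return the GlobeImposter suffix that 'name' ends with, or None."""
    lowered = name.lower()
    for suffix in GLOBEIMPOSTER_SUFFIXES:
        if lowered.endswith(suffix.lower()):
            return suffix
    return None


def triage(listing, window=timedelta(minutes=5), min_burst=3):
    """listing: iterable of (path, ISO-8601 mtime). Returns the folders that
    hold a ransom note, the files judged encrypted (oldest first), and the
    (start, end, count) windows in which at least min_burst of them were
    written within 'window' of the first."""
    records = [(path, datetime.fromisoformat(ts)) for path, ts in listing]
    note_dirs = {ntpath.dirname(path).lower() for path, _ in records
                 if ntpath.basename(path).lower() in RANSOM_NOTE_NAMES}
    encrypted = []
    for path, mtime in records:
        suffix = matched_suffix(ntpath.basename(path))
        if suffix is None:
            continue
        if suffix in GENERIC_SUFFIXES and ntpath.dirname(path).lower() not in note_dirs:
            continue  # a lone .lock/.apk with no note beside it is not evidence
        encrypted.append((path, mtime))
    encrypted.sort(key=lambda rec: rec[1])

    bursts, group = [], []
    for rec in encrypted:
        if group and rec[1] - group[0][1] > window:
            if len(group) >= min_burst:
                bursts.append((group[0][1], group[-1][1], len(group)))
            group = []
        group.append(rec)
    if len(group) >= min_burst:
        bursts.append((group[0][1], group[-1][1], len(group)))

    return {
        "note_dirs": sorted(note_dirs),
        "encrypted": [path for path, _ in encrypted],
        "bursts": bursts,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(key, value)
```

On a real host the listing would come from os.walk over the volume or from a backup manifest; the point of the burst window is to recover the encryption timeframe for the incident timeline. Generic suffixes such as .lock and .apk are deliberately only accepted when the same folder carries a note, because the page's suffix list overlaps with names benign software uses every day.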
These are file names under which undetonated GlobeImposter payloads have been observed. Several of them imitate legitimate Windows binaries (svchost.exe, conhost.exe, winlogon.exe, cmd.exe) or typosquat them (wlnlogon.exe), and some are names assigned by analysts or sandboxes rather than by the malware (Trojan.Ransom.GlobeImposter.exe, the extract-...raw entries), so treat a name match as a prompt to check the file's hash and path, not as confirmation by itself.
Executables
cyber_chinya.exe, подтверждение.exe, gen_vk.exe, 2-0.5.exe, oni.exe, oni.exe_org, 9b.exe, d104.exe, kqhtzxaerb.exe, StandardSignals, Shown, spacelol.kaf_decrypted, Июль – новый документ.scr, Копия за июль.scr, DOCU11072017 – копия.scr, file.scr, – .scr, Trojan.Ransom.GlobeImposter.exe, Purgen.exe, GlobeImposter_Gotham_Variant.exe, svchost.exe, globeimposter_gotham_variant.exe, GlobeImposter_Happ_or_Crypt_Variant.exe, PascalABCNET.exe, 26591.exe, executable.exe, HPLaserJetService.exe, globe.exe, 3, 3.2, INV-000342.vbs, System.exe, 1.dat, 113810.exe, 174394.exe, 1.dat.exe, Modifiable Irqs, Interl thesaurus service.exe, 30.exe, 30.11.2017.scr, 2.exe, 30 .scr, 30 октября.scr, globeimposter.exe, 1.exe, moi_09_11_2017.exe, chess.exe.old, chess.exe, GlobeImposter.exe, 06c82e99.gxe, UYTd46732, UYTd46732.exe, 06.12.17.scr, 06.12.scr, tOldHSYW, extract-1513991782.382514-HTTP-FOSLGGC6wGdwbGkB3.raw, extract-1513991782.382514-HTTP-FOSLGGC6wGdwbGkB3 (3).raw, extract-1513991782.382514-HTTP-FOSLGGC6wGdwbGkB3 (2).raw, extract-1513991782.382514-HTTP-FOSLGGC6wGdwbGkB3 (1).raw, file.exe, rWRCCRTqJ2.exe, tOldHSYW.exe, d42fe4c0-e9b5-11e7-9688-80e65024849a.file, a (144).exe, virus (110).exe, 3c701aa9.gxe, myfile.exe, toldhsyw.exe, Nbd, 22 января 2018.scr, 22 янв.scr, 22 янв.xxx, 22 янв.scr (3), 22 .scr, 64secondmix.exe, service_viewer.exe, IntelManagerService.exe, suspect01.exe, Resume.doc.bin, conhost.exe, cmd, Intel Core Update.exe, globeimposter, SEXY3.EXE, 勒索.exe, test_v.doc, svhost.exe, font.bin, font.exe, 1anami2.exe, abat.exe, cmd.exe, _ski_.exe, BulkFileChanger, BulkFileChanger.exe, 43755.exe_, graf, Graf_b2.exe, velasquez.joeli.exe, TlJjg.bin, rdfg546fgh.exe, dplaysvr.exe, ChromeSetup.exe, 9CXZLII4.exe, _lio_.exe, DJ0507.EXE, tanos.exe, Erenahen.exe, _gke_.exe, _ayr_.exe, d_upd1008.exe, SYSTEM.EXE, lorena.bin, HAPPYTHREE.EXE, _aro.exe, __aro.bin, lockisdog.bin, lockisdog.exe, _yosKa4_.exe, IntelTheasurusService.exe, lock.exe, HAPPYTHREE.EXE.exe, winlogon.exe, bit.exe, sb_373999_bs, 8curse.exe, 重要書類.exe, darkbit.exe, Tenorshare 4mekeyy.exe, wlnlogon.exe, TuRKey_RanSOmWarE.exe, System.ini.exe, TuRKey_RanSOmWarE.bin, Netflorist Coupon Generator.exe, Netflorist.exe, f0l883C310jlvRp.exe, clown.exe, ETH 200.exe, sql_service.exe, software.exe, star.exe, 1[1].dat, apkcrypt.exe, zmt.exe, rooster4444.exe, xrzrgjts.exe, ADOBE ACROBAT UPDATE SERVICE.EXE, FastEncrypt.EXE, _nak_.exe
Ransomware often directs victims to external resources such as payment pages or Telegram contacts. Below are the URLs Elastio has found associated with GlobeImposter.
External Pages