
GlobeImposter Ransomware

Globeimposter 2.0 Ransomware Profile

GlobeImposter first appeared in August 2017. It is also known as Fake Globe because it imitates the Globe ransomware family. In early 2019, GlobeImposter was modified several times until its creators arrived at its most dangerous version, GlobeImposter V2 or GlobeImposter 2.0. It has attacked organisations of all sizes on every continent, causing major damage. GlobeImposter accounted for 6.5% of all ransomware attacks between April and September 2019.

It is also a ransomware that its creators offer for sale on the dark web, taking a 10% commission on each successful attack. The creators promote it by promising free, regular updates of the code; in this way they guarantee the effectiveness of the attacks so that would-be cyber criminals prefer it over competing families. Finally, while there are several variants, 5 of them have been identified.

What is the amount of ransom requested?

The average ransom demand, according to February 2021 figures, is $105,000, with demands generally ranging from $7,500 to $70,000. GlobeImposter operators target both large and small businesses, so the amount requested varies widely and can be either very low or very high.

It is worth noting that the GlobeImposter operators have a record of delivering a working decryption tool once the victim has paid the ransom.

Globeimposter 2.0 Table Profile

Name: GlobeImposter 2.0 Virus / GlobeImposter 2.0 Ransomware
Attack level: Very serious. The danger is very high: the system is modified and files are encrypted.
OS affected: Windows
Release date: August 2017
Appended file extensions: .CRYPT, .PSCrypt, .FIX, .FIXI, nCrypt, .Virginlock, .keepcalm, .pizdec, crypted!, .write_us_on_email, .write_on_email, .write_me_[email], A1CRYPT, .hNcyrpt, .cryptall, .402, .4035, .4090, .4091, 452, .490, .707, .725, .726, .911, .cryptch, .ocean, .nopasaran, .s1crypt, .scorp, .sea, .skunk, .3ncrypt3d, .707, .medal, .FIXI, .TROY, .VAPE, .GRAF, .GORO, .MAKB, .HAPP, .BRT92, .HAIZ, .MORT, .MIXI, JEEP, .BONUM, .GRANNY, .LEGO, .RECT, .UNLIS, .ACTUM, .ASTRA, .GOTHAM, .PLIN, .paycyka, .vdul, .2cXpCihgsVxB3, .rumblegoodboy, .needkeys, .needdecrypt, .bleep, .help, .zuzya, .f1crypt, .foste, .clinTON, .ReaGAN, .Trump, .BUSH, .C8B089F, .decoder, .Uridzu, .f*ck, .Ipcrestore, .encen, .encencenc, .{email@aol.com}BIT, [email@cock.li].arena, .waiting4keys, .black, .txt, .doc, .btc, .wallet, .lock, .FREEMAN, .apk, .crypted_yoshikada@cock_lu (Yoshikada Decryptor), .crypted_zerwix@airmail_cc (Zerwix Decryptor), .suddentax, .XLS, .Nutella, .TRUE, TRUE1, .SEXY, .SEXY3, .SKUNK+, BUNNY+, .PANDA+, .ihelperpc, .irestorei, .STG, [.dsupport@protonmail.com], .legally, .BAG, .bad, .rose, .MTP
Ransom note: easily visible, named HOW_OPEN_FILES.hta or how_to_back_files.html
Contact with attacker: via email address keepcalmpls@india.com, happydaayz@aol.com, strongman@india.com, byd@india.com, xalienx@india.com, 511_made@cyber-wizard.com, btc.me@india.com, bizarrio@pay4me.in, mattpear@protonmail.com, btc2017@india.com, parbergout@keemail.me, parbergout@india.com, chrispatten@tutanota.com

What is the timetable of such an incident?

The period of full recovery after a Globeimposter attack is shorter than in other ransomware cases. This is due to the automated TOR site used for both the payment of ransom and the delivery of the decryption tool.

How do I know that I have been a victim of GlobeImposter?

There are several signs that you have been a victim of GlobeImposter 2.0 ransomware:

  • The most common sign is a message stating that your data has been encrypted and that you must pay a ransom in bitcoin to recover your files.
  • The hard disk appears to be processing data without pause.
  • File names and/or extensions change to .crypt, .PSCrypt, .PPTX, .satana, .niceweekend, .horriblemorning, etc.
  • The desktop appears to have changed.
  • The antivirus is deactivated and cannot be started.
  • CPU usage is at 100% even when you are not using any applications.
  • Your computer responds extremely slowly to new commands.

The most common methods of attacking

The most common methods of attack are phishing emails and unprotected RDP (Remote Desktop Protocol).

Attackers come in through an exposed RDP port or through phishing emails. With phishing they redirect the end user to a malicious website or trick them into downloading a malicious attachment. In this way, GlobeImposter attackers exploit an organisation's weaknesses to get into the network and spread through it.

In particular, attackers use a spam technique in which an empty message is accompanied only by a zip file. This plays on the curiosity of the end user, who may eventually fall into the trap and choose to decompress the zip file, at which point the attacker has effectively got the user to run the ransomware file without realising it. Another common route of infection is downloading pirated software and films from torrent websites.

How does Globeimposter 2.0 work?

In general, all variants of Globeimposter follow a basic pattern of behavior.

GlobeImposter runs silently in the background during the encryption phase, without the user realising that an infection is under way.

It also very often prevents antivirus programs and other Microsoft Windows security settings from running. Moreover, Ransom.Cryptomix may display a warning message after the encryption process. GlobeImposter 2.0 encrypts files with AES-256.

More specifically, the payload is copied to all reachable parts of the system and clears the default RDP settings, including cached hostnames from the Remote Desktop Connection application. The payload then generates 2048-bit RSA encryption keys and checks in with a "command and control" server to create a unique identifier for the victim's device. Before encrypting files, it uses taskkill.exe to terminate several processes, such as those whose names contain "sql", "outlook", "sssm", "postgre", "1c", "excel" and "wor", so that the files they hold open can be encrypted and the encryption rate improves.

Finally, after the encryption process is complete, a ransom note is created in the encrypted folders, demanding payment in bitcoin. This note often contains:

  • A threat that the ransom will double every 48 hours.
  • The unique identifier produced during the deployment phase of the ransomware.
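The pre-encryption step described above (a burst of taskkill.exe calls against database and Office processes) is something a defender can look for in process-creation telemetry. The following is an added example, not code from this page or from Tictac; the events are constructed in the shape of Sysmon Event ID 1 / Security 4688 fields, and the host names, paths and the 60-second window are assumptions.

```python
import re
from collections import defaultdict

# Process-name fragments the page says the payload kills via taskkill.exe
# before encryption (quoted as on the page, including "sssm" and "wor").
TARGET_FRAGMENTS = ("sql", "outlook", "sssm", "postgre", "1c", "excel", "wor")
TASKKILL = r"C:\Windows\System32\taskkill.exe"

# Constructed process-creation events (not real telemetry), reduced to
# (timestamp in seconds, host, image path, command line).
SAMPLE_EVENTS = [
    (1, "FS01", TASKKILL, "taskkill /F /IM sqlservr.exe"),
    (2, "FS01", TASKKILL, "taskkill /F /IM outlook.exe"),
    (3, "FS01", TASKKILL, "taskkill /F /IM postgres.exe"),
    (4, "FS01", TASKKILL, "taskkill /F /IM excel.exe"),
    (40, "WS07", TASKKILL, "taskkill /IM notepad.exe"),   # a user closing an app
    (41, "WS07", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

IM_RE = re.compile(r'/im\s+"?([^\s"]+)', re.IGNORECASE)

def killed_target(image, cmdline):
    """Return the process name targeted by taskkill.exe /IM when that name
    contains one of the fragments above; None for anything else."""
    if not image.lower().endswith("\\taskkill.exe"):
        return None
    match = IM_RE.search(cmdline)
    if not match:
        return None
    name = match.group(1).lower()
    return name if any(frag in name for frag in TARGET_FRAGMENTS) else None

def detect_kill_bursts(events, min_kills=3, window=60):
    """Alert per host when at least min_kills distinct targeted processes are
    killed within `window` seconds: one kill is routine admin work, a burst
    against database and Office processes is the pre-encryption pattern."""
    kills = defaultdict(list)
    for ts, host, image, cmdline in sorted(events):
        target = killed_target(image, cmdline)
        if target:
            kills[host].append((ts, target))
    alerts = {}
    for host, hits in kills.items():
        for i, (t0, _) in enumerate(hits):
            names = sorted({name for ts, name in hits[i:] if ts - t0 <= window})
            if len(names) >= min_kills:
                alerts[host] = names
                break
    return alerts
```

Running `detect_kill_bursts(SAMPLE_EVENTS)` flags FS01 only; the single notepad kill on WS07 stays below the threshold.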

Ransomware note types

GlobeImposter attackers usually leave a visible announcement that is easy to find. The note also includes information on how to communicate with the attacker. It usually has the following file name: "how_to_back_files.html".

.hta Notice

The most common note is a simple phrase, informing the victim that his files have been encrypted and that a decryption tool is needed to retrieve them. In addition, attackers provide more instructions concerning bitcoin webpages that are useful for the victim in case he pays the ransom. Furthermore, attackers ask for a screenshot of payment and provide the victim an e-mail address to send it.

HTML file

In general, GlobeImposter 2.0 attackers leave an HTML file named "how_to_back_files.html", which contains all the information needed to communicate with the attackers and retrieve your files. The same file is sometimes stored as a .txt file instead.

The ransom note can therefore be HTML. In that case it carries an obvious message such as "YOUR FILES ARE ENCRYPTED! Don't worry, you can return all your files!...". The victim is told that the encryption is very strong and that the only method of recovery is to buy the necessary decryption tool. The attackers then recommend creating an email account at protonmail.com or cock.li to enable communication, and ask for an email from the new address so that they can identify the victim and send further instructions on decrypting the files.

No Ransom Note At All

Sometimes attackers may not leave any note at all and there is a file that contains hacker email: “file name.[ext].crypted_bizarrio@pay4me_in”.

Ransomware file extensions

File extensions depend on the GlobeImposter variant. However, the most common extensions are: .bad; .BAG; .FIX; .FIXI; .legally; .keepcalm; .pizdec; .virginlock[byd@india.com]SON; .[xalienx@india.com]; .725; .ocean; .rose; .GOTHAM; .HAPP; .write_me_[btc2017@india.com]; .726; .490; .skunk.
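The ransom note names and the extension patterns above (a known suffix, an appended "[email]", or the no-note ".crypted_user@domain_tld" form) are enough to triage a file share and find which folders were hit. This is an added example, not code from this page or from Tictac; it builds a constructed directory of empty files in a temporary location and reports on it.

```python
import os
import re
import tempfile

# Extensions the page lists as the most common for GlobeImposter variants.
KNOWN_EXTS = {".bad", ".bag", ".fix", ".fixi", ".legally", ".keepcalm", ".pizdec",
              ".725", ".ocean", ".rose", ".gotham", ".happ", ".726", ".490", ".skunk"}
# Ransom note names from the page; the HTML note is sometimes stored as .txt.
NOTE_NAMES = {"how_open_files.hta", "how_to_back_files.html", "how_to_back_files.txt"}
# Email-style suffixes: "[addr]" appended to the name, or ".crypted_user@domain_tld"
# (the no-note variant writes the domain's dot as an underscore).
EMAIL_SUFFIX_RE = re.compile(r"\[[^\]]+@[^\]]+\]|\.crypted_[^.]+@[^.]+$")

def classify(filename):
    """Return 'note', 'encrypted' or None for one file name (case-insensitive)."""
    lower = filename.lower()
    if lower in NOTE_NAMES:
        return "note"
    if os.path.splitext(lower)[1] in KNOWN_EXTS or EMAIL_SUFFIX_RE.search(lower):
        return "encrypted"
    return None

def triage(root):
    """Walk a tree; list notes and encrypted files, and count hits per folder
    so the most affected shares can be isolated and restored first."""
    report = {"note": [], "encrypted": [], "hit_dirs": {}}
    for dirpath, _, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in files:
            kind = classify(name)
            if kind is None:
                continue
            report[kind].append(f"{rel_dir}/{name}")
            if kind == "encrypted":
                report["hit_dirs"][rel_dir] = report["hit_dirs"].get(rel_dir, 0) + 1
    report["note"].sort()
    report["encrypted"].sort()
    return report

def build_sample_tree():
    """Create a constructed tree of empty files (not a real infection) for a demo."""
    root = tempfile.mkdtemp(prefix="gi_demo_")
    for rel in ("docs/report.docx", "docs/report.docx.ocean", "docs/HOW_OPEN_FILES.hta",
                "finance/q1.xlsx.[xalienx@india.com]", "finance/how_to_back_files.html",
                "media/photo.jpg.crypted_bizarrio@pay4me_in", "media/clean.png"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root
```

`triage(build_sample_tree())` returns two notes, three encrypted files and one hit per folder; on a real share, run it read-only from a clean workstation against the mounted volume.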

Can I unlock files encrypted by Globeimposter?

The most common procedure is to pay the ransom and then receive a decryption tool. Using the decryption key, the victim can decrypt the files manually. Although no one can guarantee that you will receive the decryption tool after paying, GlobeImposter attackers have historically been reliable.

However, if the victim does not receive the decryption key, the data is in serious danger: the attackers may sell the organisation's data on the black market or use it to build a profile of the victim for further fraud.

Therefore, a consistent investment in cybersecurity is the best antidote to prevent future attacks.

Advice in case you are a victim of GlobeImposter 2.0 Ransomware

If you are a victim of GlobeImposter, you should act immediately. Shut down the affected computer or server properly and disconnect all devices from the network at once. You must also disconnect storage devices and online cloud storage.

Under no circumstances should you negotiate or try to remove GlobeImposter on your own. Contact Tictac's experts, who have the knowledge and experience to help you fully recover your files. It is undeniable that a professional response to ransomware can significantly reduce downtime. Tictac keeps records on the various hacker groups in order to maximise the safety and effectiveness of negotiations. Moreover, as experts in responding to ransomware incidents, we continually improve on the industry's best practices for data recovery.

How can I prevent Globeimposter and other Ransomware attacks?

  • The most effective means of protection is to keep backups. That is precisely why attackers try to find and encrypt backups to make their attack more damaging. The ideal backup is one that is not connected to the corporate network. It is also important to have a regular backup schedule with strong security procedures around it.
  • Equally important is deploying a next-generation antivirus, which combines classic antivirus with strong ransomware protection, detection and response.
  • A next-generation firewall should also be installed. Such a firewall is also called a Unified Threat Management (UTM) appliance. It adds a layer of security at every entry and exit point of your company's data communication, combining classic network security with intrusion detection, intrusion prevention, gateway antivirus, email filtering and many other features.

Since the attacker monitors the network long before the attack, you could also set up a dedicated traffic monitoring service for your network.

Fortunately, most antivirus products and Windows Defender, the anti-malware application built into Windows, have been updated to detect GlobeImposter variants and block the malware. Although some antivirus products could not detect a number of early GlobeImposter strains, this has since been resolved.

Furthermore, all servers need to be kept at the latest security patch level. Appropriate and regular updating ensures that your version of Microsoft Windows is protected against the latest known weaknesses.

Are there any decryption tools?

Although previous versions of Globeimposter have been decrypted, there is no relevant decryption tool for the latest V2.

What the victim can do is clean up the system. GlobeImposter creates multiple Windows registry entries, creates hidden executable files, and sometimes opens a backdoor through the firewall for further access. By the same logic, the victim should clean the Windows registry, scan for malware and perhaps remove GlobeImposter manually. Depending on the system environment, it is sometimes safer and faster to reinstall the operating system.

Contact Tictac to negotiate with the hackers, since communicating with them is difficult and you undoubtedly need the help of an experienced professional. To help you, we need you to submit an encrypted file as a sample and provide us with information about the ransom note. We will then arrange a meeting in order to:

  • Assess the seriousness of the attack
  • Decide whether the organisation can remain operational
  • Give you the timetable and cost of recovery

In any case, an authorised representative of your company should contact Tictac.

Finally, you should be extremely sceptical about any data retrieval company that claims to be able to decrypt ransomware. They usually just pay the cyber-criminal without informing you and earn the difference between the amount of ransom and the amount they will charge you.