Bitcoin Ransomware Education: GlobeImposter

Computer users the world over now have a new type of crypto ransomware with which to contend. GlobeImposter is a malware type spotted in the wild quite some time ago. However, compared with other types of ransomware, it has not made much of an impact until now. That may change very soon, as a new malvertising campaign has begun actively distributing this payload. 

GlobeImposter Ransomware Is a Pain in the Neck

With so many different types of Bitcoin ransomware to deal with these days, it is virtually impossible to distinguish one threat from another. Victims of the Blank Slate malspam campaign will likely not have even noticed that the group behind the project has changed the ransomware they are distributing. Until a few weeks ago, the campaign mainly distributed a BTCWare ransomware variant going by the name of Aleta. Now, it is actively distributing GlobeImposter payloads.

It is unclear why this change occurred so suddenly, although it probably had to do with the BTCWare master decryption key being released several weeks ago. Like any good entrepreneur, cybercriminals have to keep up with new trends and seize any opportunities that may come their way. GlobeImposter ransomware seems to have been a more desirable payload to distribute compared to Aleta. Regardless of the ideology behind the change, the Blank Slate malspam campaign continues to harass Internet users all over the world without any sign of slowing down.

Some may wonder why this particular malspam campaign is known as Blank Slate. That is not hard to explain, since the emails sent out to users all over the world contain neither a subject nor a body. All users see is an email from an unknown email address contains a .ZIP attachment. Inside this archive is another .ZIP file containing a JavaScript. Executing this script will trigger the GlobeImposter payload download. To help stear clear of malware, never open email attachments from an unknown sender!

The GlobeImposter payload is hosted across multiple platforms. So far, two designated download locations have been identified, although it is certainly possible additional “mirrors” will be created over time. The malicious JavaScript file is pretty straightforward.  Both download locations are obfuscated, but it may be possible to reveal their locations eventually. For now, it is unclear whether or not these servers are hosted on the darknet.

Once a user is infected with the GlobeImposter ransomware, he or she will observe files getting encrypted pretty quickly. That is the trend across all properly developed ransomware strains. The encrypted files will receive the .crypt file extension and require a decryption key to be restored to their original formats. Doing so is much more difficult than some people may think, and there is no free way to decrypt any version of GlobeImposter ransomware at the present time.

Victims are then asked to contact a specific email address and await further instructions. It is unclear how much money has to be paid to get rid of GlobeImposter. That amount may vary depending on the number of files that were encrypted. This is another example of ransomware developers moving away from using centralized command & control servers. This will be making it a lot harder to track down the culprit responsible for this malware.