This week, we took a deeper look at Globeimposter ransomware. Let’s start off with a quick look at how CryptoDrop fared against it:
Unsurprisingly, we were able to stop Globeimposter the first time we saw it (just like every other sample we have ever tested). In our experiments, this ransomware was able to encrypt 9 files before CryptoDrop intervened, and we were easily able to get them all back in seconds with Fast Recovery.
Source and Background
Like Scarab before it, Globeimposter is being distributed by the Necurs botnet. If you’re not familiar with Necurs, it is a fairly large botnet that has been the source of significant malicious activity since at least 2012. Between spam and a long history of ransomware, you don’t want to receive anything this botnet might be sending out. IBM has a nice write-up about its history here.
Globeimposter has been seen throughout 2017, but new variants keep popping up regularly in the final months of the year. As such, while traditional anti-virus engines may protect you from the previous variants, they may not yet have seen yesterday’s or today’s samples.
Globeimposter is different than the other strains of ransomware we have discussed so far on the blog. Previous strains have all required a network connection, with most connecting over Tor to a hidden service (a.k.a. “The Dark Web”). The Globeimposter samples we analyzed had no network behavior.
Why is that important? Many available ransomware solutions rely on identifying malicious traffic and dropping it, generally causing the ransomware to stop its operation. Globeimposter easily circumvents such defenses. When the attack completes, victims are provided a “Personal ID” that they must include in their email to the attackers. That ID is then used by the attackers to regenerate the AES-256 key used to encrypt the victim’s data.
Victims also receive the above ransom message, which includes instructions on how to contact the attackers. So what’s different here? The attackers have established a private email account with the service ProtonMail. ProtonMail bills itself as a secure and private alternative to Gmail and other traditional services. Because ProtonMail is located in Switzerland (intentionally outside of US and EU jurisdiction, and allegedly “underneath 1000 meters of solid rock”), legal requests against its accounts must pass through the Swiss court system. Account holders targeted by such requests are alerted and may appeal, thereby delaying any action.
The take-away here is that bad actors may be able to use ProtonMail for long periods of time before legal takedown methods can be applied. In short, you can expect this campaign to run for quite some time.
There is some irony in ProtonMail playing unwitting host to the Globeimposter ransomware campaign. In 2015, ProtonMail was hit by a massive distributed denial of service (DDoS) attack by a group known as the “Armada Collective”. ProtonMail ended up paying the ransom of 15 Bitcoins (worth approximately $6,000 at the time, and over $250k today). The bad news? The DDoS attack didn’t stop after the ransom was paid.
That should serve as a useful reminder when it comes to ransomware: if your strategy includes paying the ransom, you will not necessarily get your data back.
We’d rank Globeimposter as one of the more sophisticated pieces of ransomware we’ve analyzed. The fact that variants keep appearing and that Globeimposter is being pumped out by the Necurs botnet means that this ransomware is likely being regularly updated and maintained. That means that you should expect to see future variants ending up in your inbox or download folder.
Want to stop this and all other variants of Globeimposter? Give CryptoDrop a try. Think of us as your first line of defense against this increasingly nasty and common strain of ransomware. Installing our Free or Fast Recovery editions today could eliminate the massive headache and cost associated with recovering from a ransomware attack.
At CryptoDrop, We Stop Ransomware!