Globeimposter Ransomware – CryptoDrop’s Analysis

This week, we took a deeper look at Globeimposter ransomware. Let’s start off with a quick look at how CryptoDrop fared against it:

Globeimposter Ransomware

Unsurprisingly, we were able to stop Globeimposter the first time we saw it (just like every other sample we have ever tested). In our experiments, this ransomware was able to encrypt 9 files before CryptoDrop intervened, and we were easily able to get them all back in seconds with Fast Recovery.

Source and Background

Like Scarab before it, Globeimposter is being distributed by the Necurs botnet. If you’re not familiar with Necurs, this is a fairly large botnet that has been the source of significant malicious behavior since at least 2012. Between spam and a long history of ransomware, you don’t want to receive anything this botnet might be sending out. IBM has a nice write-up about its history here.

Globeimposter has been seen during 2017, but new variants are popping up regularly throughout the final months of the year. As such, while traditional anti-virus engines may protect you from the previous variants, they may not yet have seen yesterday’s or today’s samples.

Technical Details

Globeimposter is different than the other strains of ransomware we have discussed so far on the blog. Previous strains have all required a network connection, with most connecting over Tor to a hidden service (a.k.a. “The Dark Web”). The Globeimposter samples we analyzed had no network behavior.

Personal ID generated by Globeimposter (intentionally obscured). Victims must provide this code to the attackers in order to get their data back.

Why is that important? Many available ransomware solutions rely on identifying malicious traffic and dropping it, generally causing the ransomware to stop its operation. Globeimposter easily circumvents such defenses. When the attack completes, victims are provided a “Personal ID” that they must include in their email to the attackers. That ID is then used by the attackers to regenerate the AES-256 key used to encrypt the victim’s data.

Ransom notice from Globeimposter

Victims also receive the above ransom message, which includes instructions on how to contact the attackers. So what’s different here? The attackers have established a private email account with the service ProtonMail. ProtonMail bills itself as a secure and private alternative to Gmail and other traditional services. Located in Switzerland (intentionally outside of US and EU jurisdiction, and allegedly “underneath 1000 meters of solid rock”), legal requests against accounts at ProtonMail must pass through the Swiss court system. Account holders targeted by such requests are alerted and may appeal, thereby delaying any action.

The take-away here is that bad actors may be able to use ProtonMail for long periods of time before legal takedown methods can be applied. In short, you can expect this campaign to run for quite some time.

There is some irony in ProtonMail playing unwitting host to the Globeimposter ransomware campaign. In 2015, ProtonMail was hit by a massive distributed denial of service (DDoS) attack by a group known as the “Armada Collective”. ProtonMail ended up paying the ransom of 15 Bitcoins (worth approximately $6,000 at the time, and over $250k today). The bad news? The DDoS attack didn’t stop after the ransom was paid.

That should serve as a useful reminder when it comes to ransomware: if your strategy includes paying the ransom, you will not necessarily get your data back.

Final Thoughts

We’d rank Globeimposter as one of the more sophisticated pieces of ransomware we’ve analyzed. The fact that variants keep appearing and that Globeimposter is being pumped out by the Necurs botnet means that this ransomware is likely being regularly updated and maintained. That means that you should expect to see future variants ending up in your inbox or download folder.

Want to stop this and all other variants of Globeimposter? Give CryptoDrop a try. Think of us as your first line of defense against this increasingly nasty and common strain of ransomware. Installing our Free or Fast Recovery editions today could eliminate the massive headache and cost associated with recovering from a ransomware attack.

At CryptoDrop, We Stop Ransomware!


How Does Ransomware Infect Your System?

We’ve had a few questions here at CryptoDrop about how we protect your files once ransomware is on your system. The previous blog entry points to an article that we wrote that talks about this in some detail. But a more important question you might have is, how can ransomware infect my computer in the first place?

We’re going to talk about some of the ways this can happen in this article. Ransomware writers are very crafty and use all sorts of techniques to find their way onto your computer. We’ll consider a few approaches, or “attack vectors” as we call them, now.

Infecting You From A Remote Connection

Some ransomware that we have analyzed tries to make connections with services running on your computer. You typically use your computer to connect to others in order to get information, for example through the Web or email. In some other cases though, you might have software running on your computer that allows others to connect to you. For example, you might have a program running that lets you access your computer’s desktop from your work computer, or you might be running a program such as BitTorrent. You may not even know such programs are running.

Some ransomware finds systems that are advertising these remote services and looking for vulnerabilities in them, so that they can attach to your computer and exploit those vulnerabilities to infect your system. In short, ransomware can get on your system without you doing anything but turning on your machine.

Infection Through Attachments

In other cases, you aren’t presenting any remote services to the outside world, but ransomware still finds its way in. This can happen through malicious attachments in your email. You might open a Microsoft Word file, or a PDF document, that contains malicious data. The act of opening the file can cause scripts to run that allow ransomware embedded within these files to infect your computer.

Sometimes the emails can appear to be very legitimate, looking as though they come from someone you know, with personal information about you in order to make them more believable. It only takes one click on those files to start up the ransomware, no matter how honest the file appears to be.

Infection Through Websites

Just like with email, sometimes malicious code can be downloaded to your computer without you realizing it. You might see a web forum posting disguised as helpful information to download a file, and sometimes the fact that you’re downloading something isn’t even clear in the first place. Once the code is on your computer, the ransomware can begin encrypting your information.

Infection Through Devices

Sometimes the infection might not be because of anything that you accessed from your computer, but can be the result of malware being transmitted from something that you received from someone else, such as a USB flash drive. When you plug in the device, that process can cause the malicious code to run and the ransomware to be installed on your system.

Be careful when using USB devices – attackers have been known to drop them in parking lots outside of targets!

How To Protect Yourself

There are ways to minimize your exposure to malicious code. However, it is often the case that information looks completely legitimate and yet contains ransomware. While it is important to be careful about what gets transmitted and run on your computer, it is very difficult to be right all of the time. Even experts get fooled!

Fortunately with CryptoDrop protecting your system, we provide the layer of defense that will stop a ransomware infection whenever it starts running on your machine. We have tested our software against huge numbers of ransomware variants and have never failed to stop them quickly. With our Fast Recovery Edition, we can roll back any changes that ransomware might have made to your files, ensuring that none of your data is lost.

We know how hard it is to defend against all of these threats, so let CryptoDrop be your protection, because at CryptoDrop, We Stop Ransomware.


Soaring Bitcoin and Its Impact on Ransomware

Just about everyone has heard about the soaring price of Bitcoin. The value of this cryptocurrency has risen over 1500% in 2017 (nearly tripling in the last month alone), and its growth shows little hint of slowing.

We’re not taking a position on the value or utility of any cryptocurrency. Ultimately, the market will decide if Bitcoin will continue to grow as a decentralized and un-censorable platform or simply fade away rapidly if/when the bubble pops. That said, we think you have reason to care.

Bitcoin and Ransomware

Like it or not, Bitcoin matters to you today for one main reason: ransomware. It’s the favorite payment platform of ransomware authors because it’s pseudo-anonymous (there are lots of ways to determine identities affiliated with Bitcoin wallets, but we leave that discussion to another day). Unlike traditional payment methods, Bitcoin is also difficult to block. While law enforcement and traditional financial institutions long worked together to stop payments to criminal operations, such cooperation has had little success in the cryptocurrency ecosystem.

Bitcoin is not the only cryptocurrency ever used by ransomware. CryptoLocker used LiteCoin through at least 2015. CradleCore (a “Ransomware-as-a-Service” platform) has built-in support for Ethereum and Monero. There’s no technical reason why any of these “alt-coins” can’t be used for ransom payments.

So why is Bitcoin king of cryptocurrencies for ransomware payments? Two reasons: First, Bitcoin is a brand, just as much as Visa, Mastercard or Western Union. Granted, Bitcoin isn’t owned by any single centralized entity, but ransomware authors benefit from regular people knowing about this particular payment platform. If ransomware victims have faith that Bitcoin is a reliable means of getting funds to their attackers (and ultimately getting their data back), payments are more likely to be made. Second, with the price of Bitcoin skyrocketing, a payment of $1000 today may be worth far more in a month. That means that every Bitcoin paid to the attackers is likely to be worth far more when they eventually decide to cash out. Imagine if your bank account accumulated interest at the same pace as the price of Bitcoin has surged!

The Problem with Success

The skyrocketing price of Bitcoin may not actually be a benefit to the ransomware ecosystem. To understand why, let’s start with a look at the Bitcoin Mempool over the past few days.

Johoe’s Mempool Statistics:

If you’re not familiar, the Mempool is basically the waiting area for Bitcoin transactions. All unconfirmed transactions wait here until a miner decides to include them in a block (which is ultimately included in the public ledger or “blockchain”). All that talk about Bitcoin in the past few days has dramatically increased transaction volume, and the graph above shows between 100k and 225k transactions waiting to be made official.

Is this normal? Let’s take a more historical perspective:

Johoe’s Mempool Statistics:

The three-month view shows us that volume is exceptionally high at the moment; however, there is no reason to believe that we have not reached a new normal. The trend-line continues moving upwards.

Ok, so Bitcoin is being exchanged more often. So what?


This graph shows the average confirmation time for Bitcoin transactions over the past month. The most critical points in this graph are the spikes up around 1,200 minutes. That’s 20 hours. Remember, too, that this is an average, meaning that larger transactions tend to be serviced in the Mempool more quickly, whereas those for just a few hundred dollars (i.e., fractions of a Bitcoin) may languish for much longer.

That is one busted clock… goodbye, decryption keys…

Most ransomware has a hard deadline of 24 hours before the bad guys delete the decryption keys. That means that even if you are sitting at your computer when the attack happens and immediately decide to pay the ransom, you may not be able to pay the attackers in time to get your data back. Hesitation essentially ensures that your transaction won’t be confirmed before the deadline. While many things paid for in cryptocurrencies don’t necessarily need to be settled immediately, the ticking clock that is ransomware puts pressure on the need for near-to-real-time transactions.

Disruption in the payment ecosystem means there’s an increased risk of disruption in the ransomware ecosystem.

What Can We Expect?

The only constant here is change. At the moment, ransomware authors have three main options:

  1. Extended Deadlines: It’s possible that ransomware authors collectively decide to give their victims 48 hours instead. However, if Bitcoin continues to grow in popularity as we have seen over the past year, transaction throughput will easily become a choke-point again. We think this approach is plausible but unlikely because extended time decreases the “impulse effect”. That is, victims are potentially less likely to pay the ransom because they have time to think about their decision (and potentially find copies of some of their data).
  2. Switching to Alt-Coins: Alternatively, ransomware authors could start using alt-coins (e.g., LiteCoin, Ethereum, Zcash, etc). This response is also risky, given the loss of both the surging price (although some others are also increasing) and loss of brand recognition.
  3. Raising Ransoms (via transaction fees): Finally, ransomware authors may simply raise their prices (if only via telling victims to pay transaction fees at an increasingly high rate) to ensure that their transactions are chosen more quickly in the Mempool. The risk here is that paying the ransom becomes entirely unreasonable in the eyes of victims, reducing the overall payout received by the bad guys.

We certainly don’t expect ransomware authors to quit simply because of volatility in their preferred payment platform. We also want to remind you that even when payments are handled swiftly, paying a ransom provides no guarantee of getting your files back. However, we’ll be watching to see how they react.

Final Thoughts

Regardless of your opinions on the long-term success of cryptocurrencies, you have to pay attention to this space. Payment platforms are tremendous influencers of traditional businesses – think about how few people in the United States go into gas stations since the near universal deployment of pay-at-the-pump. There’s no reason to believe that cryptocurrencies won’t continue to impact how ransomware authors operate.

The best way to ensure that the rapidly fluctuating Bitcoin ecosystem doesn’t impact your decision or ability to pay ransom is to take steps to never have to pay it. Protect your data. Grab a free copy of CryptoDrop today, and consider using our Fast Recovery Edition to get your files back in seconds.

We Stop Ransomware


LockCrypt and the Attack on Mecklenburg County, NC

Some of you have heard about yesterday’s ransomware attack in Mecklenburg County, North Carolina (a municipality in the Southeastern United States). LockCrypt, a variant that is believed to have evolved out of the Satan ransomware, is responsible. You can read more in the headlines here (International Business Times) and here (USA Today), but the attackers are demanding 2 Bitcoins for the files to be decrypted (which is approximately $26,000 at the time of this article). County administrators have not yet ruled out paying the ransom.

So why is this one worth writing about? LockCrypt is nasty, and quite sophisticated. This one is likely to continue doing damage for quite some time to come.

Let’s cover the standard set of technical details first. LockCrypt creates a unique AES-256 encryption/decryption key for every victim. This key is tracked by assigning a unique ID number. That means that even if you or a colleague pay to decrypt files on one machine, you can’t use those keys to decrypt files on another machine. Early strains of ransomware often did not take this step, which is how the community was able to make so many decryptors early on. The bad news here is that if you find your files encrypted by LockCrypt, you’re unlikely to be able to get help cracking that encryption.

How do you get your files back if you pay? LockCrypt sends the AES-256 key associated with your ID to a server. If you decide to pay the ransom, you provide the ID and the attackers will allegedly give you back the right key and a means of using it (a “decryptor” program). Based on the IP address, the server appears to be located in Tehran, Iran; however, as we always caution our readers, that does not necessarily mean that the attackers are located there. Instead, they may simply have attacked and compromised a machine in that location, making it very difficult to determine who and where they actually are.

LockCrypt appears to spread largely via the Remote Desktop Protocol (RDP), which means that if you have one machine that is vulnerable, you likely have many. The attackers behind LockCrypt appear to be attempting to “brute force” their way into machines, which is just a technical term for “scan the entire Internet and see which unprotected machines let them execute their ransomware”. However, USA Today claims that this particular infection arrived via email, and a single user opening this malicious attachment appears to have been enough for LockCrypt to spread throughout the entire organization (~50 machines appear to have been infected).

LockCrypt is Nasty

All of this is bad enough, but it’s what comes next that makes LockCrypt really nasty. LockCrypt attempts to attack your defenses. Running anti-virus software? LockCrypt tries to kill it. Only after LockCrypt has gutted your defenses does it try to encrypt your files. Here’s a copy of the ransom note victims receive (with the ID changed):

LockCrypt Ransom Note

Ok – so how did CryptoDrop fare against LockCrypt? Not a single file was encrypted. Why? While LockCrypt attempts to kill lots of non-Windows processes, we built extra defenses into CryptoDrop to make it difficult to turn off our software. While we did this in the early phases of our design process, it was done precisely for days like this. Even with administrative access, LockCrypt simply does nothing to your files if CryptoDrop is installed.

Task Manager

County operations in Mecklenburg, North Carolina are likely to be severely disrupted over the coming days. Even if the county managed not to lose any data, the cost of rebuilding their infrastructure will be significant in both time and dollars. What city or business has the time and resources to drop all of their regular tasks for an unplanned rebuild of their IT infrastructure?

It’s not enough to hope that the bad guys won’t hit you – LockCrypt is out there actively scanning for you. And it’s not the only one. The bad guys are writing increasingly sophisticated ransomware, and protecting yourself before they hit is absolutely critical.

CryptoDrop has stopped every sample of ransomware we’ve ever seen, and has done so the first time we’ve seen it. Our patent-pending approach is fundamentally different from what traditional anti-virus software provides. Best of all, you can try it for free. Help protect your data, and help our start-up bring game-changing technology to the fight against ransomware.

We’re CryptoDrop. We Stop Ransomware.



Halloware – A Deeper Dive

A new strain of ransomware popped up over the weekend: Halloware. We’ve been watching it for a few days to give you the scoop on what it does and how it operates. Let’s get to the most important point quickly:

CryptoDrop stopped this one the first time we saw it, just like we have every piece of ransomware we’ve ever seen. Halloware was able to encrypt 13 files before we stopped it, but our Fast Recovery edition restored them in under one second.

Now let’s talk details. Halloware is a little different in that it is basically “ransomware as a service”. For $40, the author (“Luc1F3R”) will provide you with your own ransomware that allows you to [sic] “Create Your Own Ransomware Without Any Knowledge About Coding”. It also claims to “Bypass Every Anti Virus”, but it was certainly no match for CryptoDrop.


Halloware attempts to make a network connection to a server located in Utah. It’s extremely unlikely that the author of this particular piece of ransomware is actually located in the United States – Bleeping Computer guesses that Luc1F3R is likely based in India based on his/her GitHub account information. While this site had more content a few days ago, it appears to be dead now. However, before that happened, we were able to get to the next step of the ransom process.

Unsurprisingly, Halloware attempts to direct victims to a Tor Hidden Service (a.k.a. the “dark web”) to recover their files. The price of getting the decryption key is $150, and the attacker wants that payment in Bitcoin.

The image above is fairly informative about the quality of this particular piece of ransomware: from the missing image to the broken payment link, this is not a well put-together operation. In fact, there’s probably a reason that Luc1F3R is only selling copies for $40 – Halloware crashes frequently.

At the time we put this article together, it doesn’t actually appear to be possible to get your data back from this campaign. The ransom message no longer appears on any of the systems we tested. That means without CryptoDrop, you might be completely out of luck.

We don’t want to help the authors of this ransomware with any tips, but it appears as if our testing was far more extensive than theirs. Halloware can certainly encrypt files on many systems, but its stability varies greatly. Just as the website hints, it is unlikely that these folks are professional software engineers. That doesn’t mean that it won’t get better with time or that you shouldn’t protect yourself now.

Time will tell if Halloware becomes a real threat. But there’s no need to wait and see – CryptoDrop stops Halloware without any issue. We’ve stopped WannaCry, Scarab, Cerber, and the list goes on and on.

Give us a shot – before the Halloware team gets their act together.

Join us – We Stop Ransomware


Making sense of the ransomware mess (and planning a sensible path forward)

If you ever needed proof that traditional antivirus was no match for ransomware, look no further than WannaCry.

IEEE article

We wrote an article for IEEE Potentials Magazine about ransomware, and why traditional techniques often fail to stop its spread. Learn more about how traditional anti-virus works, why backups alone aren’t a silver bullet and what you can do to stop its spread.

Read the article

Things We’re Not Thankful For: The Return of Scarab

Happy (Day After) Thanksgiving, Everyone! No rest for the folks at CryptoDrop, especially when hackers aren’t taking a day off, either.

Multiple websites (including ours) are reporting a resurgence by Scarab ransomware. This most recent campaign seems to be largely driven by the Necurs botnet, which is delivering Scarab to unsuspecting users via an aggressive spam campaign.

Let’s start with some good news for our users. We grabbed a sample of Scarab and placed it on a machine running CryptoDrop. This is highly aggressive ransomware, spawning multiple processes and automatically running. No problem for us though – CryptoDrop detected and stopped Scarab before it could encrypt a single file.

Scarab detected by CryptoDrop

The ransomware created a threatening text file on our desktop, informing us that our files had been encrypted. However, it didn’t manage to actually encrypt or delete any files before doing that, making the threat entirely empty. Thanks, guys – we have no intention of paying you.

Here’s why this is all so important – CryptoDrop doesn’t require a signature like traditional anti-virus products. Our techniques were able to stop Scarab the first time that we saw it. This is why we are different.

One last piece of insight – Scarab reaches out to a command and control infrastructure, basically to let them know that infection has happened. We watched these messages be exchanged with a machine located in southern Germany. That doesn’t mean that the campaign is German, but much more likely that a machine located there was compromised by a botnet and used to make it difficult to track down the real attackers.

That’s a good reminder for everyone that attackers don’t need to be close by – your machine can be reached by the bad guys, wherever they happen to be.

Want to stop Scarab and every other piece of ransomware that happens to come along? Download CryptoDrop today for free, and consider trying our Fast Recovery Edition! We Stop Ransomware.


Why You Should Trust CryptoDrop – The Importance of External Validation

CryptoDrop offers best-in-class protection against ransomware and, because of its unique, patent-pending design, detects threats to your data and recovers your important files in ways that assure your precious information stays safe. This is a bold claim to make, and you may be asking yourself “Why should I believe CryptoDrop is as robust as you say?” and “How do I know CryptoDrop is safe to use?”

In this article, we are going to discuss what we’ve done to try to earn your trust in three ways: the open peer review of the research that went into CryptoDrop, the authenticity of CryptoDrop as an organization as recognized by Microsoft, and the independent evaluation of CryptoDrop. We’ll also talk about why it is important to have all of these external markers of validation and what they mean for you as a user.

Trust Fall

CryptoDrop Comes From Peer-Reviewed Research

What makes CryptoDrop unique from all other ransomware solutions is that it comes out of world-leading research performed at the University of Florida. The ideas behind CryptoDrop were vetted by external peer reviews and selected for publication at the 2016 IEEE International Conference on Distributed Computing Systems (ICDCS). What does this mean? The research was examined by experts in computer systems and security from around the world. This was a double-blind process, meaning that not only are the reviewers anonymous to us as authors, but our identity is also anonymous to the reviewers. The double-blind process ensures that the scientific process is completely fair, as the work is judged solely on its quality, not based on any relationships authors and reviewers might have with each other, and is considered the gold standard of scientific evaluation. Additionally, the ICDCS conference is highly selective, accepting less than 20% of submitted research papers from university and industry research groups around the world. By passing through this extremely rigorous review process, the research behind CryptoDrop has been considered amongst the world’s finest work in distributed computing and declared to be innovative and compelling research by scientific peer review. This is the core of what makes CryptoDrop fundamentally different and uniquely capable of defending against ransomware.

Vetted by Microsoft Authenticode

Doing research is one thing, but turning that research into a commercial product is another process altogether. How can you have confidence in CryptoDrop as a company? Ensuring that you as a user can be confident that we are trustworthy is very important to us. To demonstrate our integrity as a company, we have been approved as a trusted vendor through Microsoft’s Authenticode program. Authenticode provides you with assurance that we at CryptoDrop were the ones who actually created the code that you are running, and that the code has not been altered or tampered with in any way. The CryptoDrop program is digitally signed by DigiCert, a member of the Microsoft Trusted Root Certificate Program. This is your guarantee that the code you run is trustworthy.
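The Authenticode assurance described above is only as good as the check the user actually performs, so here is an added example (not CryptoDrop’s code) of verifying an installer before running it. The file path, the expected signer subject and the issuer pattern are placeholders you fill in from the vendor’s published details; a “Valid” status alone is not enough, because any validly signed file from any publisher reports “Valid”.

```powershell
# Added example, not CryptoDrop's own code. Verifies that a downloaded
# installer carries a valid Authenticode signature from the publisher you
# expect, chained to a trusted root, with the code-signing usage and a
# revocation check. Paths and name patterns are placeholders.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSubjectPattern,  # e.g. 'CN=<vendor name>'
        [string] $ExpectedIssuerPattern = 'DigiCert'              # CA named on this page
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = 'File not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the file hash matches the signature and the chain ends at a
    # root Windows trusts. 'NotSigned', 'HashMismatch' and 'UnknownError' all fail.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "Signature status: $($sig.Status)" }
    }

    $cert = $sig.SignerCertificate

    # A valid signature from the wrong publisher is the classic counterfeit case,
    # so pin the subject and issuer rather than trusting 'Valid' on its own.
    if ($cert.Subject -notmatch $ExpectedSubjectPattern) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "Unexpected signer: $($cert.Subject)" }
    }
    if ($cert.Issuer -notmatch $ExpectedIssuerPattern) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "Unexpected issuer: $($cert.Issuer)" }
    }

    # Rebuild the chain explicitly with online revocation checking and require
    # the Code Signing extended key usage (OID 1.3.6.1.5.5.7.3.3).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.3'))
    $chainOk = $chain.Build($cert)
    $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '

    [pscustomobject]@{
        Path       = $Path
        Ok         = $chainOk
        Reason     = if ($chainOk) { 'Signature, publisher and chain verified' } else { "Chain error: $chainErrors" }
        Signer     = $cert.Subject
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
    }
}

# Usage with placeholder values; substitute the real download path and the
# subject string the vendor publishes for its signing certificate.
Test-InstallerSignature -Path 'C:\Downloads\installer.exe' -ExpectedSubjectPattern 'CN=<vendor name>'
```

If the result reports Ok = $false, do not run the file; compare the Thumbprint against one the vendor publishes out of band before deciding the download is genuine.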

Fully Tested Through Independent Evaluation

We wanted to ensure that as users, you have the assurance that CryptoDrop is effective at stopping ransomware. This is why we encourage you to download a copy and try it for yourself. We have also extensively tested the program internally and run two beta programs to ensure that we cover a large range of use cases. We also subjected CryptoDrop to the ransim ransomware simulator by KnowBe4, which generates synthetic samples of ransomware. CryptoDrop easily stopped all of these samples from running and detected their presence quickly.


But we know that as a potential customer, you would want to see what experts in evaluating anti-malware programs would have to say. This is why we reached out to AV-Test, an internationally renowned company based in Germany and known for their expertise in evaluating anti-malware products. Importantly, AV-Test is completely independent: they evaluate the software against their rigorous testing routines and report all results, good or bad, that they find.

We are delighted to report that CryptoDrop performs spectacularly well against all of AV-Test’s routines. To provide full transparency for you, the user and potential customer, we have linked to the AV-Test report about CryptoDrop. The results are excellent: CryptoDrop detects every ransomware sample that AV-Test used, including samples that we had never seen before that are proprietary to them, running in their own environment with independent testers. CryptoDrop detects ransomware fast, in less than 5 seconds in many cases. And with our Fast Recovery feature, every file affected by ransomware could be easily recovered (in the report, the claim is one file failed to recover; this was apparently from a directory not configured to be protected by CryptoDrop). See the results for yourself!

We hope that this guide to the importance of external validation helps to demonstrate why CryptoDrop is the best anti-ransomware solution available on the market and why you can trust us. Please get in touch if you have any questions – we love to talk about how at CryptoDrop, We Stop Ransomware.