Written By: SecureLink Cyber Defence Center
A new strain of GlobeImposter ransomware has been observed, and it is most likely distributed by email. The malicious code is compressed into a zip archive and sent to the end user. Once the code is executed, the payload is fetched from one of several domains and starts encrypting files on the victim's endpoint. Logs and Windows restore points (shadow copies) are deleted, which makes a restoration attempt much more difficult. Once the files have been encrypted, the victim is asked to pay a ransom of 0.3 bitcoin (around $1000 at the time of writing) to obtain the key needed to decrypt them. The ransom must be paid within 48 hours or the fee is doubled.
A simple .bat script generated by the payload is used to clean up the machine before and after encryption starts: RDP connection history, Windows shadow copies and event logs are removed from the infected endpoint. The extension ".726" is added to every encrypted file, and a ransom note named "RECOVER-FILES-726.html", describing how to obtain the decryption key, is written to every directory that contains encrypted files. The note gives the victim 48 hours to pay 0.3 bitcoin (around $1000); if the ransom is not paid within those 48 hours, the fee is doubled. The victim can send one file to the criminals for decryption as proof that decryption works.
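To turn the file-system artifacts described above (the ".726" extension and the RECOVER-FILES-726.html note) into a triage check for responders, here is an added Python example; it is not part of the original advisory. It walks a directory tree, counts encrypted files per directory, flags directories where files were encrypted but no note was written (a sign that the encryption run was interrupted there), and takes the earliest modification time of the encrypted files as an estimate of when encryption started, which is what you need to reason about the 48-hour deadline and to correlate with mail and proxy logs. The sample directory layout is constructed in a temporary directory and is not real victim data, and the assumption that an encrypted file keeps its original name with ".726" appended (e.g. report.docx.726) is the example author's reading of "the extension is added", not something the advisory states in those words.

```python
"""Triage helper for the GlobeImposter ".726" variant described above.

Added example (not from the original advisory): walks a directory tree,
collects files carrying the ".726" extension and the "RECOVER-FILES-726.html"
ransom note, and reports, per directory, how many files were encrypted, whether
the note is present, and the earliest modification time of the encrypted files
(an estimate of when encryption started). The sample tree is constructed in a
temporary directory so the script runs offline.
"""
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone

ENCRYPTED_EXT = ".726"
RANSOM_NOTE = "RECOVER-FILES-726.html"


@dataclass
class DirReport:
    encrypted: list = field(default_factory=list)  # full paths of .726 files
    note_present: bool = False


def is_encrypted(name: str) -> bool:
    """True for names such as 'report.docx.726' (assumed: original name kept, .726 appended)."""
    return name.lower().endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT)


def original_name(name: str) -> str:
    """Strip the appended extension to recover the pre-encryption filename."""
    return name[:-len(ENCRYPTED_EXT)] if is_encrypted(name) else name


def scan_tree(root: str) -> dict:
    """Return {directory: DirReport} for every directory holding evidence of the infection."""
    reports = {}
    for dirpath, _dirs, files in os.walk(root):
        rep = DirReport()
        for f in files:
            if f == RANSOM_NOTE:
                rep.note_present = True
            elif is_encrypted(f):
                rep.encrypted.append(os.path.join(dirpath, f))
        if rep.encrypted or rep.note_present:
            reports[dirpath] = rep
    return reports


def summarize(reports: dict) -> dict:
    """Aggregate counts and the earliest mtime among encrypted files (UTC ISO string or None)."""
    encrypted = [p for r in reports.values() for p in r.encrypted]
    missing_note = [d for d, r in reports.items() if r.encrypted and not r.note_present]
    earliest = None
    if encrypted:
        ts = min(os.path.getmtime(p) for p in encrypted)
        earliest = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return {
        "dirs_hit": len(reports),
        "files_encrypted": len(encrypted),
        "dirs_missing_note": missing_note,  # encryption may have been interrupted here
        "earliest_encrypted_mtime": earliest,
    }


def build_sample_tree() -> str:
    """Construct a small fake victim tree (sample data for the example, not real artifacts)."""
    root = tempfile.mkdtemp(prefix="globeimposter_")
    layout = {
        "docs": ["report.docx.726", "budget.xlsx.726", RANSOM_NOTE],
        "docs/old": ["notes.txt.726", RANSOM_NOTE],
        "photos": ["holiday.jpg.726"],  # note missing: encryption interrupted
        "clean": ["readme.txt"],        # untouched directory, must not be reported
    }
    for rel, names in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("x")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    reports = scan_tree(root)
    print(summarize(reports))
    for path in sorted(p for r in reports.values() for p in r.encrypted):
        print(original_name(os.path.basename(path)), "<-", path)
```

On a real case, point scan_tree at the user's profile or a file share instead of the constructed tree; the list of original names is also what you hand to the backup team to scope the restore once shadow copies have been wiped.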
Indicators of Compromise
The following indicators of compromise (IOC) have been identified in this campaign.
- 85.235.131[.]55 HTTP 309 GET /hg65fyJHG??sJBLmSYWLW=sJBLmSYWLW
- 185.81.1[.]156 HTTP 288 GET /hg65fyJHG??JnqxSiUgE=JnqxSiUgE
- 91.214.114[.]209 HTTP 295 GET /af/hg65fyJHG?JnqxSiUgE=JnqxSiUgE
The payload hosts will most likely not stay active for long, but the addresses above should be blocked immediately to avoid infection. Note that all three requests share the path component "hg65fyJHG", so that string is a useful detection pattern in proxy logs even after the IP addresses change. Compressed archives (.zip) and JavaScript (.js) files should not be allowed to reach end users within the organization; this can be enforced with an attachment filtering rule on the Exchange server.
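As an added example that is not part of the original advisory, the Python below parses the three IOC lines above into IP addresses and request paths, checks constructed proxy log lines against them, and produces a deny-list for a firewall or proxy. The log format (Squid native access.log) and the sample log lines are assumptions made for the example, not captured traffic; the matching treats the path component "hg65fyJHG", which all three observed requests share, as an indicator in its own right, on the reasoning that the hosting addresses are expected to rotate while the URL structure of the campaign may not.

```python
"""IOC matching for the GlobeImposter campaign above.

Added example (not from the original advisory): the three published IOC lines
are parsed into (ip, path) pairs, and constructed proxy log lines (Squid native
access.log format, assumed for this example) are checked against them. A hit on
either the IP or the shared "/hg65fyJHG" path is reported, because the IPs are
expected to change while the path was stable across all three observations.
The block also emits a /32 blocklist ready for a firewall deny rule.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# IOCs copied from the advisory, defanged with [.] as published.
IOC_LINES = [
    "85.235.131[.]55 HTTP 309 GET /hg65fyJHG??sJBLmSYWLW=sJBLmSYWLW",
    "185.81.1[.]156 HTTP 288 GET /hg65fyJHG??JnqxSiUgE=JnqxSiUgE",
    "91.214.114[.]209 HTTP 295 GET /af/hg65fyJHG?JnqxSiUgE=JnqxSiUgE",
]
PAYLOAD_PATH = "hg65fyJHG"  # path component common to all three requests

# ip, protocol, length, method and URI; tolerates "GET/..." as well as "GET /..."
IOC_RE = re.compile(r"^(?P<ip>\S+)\s+HTTP\s+\d+\s+GET\s*(?P<uri>\S+)$")


def refang(ip: str) -> str:
    return ip.replace("[.]", ".")


def parse_iocs(lines):
    """Return (set of IPs, set of URI paths without query strings)."""
    ips, paths = set(), set()
    for line in lines:
        m = IOC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised IOC line: {line!r}")
        ips.add(refang(m.group("ip")))
        paths.add(m.group("uri").split("?", 1)[0])
    return ips, paths


# Squid native log: time elapsed client code/status bytes method URL user hierarchy/host type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+/(?P<dst>\S+)\s+\S+$"
)


def match_log(lines, ips, paths):
    """Return (client, dst_ip, url, reason) tuples for lines touching the campaign infrastructure."""
    hits = []
    for line in lines:
        m = SQUID_RE.match(line.strip())
        if not m:
            continue  # unparseable line; in production, count these rather than drop silently
        url, dst = m.group("url"), m.group("dst")
        path = urlsplit(url).path  # query string (everything after the first '?') is ignored
        reasons = []
        if dst in ips:
            reasons.append("ioc-ip")
        if path in paths or PAYLOAD_PATH in path:
            reasons.append("ioc-path")
        if reasons:
            hits.append((m.group("client"), dst, url, "+".join(reasons)))
    return hits


def blocklist(ips):
    """/32 entries sorted numerically, ready for a firewall or proxy deny list."""
    return [str(ipaddress.ip_network(ip)) for ip in sorted(ips, key=ipaddress.ip_address)]


# Constructed sample log lines for the example (not real traffic); the second line
# uses a documentation address (203.0.113.9) to model the payload moving to a new host.
SAMPLE_LOG = [
    "1501234567.123    412 10.0.0.15 TCP_MISS/200 5120 GET http://85.235.131.55/hg65fyJHG??sJBLmSYWLW=sJBLmSYWLW - HIER_DIRECT/85.235.131.55 application/octet-stream",
    "1501234570.456    300 10.0.0.22 TCP_MISS/200 4800 GET http://203.0.113.9/af/hg65fyJHG?JnqxSiUgE=JnqxSiUgE - HIER_DIRECT/203.0.113.9 application/octet-stream",
    "1501234575.789     20 10.0.0.15 TCP_MISS/200 2048 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html",
]

if __name__ == "__main__":
    ips, paths = parse_iocs(IOC_LINES)
    for hit in match_log(SAMPLE_LOG, ips, paths):
        print(*hit)
    print("\n".join(blocklist(ips)))
```

Run it against a real access.log by feeding the file's lines to match_log in place of SAMPLE_LOG. A hit tagged "ioc-path" only, as the second sample line shows, is exactly the case a pure IP blocklist would miss, and the client address in each hit is the endpoint to pull for the triage above.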