Alert: GlobeImposter Ransomware Breaks Out Again!

Sangfor Elsa Posted 24 Aug 2018 11:16

Last edited by Sangfor Elsa 24 Aug 2018 11:18.

The Sangfor Security Team recently found that a number of customers had been attacked by a particular type of ransomware. Analysis shows that the malicious file is a new variant of the GlobeImposter 1.0 ransomware.

GlobeImposter 1.0 ransomware first appeared in May 2017 and spread via phishing emails. Its variants were quickly detected and the files they encrypted could be decrypted. In February 2018, GlobeImposter 2.0 ransomware attacks broke out in major hospitals, using a range of attack methods and spreading via social engineering, RDP brute-force and bundled malware. Its constantly changing file extensions make it particularly difficult to detect: the earliest encrypted files carried the extensions .TECHNO, .DOC, .CHAK, .FREEMAN and .TRUE, while the most recent ones carry .FREEMAN, ALC0, ALC02, ALC03 and .RESERVE.

The most recent variants of the GlobeImposter 2.0 family use an RSA-2048 algorithm, and so far no tool is capable of decrypting the files they encrypt, which are appended with the .RESERVE extension.

[Image 1.png not reproduced]

GlobeImposter 2.0 drops an HTML file named "how_to_back_files" in each affected directory; the file contains the victim ID and the attacker's contact information.

[Image 2.png not reproduced]

Sample Analysis

This ransomware is a Win32 executable (.exe) that was compiled on 3 April 2018.
When a victim runs the program, it copies itself to the %LOCALAPPDATA% or %APPDATA% directory and deletes the original file.

[Image 3.jpg not reproduced]
[Image 4.0.png not reproduced]

Registry

After copying itself to the %LOCALAPPDATA% or %APPDATA% directory, the ransomware adds itself to the registry under:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck

This lets it run automatically whenever the compromised computer starts up or restarts.
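As an added example (not code from the Sangfor post or its author), the following Python helper checks an offline host snapshot against the indicators described so far: files carrying the .RESERVE extension, the "how_to_back_files" HTML note, and a RunOnce value named BrowserUpdateCheck that points at an executable under %LOCALAPPDATA% or %APPDATA%. The snapshot, file names and registry values are constructed for illustration; the AppData-based check on other Run/RunOnce entries is a generalisation of the self-copy behaviour and is not something the post states.

```python
"""Added example: triage a host snapshot against the GlobeImposter
indicators named in the post. Not code from Sangfor or the post;
the snapshot below is constructed for illustration."""
import ntpath
import re
from dataclasses import dataclass

# Indicators taken from the advisory text.
ENCRYPTED_EXT = ".reserve"                # appended to encrypted files
RANSOM_NOTE_STEM = "how_to_back_files"     # HTML note dropped per directory
PERSISTENCE_VALUE = "browserupdatecheck"   # RunOnce value name

# %LOCALAPPDATA% and %APPDATA% both expand under <profile>\AppData\.
_APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # encrypted_file | ransom_note | persistence_named | persistence_appdata
    detail: str  # the path or registry value that triggered it


def check_files(paths):
    """Flag encrypted files and ransom notes in a list of full file paths."""
    findings = []
    for path in paths:
        stem, ext = ntpath.splitext(ntpath.basename(path))
        if ext.lower() == ENCRYPTED_EXT:
            findings.append(Finding("encrypted_file", path))
        elif stem.lower() == RANSOM_NOTE_STEM and ext.lower() in (".html", ".htm"):
            findings.append(Finding("ransom_note", path))
    return findings


def check_autoruns(values):
    """values maps a full Run/RunOnce value path (key\\name) to its command.

    The named BrowserUpdateCheck value is flagged outright. Any other
    Run/RunOnce command launched from AppData is flagged as well, because
    the self-copy location is a more stable indicator than a value name
    that can change between variants (assumption, not stated by the post)."""
    findings = []
    for value_path, command in values.items():
        name = value_path.rsplit("\\", 1)[-1].lower()
        if name == PERSISTENCE_VALUE:
            findings.append(Finding("persistence_named", f"{value_path} -> {command}"))
        elif _APPDATA_RE.search(command):
            findings.append(Finding("persistence_appdata", f"{value_path} -> {command}"))
    return findings


def triage(snapshot):
    """Combine both checks into a verdict: clean, suspicious or likely-globeimposter."""
    findings = check_files(snapshot.get("files", [])) + check_autoruns(snapshot.get("autoruns", {}))
    kinds = {f.kind for f in findings}
    encryption_seen = bool(kinds & {"encrypted_file", "ransom_note"})
    persistence_seen = bool(kinds & {"persistence_named", "persistence_appdata"})
    if encryption_seen and persistence_seen:
        verdict = "likely-globeimposter"
    elif kinds:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, findings


# Constructed snapshot: not taken from a real host or from the post.
SAMPLE_SNAPSHOT = {
    "files": [
        r"C:\Users\alice\Documents\budget.xlsx.RESERVE",
        r"C:\Users\alice\Documents\how_to_back_files.html",
        r"C:\Users\alice\Documents\notes.txt",
    ],
    "autoruns": {
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck":
            r"C:\Users\alice\AppData\Local\svchosts.exe",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
            r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    },
}

if __name__ == "__main__":
    verdict, findings = triage(SAMPLE_SNAPSHOT)
    print(verdict)  # likely-globeimposter for the constructed snapshot
    for f in findings:
        print(f"  [{f.kind}] {f.detail}")
```

The verdict only reaches "likely-globeimposter" when encryption artefacts and a persistence entry appear together; a lone AppData autorun or a single .RESERVE file is reported as "suspicious" so the analyst still sees it without the tool over-claiming.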

[Image 4.png not reproduced]

Encrypted Objects

GlobeImposter 2.0 encrypts three types of disk: removable disks, hard disks and cloud disks.

[Image 5.jpg not reproduced]

It skips some files during encryption so that the compromised system keeps running. The following are the folders to be encrypted:

[Image 6.jpg not reproduced]

Encryption Method

GlobeImposter 2.0 generates a private key based on the RSA algorithm and encrypts files with a hard-coded public key. After encryption, the ciphertext is converted to ASCII text, which is then written to the paths given by the %PUBLIC% or %ALLUSERSPROFILE% environment variables. The generated private key, together with the ID information, appears as follows:

[Image 7.png not reproduced]

GlobeImposter 2.0 encrypts files with the RSA algorithm: a set of 128-bit key pairs is generated randomly with CryptGenRandom, then a private key corresponding to the hard-coded 256-bit public key is derived, and finally a victim ID is generated. The ransomware then encrypts the target folders and appends its extension to the encrypted files. The file containing the victim ID is written to the encrypted folder as shown below:

[Image 8.jpg not reproduced]

Latent Behaviors

The ransomware decrypts batch (.bat) files, stores them in a temporary folder and runs the following script:

[Image 9.png not reproduced]

Bat script functions:
1. Delete disk volume shadow copies
2. Delete remote desktop connection information
3. Delete logs
GlobeImposter 2.0 occasionally fails to delete the logs because of syntax errors in the script.
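As an added example (not code from the Sangfor post or its author), the Python below classifies process command lines against the three clean-up behaviours listed above. The command patterns are the usual Windows tooling for each behaviour and are an assumption, since the post's own script is only shown as an image; the sample command lines are constructed. Because the post notes that the log deletion sometimes fails on a syntax error, the matching is done on the command text rather than on whether the command succeeded, so an attempt is still reported.

```python
"""Added example: classify process command lines against the three
clean-up behaviours the post attributes to the dropped batch script.
Not code from Sangfor or the post; the command patterns are the usual
Windows tooling for each behaviour (an assumption, since the post's own
script is only shown as an image) and the sample lines are constructed."""
import re

# Each behaviour maps to the command patterns that typically implement it.
BEHAVIOURS = {
    "delete_shadow_copies": [
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
        re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    ],
    "delete_rdp_history": [
        # MRU list and saved servers live under HKCU\...\Terminal Server Client;
        # the last-used connection file is %USERPROFILE%\Documents\Default.rdp.
        re.compile(r"\breg(\.exe)?\s+delete\b.*\\Terminal Server Client\\", re.I),
        re.compile(r"\bdel\b.*\\Default\.rdp\b", re.I),
    ],
    "clear_event_logs": [
        re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b", re.I),
    ],
}


def classify(command_line):
    """Return the sorted behaviour labels that one command line matches."""
    return sorted(label for label, patterns in BEHAVIOURS.items()
                  if any(p.search(command_line) for p in patterns))


def scan(command_lines):
    """Group matching command lines by behaviour; an empty dict means nothing seen.

    Matching is done on the command text, not on whether it succeeded: the
    post notes the script sometimes fails to clear logs because of syntax
    errors, and an attempt is still worth an alert."""
    hits = {}
    for line in command_lines:
        for label in classify(line):
            hits.setdefault(label, []).append(line)
    return hits


# Constructed process command lines, not captured from the real sample.
# The for-loop line uses a single %1 where a .bat file needs %%1, so it would
# fail when run from a batch file (a syntax error of the kind the post
# mentions) but is still flagged.
SAMPLE_CMDLINES = [
    r"vssadmin.exe Delete Shadows /All /Quiet",
    r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f',
    r'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f',
    r'del /f /q "%USERPROFILE%\Documents\Default.rdp"',
    r'''for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"''',
    r"notepad.exe C:\Users\alice\todo.txt",
]

if __name__ == "__main__":
    for label, lines in scan(SAMPLE_CMDLINES).items():
        print(label)
        for line in lines:
            print("   ", line)
```

Feeding this the process-creation command lines from an EDR or Sysmon export is enough to surface all three behaviours; a single host showing shadow-copy deletion together with RDP-history removal is a strong signal even before any encrypted files are found.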

[Image 10.png not reproduced]

Solutions

1. Change and strengthen your computer passwords, and do not reuse the same password across computers, so that one compromise does not expose a series of computers.
2. Disable RDP if your business does not need it. When a computer is attacked, Sangfor NGAF recommends blocking port 3389 and other ports to stop the ransomware from spreading.
3. Turn on Sangfor NGAF brute-force attack prevention by enabling rules 11080051, 11080027 and 11080016.
4. For individuals and non-Sangfor NGAF users, Sangfor has developed a new anti-bot tool that can be downloaded by clicking here.

Sangfor Anti-Bot Tool is a malware removal tool that combines local and cloud-based removal. It has a large cloud virus database that can identify most active virus threats on the existing network, and a powerful scanning engine for the local machine. Through static analysis of programs and dynamic virtual execution of malicious files, it cleans up the system and leaves it malware-free.


Faisal Lv8 Posted 27 Dec 2020 08:15
Thank you very much for the information ...
Faisal Lv8 Posted 27 Dec 2020 08:16
Nice article ...
Faisal Lv8 Posted 27 Dec 2020 08:17
Great info
Fida_Balti Lv4 Posted 04 Nov 2021 18:50
Great info