Alert: New Globelmposter 3.0 Variant Compromises Hospitals

Sangfor Elsa Posted 30 Aug 2018 10:13

Last edited by Sangfor Elsa 30 Aug 2018 10:15.

Every 4.2 seconds a new malware specimen emerges to threaten the safety and security of your business. The Sangfor security team, dedicated to keeping you informed of any new potentially dangerous variants, recently discovered that the ransomware Globelmposter has been updated to version 3.0. This comes close on the heels of last week’s notice of a new Globelmposter 2.0 variant. Globalmposter 3.0 infects systems and encrypts database files, appending encrypted files with .Ox4444 and requiring victims to contact hackers through email to negotiate ransom and get the decryption key.

With several large Chinese hospitals experiencing recent attacks, Sangfor reminds customers to be wary of GlobeImposter and all its variants.

Virus Name: GlobeImposter 3.0 variant

Type: Ransomware

Impacts: Several hospital networks have been compromised.

Threat Level: High

Description: The latest variant, GlobeImposter 3.0, uses the file extension .Ox4444.

Disk Types: Globelmposter 3.0 targets removable disks, hard disks and cloud disks.

Recent attacks perpetrated by the Globelmposter 3.0 variant adopts an RSA+AES algorithm with a file extension of Ox4444. As of now, no decryption tools have been developed to decrypt the encrypted files with the appended file extension of Ox4444.

Just as with the previous Globelmposter variants 1.0 and 2.0, Globelmposter 3.0 ransomware drops a .txt file entitled, "HOW_TO_BACK_FILES" in the corresponding directory with the victim ID and contact information of hacker contained in the file.



A large number of users have been attacked by GlobeImposter 3.0 variants recently. At the time of this writing there is no decryption tool for those victims. You may only quarantine infected hosts and disconnect them from network.

Sangfor recommends you perform a virus scan as soon as possible.

Detection and Removal

Sangfor offers customers and users free anti-malware software to scan for and remove the ransomware virus. Simply download from


1. Fix the vulnerability by installing the corresponding patch on the host.

2. Back up critical data files regularly to other hosts or storage devices.

3. Change and strengthen your computer password and do not use the same password for different computers to avoid compromising a series of computers.

4. Disable RDP if RDP is unnecessary for your business. When a computer is attacked, Sangfor NGAF recommends blocking port 3389 and other ports to stop ransomware from spreading.

5. Perform security scan and virus removal on the whole network and enhance network security.


Consultancy and Services

Contact us by any of the following means to gain consultancy and support services for free.

1. Call Sangfor at +60 12711 7129 (7511)
2. Follow Sangfor Tech Support public account on WeChat.
3. Access Sangfor Community to chat with Sangfor technician.
4. For more information on identification and mitigation of all Globalmposter variants, please visit our previous article:

Like this topic? Like it or reward the author.

Creating a topic earns you 5 coins. A featured or excellent topic earns you more coins. What is Coin?

Enter your mobile phone number and company name for better service. Go

Relevant topics

Rickysut Lv3Posted 24 Apr 2019 18:04
Thank You for sharing
ChrisB Lv2Posted 14 May 2020 18:23
Noted on the alert.