Home Malware Programs Rogue Anti-Spyware Programs Globe Imposter Ransomware

Globe Imposter Ransomware

Posted: January 3, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 3,553
First Seen: January 3, 2017
Last Seen: November 14, 2020
OS(es) Affected: Windows

The Globe Imposter Ransomware is an imitation of the Globe Ransomware that, like the Trojan it copies, can encrypt your files to block them from opening and create pop-up messages asking for ransom money. Currently, this Trojan's files are decryptable without charge through third parties. In other circumstances, malware experts recommend that you keep backups and use your anti-malware programs to block the Globe Imposter Ransomware from enciphering any content in the first place.

Decoding the Reasons for Fake Branding on Real Trojans

Genuine variations of past Trojans like the Cerber Ransomware or the Crysis Ransomware are a major part of the harmful software marketplace, but imitators also are a significant minority. Con artists using brand names of other campaigns can benefit from their notoriety and even impede recovery solutions meant for a specific threat. For now, readers could look at the Globe Imposter Ransomware, a threat with verifiable samples appearing in the last month of 2016.

The Globe Imposter Ransomware mimics the encryption and ransoming strategies of the Globe Ransomware family. Although both Trojans include similar symptoms, the Globe Imposter Ransomware uses a different encryption method from the group it imitates to block your\ files. It uses a small list of under forty extensions for the target selection, including DOC, PDF, JPEG, and WAV, and appends the '.crypt' extension to the end of each of their names.

After finishing the encryption, the Globe Imposter Ransomware launches the 'HOW_OPEN_FILES' HTA pop-up. The threat actor designs the interactive ransom message to resemble the Globe Ransomware messages and includes payment instructions for transferring the Bitcoin cryptocurrency to the con artist's wallet. In particular, warnings by malware analysts outline the fact that this Trojan uses an entirely separate algorithm from the Trojan that it's pretending to be, meaning that any victims using the wrong decryption tools can damage any encrypted content beyond the possibility of recovery permanently.

Stopping the Spin on the Globe Imposter Ransomware

Despite the Globe Imposter Ransomware's attempts at misdirection, some entities in the cyber security industry are decrypting current versions of this threat successfully. Using free decryption tools customized to the Globe Imposter Ransomware (which uses the AES encryption, rather than the Globe Ransomware's Blowfish cipher) can help victims recover their files without paying the Bitcoin amount. Otherwise, backups also are routinely recommended as a standardized and foolproof way of preventing your PC's contents from being vulnerable to file-encrypting threats.

Malware analysts can isolate current infection vectors for the Globe Imposter Ransomware within English and Russian-speaking regions of the world. The Trojan may install itself through e-mail attachments, mislabeled torrents or website-based drive-by-downloads. Modern anti-malware products encompass various forms of threat detection against most of these vectors, letting you delete the Globe Imposter Ransomware before any file-targeted attacks are viable.

In all but the most outlandish of situations statistically, trusting a con artist who's attacking your PC for money is a poor idea. In fact, as the Globe Imposter Ransomware demonstrates, it even can be an avenue into causing more harm to your computer than the original Trojan does.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



%SYSTEMDRIVE%\Users\<username>\AppData\Local\9YDR22L4OM.exe File name: 9YDR22L4OM.exe
Size: 417.28 KB (417280 bytes)
MD5: d6c7bbffa256e952070a2cd84bfea821
Detection count: 979
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\Users\<username>\AppData\Local\9YDR22L4OM.exe
Group: Malware file
Last Updated: June 26, 2020

Related Posts

Loading...