Globe Imposter Ransomware
Posted: January 3, 2017
Threat Metric
The following fields listed on the Threat Meter containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
Threat Level: | 10/10 |
---|---|
Infected PCs: | 3,553 |
First Seen: | January 3, 2017 |
---|---|
Last Seen: | November 14, 2020 |
OS(es) Affected: | Windows |
The Globe Imposter Ransomware is an imitation of the Globe Ransomware that, like the Trojan it copies, can encrypt your files to block them from opening and create pop-up messages asking for ransom money. Currently, this Trojan's files are decryptable without charge through third parties. In other circumstances, malware experts recommend that you keep backups and use your anti-malware programs to block the Globe Imposter Ransomware from enciphering any content in the first place.
Decoding the Reasons for Fake Branding on Real Trojans
Genuine variations of past Trojans like the Cerber Ransomware or the Crysis Ransomware are a major part of the harmful software marketplace, but imitators also are a significant minority. Con artists using brand names of other campaigns can benefit from their notoriety and even impede recovery solutions meant for a specific threat. For now, readers could look at the Globe Imposter Ransomware, a threat with verifiable samples appearing in the last month of 2016.
The Globe Imposter Ransomware mimics the encryption and ransoming strategies of the Globe Ransomware family. Although both Trojans include similar symptoms, the Globe Imposter Ransomware uses a different encryption method from the group it imitates to block your\ files. It uses a small list of under forty extensions for the target selection, including DOC, PDF, JPEG, and WAV, and appends the '.crypt' extension to the end of each of their names.
After finishing the encryption, the Globe Imposter Ransomware launches the 'HOW_OPEN_FILES' HTA pop-up. The threat actor designs the interactive ransom message to resemble the Globe Ransomware messages and includes payment instructions for transferring the Bitcoin cryptocurrency to the con artist's wallet. In particular, warnings by malware analysts outline the fact that this Trojan uses an entirely separate algorithm from the Trojan that it's pretending to be, meaning that any victims using the wrong decryption tools can damage any encrypted content beyond the possibility of recovery permanently.
Stopping the Spin on the Globe Imposter Ransomware
Despite the Globe Imposter Ransomware's attempts at misdirection, some entities in the cyber security industry are decrypting current versions of this threat successfully. Using free decryption tools customized to the Globe Imposter Ransomware (which uses the AES encryption, rather than the Globe Ransomware's Blowfish cipher) can help victims recover their files without paying the Bitcoin amount. Otherwise, backups also are routinely recommended as a standardized and foolproof way of preventing your PC's contents from being vulnerable to file-encrypting threats.
Malware analysts can isolate current infection vectors for the Globe Imposter Ransomware within English and Russian-speaking regions of the world. The Trojan may install itself through e-mail attachments, mislabeled torrents or website-based drive-by-downloads. Modern anti-malware products encompass various forms of threat detection against most of these vectors, letting you delete the Globe Imposter Ransomware before any file-targeted attacks are viable.
In all but the most outlandish of situations statistically, trusting a con artist who's attacking your PC for money is a poor idea. In fact, as the Globe Imposter Ransomware demonstrates, it even can be an avenue into causing more harm to your computer than the original Trojan does.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:%SYSTEMDRIVE%\Users\<username>\AppData\Local\9YDR22L4OM.exe
File name: 9YDR22L4OM.exeSize: 417.28 KB (417280 bytes)
MD5: d6c7bbffa256e952070a2cd84bfea821
Detection count: 979
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\Users\<username>\AppData\Local\9YDR22L4OM.exe
Group: Malware file
Last Updated: June 26, 2020
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.