GlobeImposter Ransomware Campaign Growing and Impacting the US

Over the past month, Malware-Traffic-Analysis.net and ID Ransomware have seen indications of an increasing amount of GlobeImposter ransomware infections based on samples submitted to both websites. Michael Gillespie, security researcher and creator of ID Ransomware, posted on his Twitter account that this ransomware campaign appears to be impacting victims in both the US and the EU. According to Gillespie, the threat actors were initially compromising Remote Desktop Protocol (RDP) to infect victims, but they have since shifted to using malicious email campaigns to spread the variant. Malware-Traffic-Analysis.net confirms this claim and provides indicators of compromise of several recent GlobeImposter email campaigns. The NJCCIC recommends all organizations implement a robust data backup and restoration plan, which mitigates the risk of data loss resulting from a ransomware infection. Backups should be scheduled as frequently as possible, tested regularly, and stored off the network in a separate and secure location. To mitigate the risk posed by GlobeImposter and other ransomware variants that exploit RDP, organizations should restrict or completely disable unnecessary remote access options. If RDP is necessary, implement a two-factor authentication solution to prevent brute force attempts against login credentials. To mitigate the risk posed by malicious email campaigns, organizations should educate staff regularly about social engineering tactics and implement an email security gateway to monitor and filter incoming and outgoing communications to help prevent malicious emails from reaching end users.