Spam Campaign Distributing GlobeImposter Ransomware

A new spam campaign is distributing the GlobeImposter ransomware variant via malicious email attachments. The spam email has a subject line beginning with “Emailing: IMG_date_number…” and a 7-Zip archive attachment. The .7z attachment contains an obfuscated JavaScript (.js) file that, when double-clicked, downloads and executes GlobeImposter, which then begins encrypting the computer’s files. GlobeImposter appends ..doc to the end of encrypted files and creates a ransom note titled “Read___ME.html” in each folder where a file is encrypted; the note provides instructions on contacting the perpetrators and making the ransom payment.

The NJCCIC is not currently aware of any decryption tool for the GlobeImposter variant. The NJCCIC recommends that users review the BleepingComputer report on this campaign, educate themselves on this and similar phishing and spam tactics, avoid opening unexpected or unsolicited emails and email attachments, use an anti-malware solution, and keep all hardware and software updated. If you or your organization is impacted by ransomware, we strongly encourage our members to report it to the NJCCIC as soon as possible and before deciding to pay any ransom.
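The indicators described above can be turned into a simple triage check. The following is an added example, not NJCCIC or BleepingComputer code: it flags a message whose subject starts with the campaign prefix and carries a .7z attachment, and groups file paths by folder where the ransom note or the ..doc suffix appears. The function names, sample message, addresses and file paths are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

SUBJECT_PREFIX = "Emailing: IMG_"   # subject prefix stated in the advisory
NOTE_NAME = "read___me.html"        # ransom note name, compared case-insensitively
ENC_SUFFIX = "..doc"                # suffix appended to encrypted files

def mail_matches(raw: bytes) -> bool:
    """Campaign subject prefix plus at least one .7z attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not str(msg["Subject"] or "").strip().startswith(SUBJECT_PREFIX):
        return False
    return any((part.get_filename() or "").lower().endswith(".7z")
               for part in msg.iter_attachments())

def host_findings(paths):
    """Map folder -> {'note': bool, 'encrypted': [names]} for indicator hits."""
    hits = {}
    for p in map(PureWindowsPath, paths):
        name = p.name.lower()
        if name != NOTE_NAME and not name.endswith(ENC_SUFFIX):
            continue
        entry = hits.setdefault(str(p.parent), {"note": False, "encrypted": []})
        if name == NOTE_NAME:
            entry["note"] = True
        else:
            entry["encrypted"].append(p.name)
    return hits

def _sample_mail(subject, filename):
    # Constructed message for the demo; addresses and payload are placeholders.
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = subject, "a@example.com", "b@example.com"
    m.set_content("constructed body")
    m.add_attachment(b"constructed", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

SAMPLE_HIT = _sample_mail("Emailing: IMG_20170801_0001", "IMG_20170801_0001.7z")
SAMPLE_MISS = _sample_mail("Emailing: IMG_20170801_0001", "IMG_20170801_0001.pdf")
SAMPLE_PATHS = [  # constructed file listing
    r"C:\Users\kim\Documents\budget.xlsx..doc",
    r"C:\Users\kim\Documents\Read___ME.html",
    r"C:\Users\kim\Pictures\notes..doc",
    r"C:\Users\kim\Desktop\report.doc",
]

if __name__ == "__main__":
    print(mail_matches(SAMPLE_HIT), mail_matches(SAMPLE_MISS))
    for folder, hit in host_findings(SAMPLE_PATHS).items():
        print(folder, hit)
```

A folder that contains both the ransom note and files with the appended suffix is the strongest host-side signal; the mail check alone matches only the subject prefix and attachment type, so treat a hit as a reason to quarantine and inspect.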