GlobeImposter

GlobeImposter targets Windows systems and imitates the earlier Globe ransomware family; at the time of this writing its distribution method is unknown. On March 16, 2017, security researchers identified a new version, dubbed GlobeImposter 2.0.

Extensions appended to encrypted file names:
.crypt, .pizdec, .FIX, .keepcalm, .vdul, .2cXpCihgsVxB3, .medal, .paycyka, .wallet, .3ncrypt3d, .skunk, .BRT92, .HAPP, .707, .s1crypt, .au1crypt, .p1crypt, .GOTHAM, .rose, .ocean, .Mixi, .725, .726, .help, .sea, .mtk118, .492, .astra, .coded, .txt, .ACTUM, .GRAFF, .JEEP, .BONUM, .GRANNY, .LEGO, .D2550A49BF52DFC23F2C013C5, .rumblegoodboy, .zuzya, .UNLIS, .0402, .Trump, .ReaGAN, .C8B089F, .needdecrypt, .write_on_email, .clinTON, .BUSH, .911

Ransom note file names:
HOW_OPEN_FILES.hta, how_to_recover_files.html, How_to_back_files.html, #HOW_DECRYPT_FILES#.html, RECOVER-FILES.html, !back_files!.html, !your_files!.html, here_your_files!.html, Read_ME.html, !SOS!.html

Email addresses associated with GlobeImposter:
keepcalmpls@india.com, support24@india.com, support24_02@india.com, happydaayz@aol.com, strongman@india.com, file_free@protonmail.com, koreajoin69@tutanota.com, Decoder_master@aol.com, Decoder_master@india.com, legosfilos@aol.com, crazyfoot_granny@aol.com, Ronald_Reagan@derpymail.org, Bill_Clinton@derpymail.org, George_Bush@derpymail.org
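The three lists above are only useful if they are checked together: several of the appended extensions (.txt, .help, and to a lesser degree .crypt, which other families also use) occur on ordinary files, so matching an extension alone produces false positives, while a ransom note sitting next to renamed files is a strong signal. The script below is an added example, not code from the original advisory or from NJCCIC; it groups a file listing by directory, treats .txt and .help as "noisy" extensions that only count when a ransom note is present in the same directory, and assigns a confidence level per directory. The confidence thresholds, the sample paths and the sample note text are all constructed for this example.

```python
"""Triage a file listing for the GlobeImposter indicators published in the advisory above.

Added example; thresholds and sample data are assumptions, not part of the advisory.
"""
import posixpath
import re
from collections import defaultdict

# Extensions from the advisory, lower-cased because Windows file names are case-insensitive.
GLOBEIMPOSTER_EXTENSIONS = {
    ".crypt", ".pizdec", ".fix", ".keepcalm", ".vdul", ".2cxpcihgsvxb3", ".medal",
    ".paycyka", ".wallet", ".3ncrypt3d", ".skunk", ".brt92", ".happ", ".707",
    ".s1crypt", ".au1crypt", ".p1crypt", ".gotham", ".rose", ".ocean", ".mixi",
    ".725", ".726", ".help", ".sea", ".mtk118", ".492", ".astra", ".coded", ".txt",
    ".actum", ".graff", ".jeep", ".bonum", ".granny", ".lego",
    ".d2550a49bf52dfc23f2c013c5", ".rumblegoodboy", ".zuzya", ".unlis", ".0402",
    ".trump", ".reagan", ".c8b089f", ".needdecrypt", ".write_on_email", ".clinton",
    ".bush", ".911",
}
# Extensions that are common on legitimate files: only meaningful next to a ransom note.
NOISY_EXTENSIONS = {".txt", ".help"}

RANSOM_NOTE_NAMES = {
    "how_open_files.hta", "how_to_recover_files.html", "how_to_back_files.html",
    "#how_decrypt_files#.html", "recover-files.html", "!back_files!.html",
    "!your_files!.html", "here_your_files!.html", "read_me.html", "!sos!.html",
}

KNOWN_CONTACT_EMAILS = {
    "keepcalmpls@india.com", "support24@india.com", "support24_02@india.com",
    "happydaayz@aol.com", "strongman@india.com", "file_free@protonmail.com",
    "koreajoin69@tutanota.com", "decoder_master@aol.com", "decoder_master@india.com",
    "legosfilos@aol.com", "crazyfoot_granny@aol.com", "ronald_reagan@derpymail.org",
    "bill_clinton@derpymail.org", "george_bush@derpymail.org",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def classify_paths(paths):
    """Group paths by directory and score each directory.

    Returns {directory: {"confidence": "high"|"medium"|"low",
                          "notes": [...], "encrypted": [...], "noisy": [...]}}.
    Directories with only noisy-extension hits are not reported.
    """
    by_dir = defaultdict(lambda: {"notes": [], "encrypted": [], "noisy": []})
    for path in paths:
        # Normalise Windows separators so the example runs on any host.
        directory, name = posixpath.split(path.replace("\\", "/"))
        lname = name.lower()
        if lname in RANSOM_NOTE_NAMES:
            by_dir[directory]["notes"].append(name)
            continue
        ext = posixpath.splitext(lname)[1]
        if ext in NOISY_EXTENSIONS:
            by_dir[directory]["noisy"].append(name)
        elif ext in GLOBEIMPOSTER_EXTENSIONS:
            by_dir[directory]["encrypted"].append(name)

    findings = {}
    for directory, hits in by_dir.items():
        if hits["notes"] and (hits["encrypted"] or hits["noisy"]):
            confidence = "high"      # note plus renamed files in the same directory
        elif hits["notes"]:
            confidence = "medium"    # note alone (files may already be cleaned up)
        elif hits["encrypted"]:
            confidence = "low"       # specific extension, but no note to confirm it
        else:
            continue                 # .txt/.help only: not worth reporting
        findings[directory] = {"confidence": confidence, **hits}
    return findings


def match_contact_emails(note_text):
    """Return the advisory-listed contact addresses that appear in a ransom note body."""
    found = {m.lower() for m in EMAIL_RE.findall(note_text)}
    return sorted(found & KNOWN_CONTACT_EMAILS)


# Constructed sample listing (not real incident data).
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/budget.xlsx.crypt",
    "C:/Users/alice/Documents/notes.docx.crypt",
    "C:/Users/alice/Documents/HOW_OPEN_FILES.hta",
    "C:\\Users\\alice\\Pictures\\holiday.jpg.725",
    "C:\\Users\\alice\\Pictures\\!back_files!.html",
    "C:/ProgramData/app/readme.txt",
    "C:/ProgramData/app/config.ini",
    "D:/share/archive.zip.s1crypt",
]

if __name__ == "__main__":
    for directory, finding in classify_paths(SAMPLE_PATHS).items():
        print(f"{finding['confidence']:6} {directory}: notes={finding['notes']} "
              f"encrypted={len(finding['encrypted'])} noisy={len(finding['noisy'])}")
```

Feed it the output of a recursive directory listing (for example, `dir /s /b` exported from an affected host) and review high-confidence directories first; the low-confidence bucket is where the numeric extensions such as .707 or .492 will collide with legitimate files, so confirm those by opening a sample file rather than acting on the extension alone.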

UPDATE 8/3/2017: According to security researcher Michael Gillespie, creator of ID Ransomware, there has been a growing GlobeImposter ransomware campaign impacting the US and the EU over the past month. Malware-Traffic-Analysis.net has also detected multiple instances of malspam distributing the GlobeImposter ransomware variant and provides indicators of compromise associated with these campaigns on their website.

  • Emsisoft provides more information about GlobeImposter, as well as a free decryption tool for the original variant.
  • The NJCCIC is not currently aware of any decryption tools available for GlobeImposter 2.0.