
New Variant GlobeImposter Ransomware Distributed via Malspam

Researchers have spotted a new malspam campaign distributing a new variant of GlobeImposter ransomware.

The ransomware is distributed via email messages that pose as shared photos, using the subject line “Emailing: IMG_20171221_”.

The emails carry 7zip (.7z) archives as attachments, named like camera photo files, such as IMG_[date]_[number].

Each 7zip archive contains an obfuscated .js file; when it is double-clicked, it downloads the GlobeImposter ransomware from a remote server and executes it.

The ransomware then starts encrypting files and appends the ..doc extension to each encrypted file name.

“After the executable is downloaded, it will be executed and the GlobeImposter ransomware will begin to encrypt the computer. When encrypting files on the computer it will append the ..doc extension to encrypted file’s name. For example, a file called 1.doc would be renamed to 1.doc..doc.”

The ransomware also creates a ransom note named Read___ME.html in each folder where a file is encrypted.

The ransom note instructs victims to visit the onion site http://n224ezvhg4sgyamb.onion/sup.php. That site tells them to contact the attackers at the email address listed there to receive payment instructions, and it also allows victims to decrypt one file for free.

The site also provides a link to a support site where victims can send the attackers a message. Researchers also said that, at this time, files encrypted by GlobeImposter ransomware cannot be decrypted for free.
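The indicators the article gives (the lure's subject and attachment naming, the ..doc double extension and the Read___ME.html note) lend themselves to two defender-side checks: a mail-triage rule and a host scan that scopes which folders were hit. The code below is an added example, not from the article or the researchers; the regular expressions, the attachment name and the sample files are constructed assumptions.

```python
"""Defender-side checks for the GlobeImposter malspam indicators above.

Mail lure: subject "Emailing: IMG_<date>_<number>" with a .7z attachment
named like a camera photo (IMG_<date>_<number>.7z).
Host: encrypted files carry a "..doc" double extension and each affected
folder holds a ransom note called Read___ME.html.
The regex patterns and the sample files are constructed, not from the page.
"""
import os
import re
import tempfile
from pathlib import Path

SUBJECT_RE = re.compile(r"^Emailing:\s*IMG_\d{8}_\d*", re.IGNORECASE)
PHOTO_7Z_RE = re.compile(r"^IMG_\d{8}_\d+\.7z$", re.IGNORECASE)
RANSOM_NOTE = "Read___ME.html"
ENCRYPTED_SUFFIX = "..doc"


def is_campaign_lure(subject, attachment_names):
    """True when the subject pattern and a photo-named .7z attachment both match."""
    if not SUBJECT_RE.match(subject):
        return False
    return any(PHOTO_7Z_RE.match(name) for name in attachment_names)


def scan_for_encryption(root):
    """Walk `root`; return {folder: number of ..doc files} for every folder
    that holds a ransom note or at least one file with the ..doc suffix."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.endswith(ENCRYPTED_SUFFIX)]
        if encrypted or RANSOM_NOTE in files:
            hits[dirpath] = len(encrypted)
    return hits


def build_sample_tree():
    """Constructed fixture: one encrypted folder with a note, one clean folder.
    Returns (root, path of the folder that should be flagged)."""
    root = Path(tempfile.mkdtemp())
    hit, clean = root / "Documents", root / "Music"
    hit.mkdir()
    clean.mkdir()
    for name in ("1.doc..doc", "report.xlsx..doc", RANSOM_NOTE):
        (hit / name).touch()
    (clean / "song.mp3").touch()
    return str(root), str(hit)


if __name__ == "__main__":
    print(is_campaign_lure("Emailing: IMG_20171221_", ["IMG_20171221_0042.7z"]))
    root, _hit = build_sample_tree()
    print(scan_for_encryption(root))
```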

How to protect yourself from GlobeImposter ransomware:

  • Perform regular backups. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Maintain updated antivirus software on all systems.
  • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited email, even if the link seems benign. If the URL appears genuine, close the e-mail and go to the organization’s website directly through the browser.
  • Keep the operating system and third-party applications (MS Office, Flash Player, browsers, browser plugins) up to date with the latest patches.
