Researchers have spotted a new malspam campaign distributing a new variant of GlobeImposter ransomware.
The ransomware is distributed through emails that pose as forwarded photos, using the subject line “Emailing: IMG_20171221_”.
Each email carries a 7-Zip (.7z) archive attachment named like a camera photo, in the form IMG_[date]_[number].
The archive contains an obfuscated .js file; when the victim double-clicks it, the script downloads the GlobeImposter executable from a remote server and runs it.
The ransomware then begins encrypting files and appends a ..doc extension (note the two dots) to each encrypted file’s name.
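As an added example (not code from the original report), here is a small Python triage helper that checks a raw email for the lure indicators described above: the “Emailing: IMG_…” subject line, a .7z attachment named like a camera photo, and the 7z signature bytes at the start of the attachment. The sample message it builds is constructed here and carries a stub archive (signature bytes only), not the real attachment; the regular expressions and the verdict thresholds are my assumptions, not the researchers’ detection rules.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators from the campaign description (assumed regexes, tune for your gateway):
SUBJECT_RE = re.compile(r"^Emailing:\s*IMG_\d{8}_", re.IGNORECASE)   # "Emailing: IMG_20171221_"
ATTACH_RE = re.compile(r"^IMG_\d{8}_\d+\.7z$", re.IGNORECASE)        # IMG_[date]_[number].7z
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"                               # first six bytes of any 7z archive


def triage_message(raw: bytes) -> dict:
    """Return which campaign indicators a raw RFC 822 message matches, plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {"subject": False, "attachment_name": False, "attachment_is_7z": False}

    hits["subject"] = bool(SUBJECT_RE.search(str(msg.get("Subject", ""))))

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACH_RE.match(name):
            hits["attachment_name"] = True
            payload = part.get_payload(decode=True) or b""
            # A lookalike name is suspicious; a lookalike name on a genuine 7z body is the lure itself.
            if payload.startswith(SEVENZIP_MAGIC):
                hits["attachment_is_7z"] = True

    if hits["attachment_name"] and hits["attachment_is_7z"]:
        hits["verdict"] = "quarantine"
    elif hits["subject"] or hits["attachment_name"]:
        hits["verdict"] = "review"
    else:
        hits["verdict"] = "pass"
    return hits


def build_sample_lure() -> bytes:
    """Constructed message mimicking the lure. The archive body is a stub, not malware."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "victim@example.com"
    m["Subject"] = "Emailing: IMG_20171221_"
    m.set_content("Your message is ready to be sent with the following file or link attachments:\n"
                  "IMG_20171221_1234")
    stub_archive = SEVENZIP_MAGIC + b"\x00" * 26  # signature header only, no real entries
    m.add_attachment(stub_archive, maintype="application", subtype="x-7z-compressed",
                     filename="IMG_20171221_1234.7z")
    return m.as_bytes()


def build_sample_benign() -> bytes:
    """Constructed benign message: a real photo attachment with an ordinary subject."""
    m = EmailMessage()
    m["From"] = "friend@example.com"
    m["To"] = "victim@example.com"
    m["Subject"] = "Holiday photos"
    m.set_content("Here is the picture from yesterday.")
    m.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 12, maintype="image", subtype="jpeg",
                     filename="IMG_20171221_1234.jpg")
    return m.as_bytes()


if __name__ == "__main__":
    print("lure:  ", triage_message(build_sample_lure()))
    print("benign:", triage_message(build_sample_benign()))
```

Listing the archive to confirm it holds a .js file would need a 7z library (for example py7zr) or the 7z command-line tool, neither of which is in the standard library, so this helper stops at the filename pattern and the signature bytes and leaves the archive itself to a sandbox or scanner.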
“After the executable is downloaded, it will be executed and the GlobeImposter ransomware will begin to encrypt the computer. When encrypting files on the computer it will append the ..doc extension to encrypted file’s name. For example, a file called 1.doc would be renamed to 1.doc..doc.”
The ransomware also drops a ransom note named Read___ME.html in every folder where a file was encrypted.
The ransom note instructs victims to visit the Tor site http://n224ezvhg4sgyamb.onion/sup.php, which tells them to contact the email address listed there (email@example.com) for payment instructions and offers to decrypt one file for free as proof.
The site also links to a support page where victims can send the attackers a message. The researchers note that, at the time of writing, files encrypted by this GlobeImposter variant cannot be decrypted for free.
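The two host-side artifacts named above, the ..doc suffix on encrypted files and the Read___ME.html note in each affected folder, are easy to sweep for after the fact. The following Python scanner is an added example, not tooling from the original report; it builds a constructed sample directory tree (one hit folder, one clean folder) in a temporary location and reports both indicators, treating a folder that contains both a suffixed file and a note as a confirmed hit. The sample file names are invented for the demonstration.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = "..doc"       # appended to each encrypted file, e.g. 1.doc -> 1.doc..doc
RANSOM_NOTE = "Read___ME.html"   # dropped in every folder where a file was encrypted


def scan_tree(root) -> dict:
    """Walk a tree and collect GlobeImposter indicators.

    encrypted:      files ending in the double-dot ..doc suffix
    notes:          ransom notes found
    confirmed_dirs: folders holding both a suffixed file and a note (strong signal)
    suspect_dirs:   folders holding only one of the two (weak signal, review by hand)
    """
    root = Path(root)
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = Path(dirpath) / f
            if f == RANSOM_NOTE:
                notes.append(p)
            elif f.endswith(ENCRYPTED_SUFFIX):   # ".doc" alone (single dot) is a normal file
                encrypted.append(p)
    enc_dirs = {p.parent for p in encrypted}
    note_dirs = {p.parent for p in notes}
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "confirmed_dirs": sorted(enc_dirs & note_dirs),
        "suspect_dirs": sorted(enc_dirs ^ note_dirs),
    }


def original_name(path) -> str:
    """Recover the pre-encryption file name by stripping the appended suffix."""
    name = str(path)
    if name.endswith(ENCRYPTED_SUFFIX):
        return name[: -len(ENCRYPTED_SUFFIX)]
    return name


def build_sample_tree() -> Path:
    """Constructed sample tree: 'Documents' was hit, 'Pictures' was not."""
    base = Path(tempfile.mkdtemp(prefix="globeimposter_demo_"))
    hit = base / "Documents"
    hit.mkdir()
    (hit / "1.doc..doc").write_bytes(b"\x00" * 16)
    (hit / "budget.xlsx..doc").write_bytes(b"\x00" * 16)
    (hit / RANSOM_NOTE).write_text("<html><body>ransom note placeholder</body></html>")
    clean = base / "Pictures"
    clean.mkdir()
    (clean / "IMG_20171221_1234.jpg").write_bytes(b"\xff\xd8\xff\xe0")
    (clean / "notes.doc").write_bytes(b"plain document")   # legitimate .doc, single dot
    return base


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for p in result["encrypted"]:
        print(f"{p}  (was {original_name(p)})")
    print("confirmed:", result["confirmed_dirs"])
    print("suspect:  ", result["suspect_dirs"])
```

The suffix on its own is a weak indicator, since nothing stops a user from naming a file that way, which is why the scan reports folders with both artifacts separately from folders with just one. Run it against a mounted image or a read-only share rather than the live host, and do not delete the notes: they carry the contact details an investigation will want.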
How to protect yourself from GlobeImposter ransomware:
- Perform regular backups. Ideally, keep this data on a separate device and store the backups offline, so an infected host cannot reach them.
- Keep antivirus software up to date on all systems.
- Don’t open attachments in unsolicited emails, even if they appear to come from people in your contact list, and never click a URL in an unsolicited email, even if the link looks benign. If a link seems genuine, close the email and navigate to the organization’s website directly in the browser.
- Because this campaign relies on a double-clicked .js script inside a .7z archive, block or quarantine such attachments at the email gateway and consider changing the default handler for .js files away from Windows Script Host so a stray double-click opens the script in a text editor instead of running it.
- Keep the operating system and third-party applications (Microsoft Office, Flash Player, browsers, browser plugins) up to date with the latest patches.