GlobeImposter Ransomware (Analysis and Recovery Options)

This page details everything you need to know about GlobeImposter ransomware. If you have been hit by GlobeImposter ransomware and need help recovering your data, we're here to help.


What is GlobeImposter ransomware?

First appearing in 2017, GlobeImposter ransomware has since evolved into over 20 different variants.

Each version of GlobeImposter ransomware operates with slight differences, but each variant follows a similar attack method. 

Most active GlobeImposter ransomware encryption is too strong to be broken and does not have any free decryption tools available. However, some early versions of GlobeImposter were decrypted without paying the ransom.

GlobeImposter encrypts files on all drives on the breached system and deletes shadow copies. 

The GlobeImposter threat actors provide an email address and unique identifier in the ransom notes which can be used if decryption is explored. 

Below is an example GlobeImposter ransom note:

(Image: GlobeImposter ransomware ransom note)

GlobeImposter ransomware Indicators of Compromise (IoC)

There are several GlobeImposter ransomware Indicators of Compromise (IoC) that signal the malware is present on a victim computer. 

GlobeImposter Encrypted Files

If your data has been encrypted by GlobeImposter ransomware, you will notice a different extension appended to each file. The ransomware generally renames encrypted files as shown in the diagram below.

(Image: Identifying GlobeImposter ransomware files)

You may notice that each system or file share on your network has a different identifier, which is found in the ransom notes. The threat actors may use these identifiers when determining the ransom cost.

GlobeImposter Ransom Note

The common GlobeImposter ransom note is an html file which is located in every folder on your infected computer/server. 

Below you will find an example of a GlobeImposter ransom note:

(Image: GlobeImposter ransomware ransom note)

Here are some examples of previous GlobeImposter ransom note names:

  • How_to_back_files.html
  • File Recovery.html
  • Read Me!.hta
  • Read_For_Restore_File.html
  • Decoding Information.html
  • How_to_decrypt_files.html
  • HOW_RECOVER.html
  • how_to_open_files.html

The ransom note also includes a unique identifier and an email address with instructions to contact the threat actor for decryption.

GlobeImposter virus name and SHA1 hash

The GlobeImposter ransomware virus has been discovered with the following names:

  • st.exe

The GlobeImposter SHA1 hashes discovered are:

  • 552da659f848f510dc2c5e5703e0a2310f14c9ac
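As an added example (not from the page or from Proven Data), here is a small Python sweep that hunts a file system for the IoCs listed above: the ransom note file names, the dropper file name and the SHA1 hash. The sample tree it builds is constructed for the demo; its `st.exe` is a harmless placeholder, not the real binary.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# IoCs taken from the page: ransom note names, dropper name and SHA1 hash.
RANSOM_NOTE_NAMES = {
    "how_to_back_files.html", "file recovery.html", "read me!.hta",
    "read_for_restore_file.html", "decoding information.html",
    "how_to_decrypt_files.html", "how_recover.html", "how_to_open_files.html",
}
KNOWN_BINARY_NAMES = {"st.exe"}
KNOWN_SHA1 = {"552da659f848f510dc2c5e5703e0a2310f14c9ac"}


def sha1_of(path, chunk=1 << 20):
    """Stream-hash a file so large binaries do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known_sha1=KNOWN_SHA1):
    """Walk `root` and return (path, reason) findings for every IoC hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()  # note names vary in case between variants
            if lower in RANSOM_NOTE_NAMES:
                findings.append((str(path), "ransom note name"))
            if lower in KNOWN_BINARY_NAMES:
                findings.append((str(path), "known dropper file name"))
            if lower.endswith((".exe", ".dll", ".hta")):
                try:
                    if sha1_of(path) in known_sha1:
                        findings.append((str(path), "known SHA1"))
                except OSError:
                    pass  # unreadable file: skip rather than abort the sweep
    return findings


def demo_tree():
    """Constructed sample tree (hypothetical, not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="globeimposter_sweep_"))
    (root / "Documents").mkdir()
    (root / "Documents" / "How_to_back_files.html").write_text("constructed note")
    (root / "Documents" / "report.docx").write_bytes(b"benign document")
    (root / "Temp").mkdir()
    (root / "Temp" / "st.exe").write_bytes(b"constructed placeholder, not malware")
    return root


if __name__ == "__main__":
    for path, reason in sweep(demo_tree()):
        print(f"{reason}: {path}")
```

A name match alone is a lead to investigate; only the hash match confirms the specific sample listed on this page.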

How to stop GlobeImposter ransomware

You can stop GlobeImposter ransomware from spreading by isolating the infected devices from the rest of your network. Disconnecting the device will help stop the ransomware from encrypting files on other devices. 

Once devices are isolated, you can start scanning with antivirus software to remove the malware and any potential back doors that have been left behind.

How much will GlobeImposter ransomware recovery cost?

There are several factors that may influence the total cost of recovering files encrypted by GlobeImposter ransomware. They include:

  • Assessment fee
  • Number of encrypted systems
  • Selected priority of service
  • Ransom demand amount

How much do GlobeImposter ransom demands cost?

Our data from Q3 and Q4 of 2020 shows that the initial average GlobeImposter ransomware demand is $15,947.


Like many other ransomware groups, the GlobeImposter operators are suspected of tailoring ransom amounts to the following:

  • Size and type of the victim company
  • Size of the victim network
  • Reconnaissance opening financial documents while on the victim network

The graph below shows the comparison between the average initial ransom demand of GlobeImposter ransomware and other common variants.

GlobeImposter typically targets small and medium businesses and is considered a medium-low volume ransomware variant in terms of frequency of attacks.

(Figure: Average ransom demand after negotiation (Q3/Q4 2020); the value did not render on this page)

Proven Data is experienced in helping to negotiate for a lower ransom demand from GlobeImposter operators. 

Knowing what to expect in ransomware recovery costs will help you make informed decisions when recovering your data.

How to decrypt GlobeImposter ransomware

If your files have been locked by GlobeImposter ransomware, you will want to know which ransomware recovery options are available to decrypt your data.

Unlock GlobeImposter encrypted files

The encryption algorithm for GlobeImposter is too strong to be broken and there are currently no flaws in the malware which allow the decryption keys to be obtained.

This leaves GlobeImposter victims with only one option to consider: paying the ransom to obtain the decryption key and unlock their files. 

As with many ransomware variants, we may be able to assist with restoring certain file types without paying the ransom. To find out more information, you can reach out to a Proven Data representative.

GlobeImposter Decrypter Instructions

The GlobeImposter decrypter is a straightforward utility with a command-console-style interface.

Here are the steps to run the Globe Imposter decrypter tool:

1. Ensure the decrypter does not contain malicious code (a ransomware recovery company should be able to help you with this).

2. Disable anti-virus software on the machine you will be running the tool from. This includes Microsoft Defender. 

3. Make sure to connect all the devices with encrypted files to the system you are going to be running the decrypter from. This includes mapping network shares and attaching external hard drives. 

4. Right click the decryption executable file and run as administrator.

(Image: GlobeImposter ransomware decrypter)

5. The decrypter console will appear and start the decryption process automatically.  

(Image: Decrypting GlobeImposter files)

6. The decrypter will go through all devices connected to the system and decrypt the files it finds. The interface lists every file it finds and recovers.

(Image: Unlocking GlobeImposter encrypted files)

7. When the process is finished, a completion message will appear in the decrypter console. Press any key or click the X button to close the utility.

(Image: GlobeImposter decrypter completion message)

How long does it take to recover from a GlobeImposter ransomware attack?

There are several factors which contribute to the time it takes to recover from a GlobeImposter attack. These include:

  • Cleaning the environment from malware
  • Securing vulnerabilities
  • Negotiation time
  • Compliance checks & making the ransom payment
  • Wait for the threat actor to return the decryption utility
    • Scan the decryption utility for malicious code
    • Test the functionality of the decryption utility
  • Decrypting the data
    • Size of the network
    • Number of files, file sizes & types
  • Backing up and verifying the data

For a network with 1-3 servers and 10-15 workstations it takes approximately 1-3 business days to complete the full recovery process.

What attack vectors did GlobeImposter ransomware use?

GlobeImposter ransomware primarily exploits unsecured RDP ports through brute force and dictionary attacks or by purchasing stolen credentials online through the dark web.

In addition, GlobeImposter ransomware has been seen packaged with free online software or distributed in a phishing email. 

A GlobeImposter ransomware attack may exploit a software vulnerability to install on your network. GlobeImposter ransomware usually infects your network with minimal disruption during off-hours and without user knowledge.

Does GlobeImposter ransomware steal data?

Based on our internal forensic investigations and additional research, we have seen no evidence that GlobeImposter ransomware attacks steal data while on the victim network. However, since ransomware threat actors constantly change tactics, it is still critical to conduct a forensic investigation.

Preserving evidence from GlobeImposter ransomware

In order to determine what the attackers removed from your network, you will need a forensic investigation performed. If you are considering a forensic investigation, it is important to preserve the evidence as soon as possible.

Here are the steps to preserve the forensic evidence:

  1. Do not shut down the computer or server as this will erase some artifacts
  2. Create a forensically sound image and take it offline
  3. Download firewall, VPN, and remote software logs
  4. Document all information pertaining to the ransomware attack

Complete instructions on preserving ransomware evidence can be found as part of the ransomware forensics process.

Why choose Proven Data GlobeImposter ransomware recovery?

Businesses that suffer downtime from a ransomware attack need a proven, time-tested solution to resume operations. That’s why we provide 24/7 access to staff who have significant experience recovering from the GlobeImposter ransomware variant. 

Our firm understanding of the GlobeImposter ransomware from our vast experience guides you to make informed decisions for your business. Understanding the attack vectors, threat actor profile, and negotiation expectations are essential to fully recover from the attack.

To meet compliance needs, we adopted a sanctions compliance program to ensure we are making ransom payments on behalf of our clients responsibly. At the service’s conclusion, we provide you with an incident and compliance report that can be used for insurance or law enforcement reporting purposes. 

If you are looking for a transparent experience from a professional ransomware incident response company to help you move past your unfortunate GlobeImposter cyber incident, we are here to help. 

GlobeImposter FAQ

Most frequent questions and answers

There are currently no publicly available GlobeImposter ransomware decryption tools to help victims unlock their files. If your files are encrypted by GlobeImposter, you may have to recover your data by:

  • Recreating the data from scratch
  • Restoring from backups
  • Paying the ransom

No, it is currently not possible to decrypt GlobeImposter encrypted files without paying the ransom. However, there are some file types that can be repaired. You may ask a Proven Data representative about those file types.

GlobeImposter ransomware tends to have a high success rate of data restoration after paying the ransom and going through the decryption process. 

The steps required to restore your data after the ransom payment are straightforward and the decryption tool works effectively. 

Paying the ransom in exchange for the decryption key does not always guarantee that a functional decryption key will be delivered. However, using the threat intelligence we have gathered from previous ransomware cases, we can determine the threat actor’s past reputation to help you make informed decisions.

In 2020 our records indicate that GlobeImposter delivered the decryption tool after the first ransom payment on 100% of cases.

If you are the victim of a GlobeImposter ransomware attack, you must secure your network afterwards to close the vulnerabilities that were used. 

Our cyber security costs guide outlines what basic protections are needed for ransomware prevention and what they cost.

Need GlobeImposter recovery or removal?

Our ransomware recovery experts are here to help you through the ransomware removal process!