Globe Imposter 2.0 Ransomware

Posted: August 8, 2017

Threat Metric

Ranking: 14,999
Threat Level: 10/10
Infected PCs: 13,045
First Seen: August 8, 2017
Last Seen: October 1, 2023
OS(es) Affected: Windows

The Globe Imposter 2.0 Ransomware is an update of the Globe Imposter Ransomware with changes to its ransom message and encryption cipher. Because the Globe Imposter 2.0 Ransomware includes additional protection against public decryptors, victims will need to recover their locked files from backups. Malware experts also encourage blocking and deleting the Globe Imposter 2.0 Ransomware preemptively with your anti-malware protection, rather than paying its ransom, which may not produce a decryption solution.

One Trojan Takes Another Step in the Race against Cyber Security

Even as the Globe Ransomware family continues growing, imitations of it are also trying to make money off victims who can't tell the difference between the original Trojan and its cheap facsimiles. Unfortunately, in the case of one copycat, the Globe Imposter 2.0 Ransomware, this superficial resemblance doesn't correspond with a weak data-encoding feature. Any files blocked by the Globe Imposter 2.0 Ransomware may be irretrievable unless the user has access to previous, unaffected copies.

Similarly to previous versions, the Globe Imposter 2.0 Ransomware targets victims whose native language is Russian or English, although malware experts have yet to confirm which infection vectors the threat uses. After launching, the Globe Imposter 2.0 Ransomware scans the PC for documents, spreadsheets, pictures, and other common media formats to encipher with its encryption algorithm. Besides blocking these files, the attack also includes an extension-adding function that appends '.pizdec' (which translates roughly to a Russian obscenity) to the ends of their names.

Malware experts also observed some small modifications to the other component of the Globe Imposter 2.0 Ransomware's payload: its ransom note. This file is now an HTML document instead of an HTA, although the threat actors still ask for the same kind of Bitcoin-based payment in exchange for unlocking your files. Since the Globe Imposter 2.0 Ransomware's ransoms currently convert to the equivalent of over thirty thousand USD, malware experts presume that the Trojan's campaign is attacking the private servers of unprotected businesses and similar entities with the capacity to pay significant sums.

Beating an Imposter to the Punch (and Your Files)

Updates to file-locking Trojans that seem to change very little about them often hold 'surprises' for their victims and their data. Malware researchers have verified that the Globe Imposter 2.0 Ransomware includes additional anti-decryption features that make decoding any media the Trojan blocks more difficult than before. Therefore, protecting your files requires preventative security steps, such as backing up the contents of your drive to another PC or to peripheral devices that the Trojan can't access.

Expected infection methods for the Globe Imposter 2.0 Ransomware's campaign include spam e-mails that use targeted, forged content of interest to the reader (such as a fake invoice or delivery alert), corrupted Web content that can trigger drive-by downloads, and brute-force compromises of a server's login credentials. Careful password management, disabling scripts, and scanning downloads with anti-malware programs can reduce your exposure to such attack vectors or remove the Globe Imposter 2.0 Ransomware preemptively.

The Globe Imposter 2.0 Ransomware isn't a real version of the Globe Ransomware, but to someone struggling to recover their encrypted files, the difference may be a trivial one. Like the old Trojan that its ransom note mimics, the Globe Imposter 2.0 Ransomware uses relatively straightforward enciphering technology to hold digital content hostage for as long as its threat actor desires.

Update November 30th, 2018 — The 'bizarrio@pay4me.in' Ransomware

The 'bizarrio@pay4me.in' Ransomware is a member of the Globe Imposter 2.0 Ransomware family and, unfortunately, this means that a free decryptor is not available. If you believe that you are one of the 'bizarrio@pay4me.in' Ransomware's victims, then we advise you to stay calm and not make any rash decisions, since this might not end well for your wallet or your files.

The 'bizarrio@pay4me.in' Ransomware works by encrypting the files on the victim's computer and then offers to provide them with a decryptor, which can be obtained in exchange for a ransom payment. Although this solution might sound attractive despite the high price, you should think twice about whether it is worth trusting the anonymous crooks behind this project. Many ransomware victims have been tricked out of their money in the past, and the authors of the 'bizarrio@pay4me.in' Ransomware offer no reliable proof that they will not do the same if you pay them.

All files locked by the 'bizarrio@pay4me.in' Ransomware will have the '.crypted_bizarrio@pay4me_in' extension added to their names. In addition, victims will also find a short ransom note, which tells them to contact either bizarrio@venom.io or bizarrio@pay4me.in for further instructions and information. We assure you that messaging the operators of the 'bizarrio@pay4me.in' Ransomware is a bad idea because they are unlikely to help you out for free.

The correct way to deal with the consequences of a ransomware attack is to remove the threatening program immediately, using a trustworthy anti-virus tool. Once that is done, you should try to restore the original versions of your encrypted files by using a popular data recovery utility.

Technical Details

File System Modifications

The following files were created in the system:

File name: 575A.tmp.exe
Path: %SYSTEMDRIVE%\Users\<username>\AppData\Local\575A.tmp.exe
Size: 431.61 KB (431616 bytes)
MD5: 86a8e2327f003d25a2abef413473218b
Detection count: 1,391
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 26, 2022

File name: btc2017-india_2017-08-17_11-05.exe
Path: %WINDIR%\System32\btc2017-india_2017-08-17_11-05.exe
Size: 245.24 KB (245248 bytes)
MD5: b4ed40a147d3e280e85b4f40d64a93b4
Detection count: 227
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 25, 2017

File name: AU3_EXE.exe
Path: %SYSTEMDRIVE%\Users\<username>\AppData\Local\AU3_EXE.exe
Size: 175.61 KB (175616 bytes)
MD5: d78a1829b5c9db3ef2fe01d43cdd91b6
Detection count: 49
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: June 26, 2020

File name: 7afd55f0c98f65d41f836613d825a895
Size: 200.19 KB (200192 bytes)
MD5: 7afd55f0c98f65d41f836613d825a895
Detection count: 41
Group: Malware file
Last Updated: January 7, 2019

File name: file.exe
Size: 273.92 KB (273920 bytes)
MD5: bfc214a781108b92d143b896b56b202b
Detection count: 34
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 8, 2017

File name: IGAMI.exe
Size: 424.88 KB (424888 bytes)
MD5: b02dbce0663e5a22bdbe5241110a7a80
Detection count: 31
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: file.exe
Size: 257.02 KB (257024 bytes)
MD5: 1905c6ac4e63e975690669fa183943bf
Detection count: 30
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 17, 2022

File name: dcom-ransomware.exe
Path: C:\Users\<username>\Desktop\PC malware samples\dcom-ransomware.exe
Size: 610.3 KB (610304 bytes)
MD5: afe5f38b22233a2f63b5527da807cf10
Detection count: 12
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: September 10, 2021

File name: 0c9194550fe425b6e2d9d87371aff4a3114b849ccca60b220fdd37e5d2b5be8d.exe
Path: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0c9194550fe425b6e2d9d87371aff4a3114b849ccca60b220fdd37e5d2b5be8d.exe
Size: 413.69 KB (413696 bytes)
MD5: 70f5ed63c92fea27f8f8e5c2413bf323
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: February 9, 2018

Registry Modifications

The following Registry values are newly created (both under the RunOnce key; the hive is not recorded on this page):

Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck
Software\Microsoft\Windows\CurrentVersion\RunOnce\CertificatesCheck
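As an added example that is not code from the original page, the following Python triage script turns the indicators listed on this page (the '.pizdec' and '.crypted_bizarrio@pay4me_in' extensions, the two RunOnce value names, and the dropped-file MD5s under Technical Details) into checks a responder can run over a host's file inventory and registry export; the inventory and registry entries at the bottom are constructed sample data, and the HKCU hive prefix in them is an assumption.

```python
# Host triage for the indicators this page lists (added example, not the page's code).
# Indicator values come from the page: appended extensions, RunOnce value names,
# and the MD5s under Technical Details. Sample data at the bottom is constructed.
import re

ENCRYPTED_EXTENSIONS = (".pizdec", ".crypted_bizarrio@pay4me_in")
RUNONCE_NAMES = {"browserupdatecheck", "certificatescheck"}
KNOWN_MD5S = {
    "86a8e2327f003d25a2abef413473218b", "b4ed40a147d3e280e85b4f40d64a93b4",
    "d78a1829b5c9db3ef2fe01d43cdd91b6", "7afd55f0c98f65d41f836613d825a895",
    "bfc214a781108b92d143b896b56b202b", "b02dbce0663e5a22bdbe5241110a7a80",
    "1905c6ac4e63e975690669fa183943bf", "afe5f38b22233a2f63b5527da807cf10",
    "70f5ed63c92fea27f8f8e5c2413bf323",
}
# Matches "...\Software\Microsoft\Windows\CurrentVersion\RunOnce\<value name>",
# whatever hive prefix the registry listing used.
RUNONCE_RE = re.compile(
    r"software\\microsoft\\windows\\currentversion\\runonce\\([^\\]+)$", re.I)

def encrypted_files(paths):
    """Paths whose names carry one of the ransomware's appended extensions."""
    return [p for p in paths if p.lower().endswith(ENCRYPTED_EXTENSIONS)]

def known_samples(inventory):
    """(path, md5) pairs whose hash matches a dropped file listed on the page."""
    return [(p, h) for p, h in inventory if h.lower() in KNOWN_MD5S]

def persistence_hits(registry_values):
    """RunOnce values whose value name matches the persistence names observed."""
    hits = []
    for value in registry_values:
        m = RUNONCE_RE.search(value)
        if m and m.group(1).lower() in RUNONCE_NAMES:
            hits.append(value)
    return hits

def triage(paths, inventory, registry_values):
    """Combine the three checks into one verdict for an incident responder."""
    report = {"encrypted": encrypted_files(paths),
              "samples": known_samples(inventory),
              "persistence": persistence_hits(registry_values)}
    report["infected"] = any(report[k] for k in ("encrypted", "samples", "persistence"))
    return report

# Constructed sample data (not from a real host; HKCU hive is an assumption).
SAMPLE_PATHS = [r"C:\Users\alice\Documents\q3-report.xlsx.pizdec",
                r"C:\Users\alice\Pictures\holiday.jpg.crypted_bizarrio@pay4me_in",
                r"C:\Users\alice\Documents\notes.txt"]
SAMPLE_INVENTORY = [(r"C:\Users\alice\AppData\Local\575A.tmp.exe", "86a8e2327f003d25a2abef413473218b"),
                    (r"C:\Windows\notepad.exe", "0123456789abcdef0123456789abcdef")]
SAMPLE_REGISTRY = [r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck",
                   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"]
```

Running `triage(SAMPLE_PATHS, SAMPLE_INVENTORY, SAMPLE_REGISTRY)` flags the two renamed files, the dropped executable and the BrowserUpdateCheck RunOnce value while leaving the ordinary entries alone.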