GlobeImposter Ransomware: Blocked by enSilo

GlobeImposter Ransomware


During December 2017, a new variant of the GlobeImposter Ransomware was detected for the first time and reported on malware-traffic-analysis. At first sight, this ransomware looks very similar to other ransomware samples and uses common technique known as process hollowing. However, deeper inspection showed that, like LockPoS, which was analyzed by CyberBit, GlobeImposter also bypasses user-mode hooks, a technique used by many security products for malware and exploit detection, by calling directly into the kernel. Due to this evasion technique is being leveraged by new malware samples, it may signal a trend of more attacks evading user-mode security products. The enSilo Platform is not affected by such evasion techniques. 


The Ransomware spreads to victims across the world via Necurs which is the largest email spam Botnet spreading across the Internet. The malware spreads through malicious emails with an attached ZIP file that contains a JavaScript Downloader as shown in figure 1:

Figure 1-3.png


Figure 1: Malicious JavaScript Attachment

During the execution of the JavaScript file on the victim’s system, it attempts to communicate with the following domains:




Figure 2 shows this connection attempt to these three domains:

Figure 2-1.png

Figure 2: Network Connection

The TCP stream of the connection made to the domain www.zhaksylyk.kz suggests that the malicious JavaScript retrieves the GlobeImposter Ransomware binary file as shown in figure 3:

Figure 3-2.png Figure 3: Binary File Download

The domains appear to be offline at the time of writing this post.


The GlobeImposter Ransomware binary file contains the following static characteristics:

SHA256 Hash:  3a9d5976fbf41daf80f0eb9e6b7aadcece52a82fe9609984ef7f8ea166048547
File size:    239,104 bytes
Compile Time: 2016-12-11 21:50:59



GlobeImposter ransomware leverages a very interesting packer in attempt to avoid detection. Like many malware samples, GlobeImposter leverages the process hollowing technique to avoid detection. However, Similar to LockPoS Malware the was published by CyberBit, GlobeImposter uses direct system calls in order to bypass user-mode hooks, a technique that many security vendors employ to prevent process hollowing, thread injections and similar techniques. Full analysis of the sample can be found on BreakingMalware.

After unpacking GlobeImposter, it appears to be almost identical to an older variant found in early November 2017. Here is a comparison of the encryption routines, one from the old GlobeImposter and one from the new variant:

Figure 3a.png

Figure 4: Comparison between the GlobeImposter variants. The old version on the left, and the new unpacked one on the right.


As show in figure 4, the files that are encrypted are then renamed in the following format: filename.doc

Figure 4-1.png

Figure 5: Encrypted Files

When the Ransomware finishes encrypting all files, a message is presented to the victim within a browser as shown in figure 5

Figure 5-1.png

Figure 6: Ransom Notification Message

The Ransomware also offers to decrypt one file for free to prove the decryption works. The note states the following "Before paying you can send us 1 file for free decryption."



 The GlobeImposter Ransomware sample was executed in a controlled environment protected by enSilo platform.

 We can see GlobeImposter attempt to encrypt files in figure 6. As can be seen, invokes itself as part of the unpacking stage, this is where the process hollowing technique is being used to thwart security solutions. Once the unpacking of the actual payloads executes it starts encrypting files. EnSilo platform blocks the encryption process before any damage to the system is done.

Figure 6-1.png

Figure 7: GlobeImposter attempts to encrypt

Note: These types of attacks can get blocked by enSilo platform on multiple stages from an initial execution, download of a payload and a payload execution. However, if we allow execution to occur, we can see that the last encryption process is blocked.


 This blog post demystified the functionality of the GlobeImposter Ransomware from its initial phase in which the victim received a malicious email with the JavaScript file all the way until all the important files are encrypted and the victim receives a ransom note. That said, the most important part in this post reveals how enSilo's post infection protection can easily prevent attacks leveraging new evasion techniques with any updates or signatures in real-time.

File IOCs





Network IOCs

SANS review of ensilo



tag cloud