2017-05-03 - "BLANK SLATE" MALSPAM STARTS PUSHING GLOBEIMPOSTER RANSOMWARE VARIANT
2017-05-03 update: This is actually GlobeImposter ransomware instead of Globe ransomware as I originally thought. Updated the writeup.
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-05-03-GlobeImposter-ransomware-variant-from-newfornz.top.pcap.zip 153 kB (153,167 bytes)
- Zip archive of the spreadsheet tracker: 2017-05-03-Blank-Slate-malspam-tracker.csv.zip 1.1 kB (1,104 bytes)
- Zip archive of the emails and malware: 2017-05-03-Blank-Slate-emails-and-malware.zip 264 kB (264,491 bytes)
BACKGROUND:
- For background on this campaign, see the Palo Alto Networks Unit 42 Blog: "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
- I wrote a follow-up for the Internet Storm Center (ISC) titled: "Blank Slate" malspam still pushing Cerber ransomware.
TODAY'S NOTES:
- Still seeing zip attachments containing .js files from the Blank Slate malspam campaign.
- Yesterday, Blank Slate was pushing Mordor ransomware, but today it's pushing a different type of ransomware.
- Based on the visual style of the decryption instructions, I thought this was a variant of Globe ransomware.
- After checking with @BleepinComputer, I found this is probably a GlobeImposter variant (different from the Globe ransomware family).
- No post-infection traffic was noted for this infection.
Shown above: Screenshot of spreadsheet tracker (1 of 2).
Shown above: Screenshot of spreadsheet tracker (2 of 2).
Shown above: Desktop of an infected Windows host.
Shown above: Screenshot of the decryption instructions.
TRAFFIC:
URLS GENERATED BY THE EXTRACTED FILES:
- no IP address (domain didn't resolve) - 37kddsserrt.pw - GET /search.php
- 47.91.76.69 port 80 - newfornz.top - GET /admin.php?f=404
EMAIL FROM THE DECRYPTION INSTRUCTIONS:
- chines34@protonmail.ch
SHA256 HASHES:
RANSOMWARE SAMPLE:
- SHA256 hash: 435dd2562e6423a2c9a0d4ca12fae43624cf13f71682fd1028b357e5540158db
- File description: GlobeImposter ransomware variant from newfornz.top on 2017-05-03
FINAL NOTES:
Once again, here are the associated files:
- Zip archive of the pcap: 2017-05-03-GlobeImposter-ransomware-variant-from-newfornz.top.pcap.zip 153 kB (153,167 bytes)
- Zip archive of the spreadsheet tracker: 2017-05-03-Blank-Slate-malspam-tracker.csv.zip 1.1 kB (1,104 bytes)
- Zip archive of the emails and malware: 2017-05-03-Blank-Slate-emails-and-malware.zip 264 kB (264,491 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.