2017-05-03 - "BLANK SLATE" MALSPAM STARTS PUSHING GLOBEIMPOSTER RANSOMWARE VARIANT

2017-05-03 update: This is actually GlobeImposter ransomware instead of Globe ransomware as I originally thought.  Updated the writeup.

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-05-03-GlobeImposter-ransomware-variant-from-newfornz.top.pcap.zip   153 kB (153,167 bytes)
• Zip archive of the spreadsheet tracker:  2017-05-03-Blank-Slate-malspam-tracker.csv.zip   1.1 kB (1,104 bytes)
• Zip archive of the emails and malware:  2017-05-03-Blank-Slate-emails-and-malware.zip   264 kB (264,491 bytes)

BACKGROUND:

• For background on this campaign, see the Palo Alto Networks Unit 42 Blog:  "Blank Slate" Campaign Takes Advantage of Hosting Providers to Spread Ransomware.
• I wrote a follow-up for the Internet Storm Center (ISC) titled:  "Blank Slate" malspam still pushing Cerber ransomware.

TODAY'S NOTES:

• Still seeing zip attachments containing .js files from the Blank Slate malspam campaign.
• Yesterday, Blank Slate was pushing Mordor ransomware, but today it's pushing a different type ransomware.
• Based on the visual style of the decryption instructions, I thought this was a variant of Globe ransomware (link).
• After checking with @BleepinComputer, I found this is probably a GlobeImposter variant (different from the Globe ransomware family).
• No post-infection traffic was noted for this infection.

 

Shown above:  Screenshot of spreadsheet tracker (1 of 2).

 

Shown above:  Screenshot of spreadsheet tracker (1 of 2).

 

Shown above:  Desktop of an infected Windows host.

 

Shown above:  Screenshot of the decryption instructions

 

TRAFFIC

URLS GENERATED BY THE EXTRACTED FILES:

• no IP address (domain didn't resolve) - 37kddsserrt.pw - GET /search.php
• 47.91.76.69 port 80 - newfornz.top - GET /admin.php?f=404

EMAIL FROM THE DECRYPTION INSTRUCTIONS:

• chines34@protonmail.ch

 

SHA256 HASHES

RANSOMWARE SAMPLE:

• SHA256 hash:  435dd2562e6423a2c9a0d4ca12fae43624cf13f71682fd1028b357e5540158db
  File description:  GlobeImposter ransomware variant from newfornz.top on 2017-05-03

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-05-03-GlobeImposter-ransomware-variant-from-newfornz.top.pcap.zip   153 kB (153,167 bytes)
• Zip archive of the spreadsheet tracker:  2017-05-03-Blank-Slate-malspam-tracker.csv.zip   1.1 kB (1,104 bytes)
• Zip archive of the emails and malware:  2017-05-03-Blank-Slate-emails-and-malware.zip   264 kB (264,491 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.