2017-09-04 - GLOBEIMPOSTER RANSOMWARE (..TXT FILE EXTENSIONS)

NOTICE:

ASSOCIATED FILES:

 

NOTES:

 

EMAILS


Shown above:  Screenshot from one of today's emails in the first wave.

 


Shown above:  Screenshot from one of today's emails in the second wave.

 

FIRST WAVE:

SECOND WAVE:

 


Shown above:  An attachment from one of today's emails in the first wave.

 

TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.

 

LINKS FROM THE EMAILS TO DOWNLOAD 7-ZIP ARCHIVE:

URLS TO DOWNLOAD GLOBEIMPOSTER RANSOMWARE:

DOMAINS/URLS ASSOCIATED WITH THE POST-INFECTION TRAFFIC:

 

SHA256 HASHES

tATTACHMENTS OR FILES DOWNLOADED FROM EMAIL LINKS (7-ZIP ARCHIVES):

 

EXTRACTED VBS FILES:

 

GLOBEIMPOSTER EXE SAMPLE DOWNLOADED BY VBS FILES:

 

IMAGES


Shown above:  All encrypted files ended with ..txt.

 


Shown above:  Tor URL from the decryption instructions.

 


Shown above:  Freshdesk support ticket the criminals are using, so you can send them a sample to decrypt.

 

Click here to return to the main page.