{
	"id": "97bade39-d1ad-4e52-8f81-5e3f022b09e4",
	"created_at": "2026-04-06T00:13:59.978077Z",
	"updated_at": "2026-04-10T03:21:54.332298Z",
	"deleted_at": null,
	"sha1_hash": "2416bab0d772818cd385f6f79d78c629a5d9dc9e",
	"title": "GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1747852,
	"plain_text": "GlobeImposter Ransomware Being Distributed with\r\nMedusaLocker via RDP - ASEC\r\nBy ATCP\r\nPublished: 2023-02-27 · Archived: 2026-04-05 13:50:04 UTC\r\nASEC (AhnLab Security Emergency response Center) has recently discovered the active distribution of the\r\nGlobeImposter ransomware. This attack is being carried out by the threat actors behind MedusaLocker. While the\r\nspecific route could not be ascertained, it is assumed that the ransomware is being distributed through RDP due to\r\nthe various pieces of evidence gathered from the infection logs.\r\nThe threat actor installed various tools alongside GlobeImposter, such as Port Scanner and Mimikatz. Once\r\ninstalled, if these tools are able to confirm that they are within a company’s internal network, it is assumed that\r\nthey will then target that network.\r\n1. Ransomware Installed Using RDP\r\nThreat actors who use RDP (Remote Desktop Protocol) as an attack vector generally scan for systems where RDP\r\nis active and allows external access. Systems found during this scanning process are subject to brute force or\r\ndictionary attacks. If a user has inappropriate account credentials, then threat actors can easily take those very\r\ncredentials.\r\nThreat actors can use the obtained account credentials to log in to the system through RDP, allowing them to gain\r\ncontrol over the system in question and perform a variety of malicious actions. The threat actors who install\r\nGlobeImposter are also assumed to be using RDP as their attack vector. More details about each case will be\r\ncovered further in this post, but the grounds for this assumption are as follows.\r\nA. Malware created through the explorer process (explorer.exe)\r\nB. RDP-related settings and logs deleted\r\nC. Connection with the MedusaLocker ransomware threat actor who uses RDP as their attack vector\r\nThe threat actor usually creates a folder named “skynet work” in the “Music” folder before installing malware in\r\nthis directory. 
This ransomware attack has been steadily ongoing since last year, and the fact that the same path is\r\nstill being used to this day is a characteristic of this threat actor. The following is the log from an attack case by the same threat actor\r\nin the past. Through this, we can see that the explorer process, explorer.exe, is creating the malware. As this\r\nbehavior is often seen when malware is installed on systems through RDP, it serves as reasonable grounds to\r\nbelieve that RDP was used as an attack vector.\r\nhttps://asec.ahnlab.com/en/48940/\r\nPage 1 of 7\n\nThere are also other connections that tie this with the MedusaLocker threat actor. Recently, the United States\r\nDepartment of Health and Human Services released a report about how the MedusaLocker ransomware threat\r\nactors have been using RDP to infect systems with ransomware. [1] The MedusaLocker threat group has been\r\nusing RDP as their attack vector, and relevant information was also released by the United States’ Cybersecurity\r\nand Infrastructure Security Agency (CISA). [2]\r\nIt is worth noting that the email and onion addresses found in the ransom note from the recently\r\nactive GlobeImposter ransomware are included in the list of addresses used by the MedusaLocker group which\r\nwas released by CISA.\r\nAdditionally, the team also discovered during their investigation of multiple logs that some ransomware attack\r\ncases used both GlobeImposter and MedusaLocker. Therefore, it can be inferred that the MedusaLocker group is\r\nusing RDP as their main attack vector and is targeting inappropriately managed systems. Adding to this, they\r\nhave also been using GlobeImposter instead of MedusaLocker in recent attacks.\r\n2. Malware Used in the Attack Process\r\nAs seen in Figure 1, the threat actor installs various pieces of malware in the infected system. Most of the installed\r\nmalware are scanners and account credential stealing tools. 
It can be assumed through this that the network of the\r\ninfected system can also be targeted.\r\nadvanced_port_scanner.exe, advanced_port_scanner_2.5.3869.exe: Port scanners\r\nFiles inside the “kamikadze new” folder: Mimikatz\r\nnetpass (1).exe: Network password recovery tool made by NirSoft\r\nnetworkshare_pre2.exe: Shared folder scanner\r\nAfter the threat actor takes over the system via RDP, the above tools are used to scan the network to check if the\r\ninfected system is a part of a specific network. If the system is part of a specific network, then the ransomware can\r\nperform internal reconnaissance and lateral movement in order to also encrypt the other systems on the network.\r\nThe following is a log from AhnLab’s ASD (AhnLab Smart Defense) infrastructure of the Mimikatz command\r\nused by a threat actor during their attack. The sekurlsa::logonpasswords command outputs every verifiable account\r\ncredential currently stored in system memory. The account credentials obtained in this domain environment\r\ncan be used for lateral movement.\r\nThere are some cases where the threat actor would also install an XMRig CoinMiner alongside the ransomware.\r\nThis can be seen in Figure 1 as Miners.exe. Thus, not only do the MedusaLocker threat actors encrypt infected\r\nsystems using their ransomware, but they also mine for coins by installing XMRig.\r\nMining Pool : pool.supportxmr[.]com:3333\r\nUser :\r\n49c2xjofxbxkydovzvfart2ekruhe6wiep55xcjaogaq1dugduyzgxphd1zx6j21nvv5emtupnfr39sulbp1ggczqwfzjmc\r\nPassword : x\r\n3. GlobeImposter\r\nThe ols.exe file within the “skynet work” folder is the GlobeImposter ransomware. GlobeImposter is a type of\r\nransomware that uses the AES symmetric key algorithm for file encryption and a public/private RSA key\r\nalgorithm for key encryption. 
[3]\r\nOverview Description\r\nEncryption method AES / RSA-1024\r\nExtension .onelock\r\nPaths excluded from encryption Refer to the information further below\r\nExtensions excluded from encryption Refer to the information further below\r\nRansom note how_to_back_files.html\r\nOthers\r\nRegisters RunOnce key\r\nRemoves volume shadow service\r\nDeletes event logs\r\nDeletes RDP logs\r\nTable 1. GlobeImposter ransomware overview\r\nUpon execution, GlobeImposter creates a new public and private RSA-1024 key before using the public RSA key\r\nto encrypt the AES key that was used to encrypt files. The generated private RSA key is encrypted with the threat\r\nactor’s public RSA key. This key is stored encrypted in the binary. As shown in the figure below, the public RSA key can\r\nbe decrypted with the hard-coded AES key.\r\nTo maintain persistence, GlobeImposter first copies itself into the %LOCALAPPDATA% path before registering\r\nitself to the RunOnce key, allowing it to operate even after system reboots. A file that uses the SHA256 hash value\r\nof the threat actor’s private key as its name is created in the %PUBLIC% path. The key information is then\r\nencrypted and saved here.\r\nAfterward, files within the system are encrypted. Configuration data such as the list of paths and file extensions\r\nexcluded from encryption are encrypted with the AES key. Additionally, the AES key used to decrypt the\r\nconfiguration data is the SHA256 hash value of the threat actor’s private key mentioned above. 
The following is a\r\nlist of the paths and file extensions excluded from encryption that was obtained during the decryption process.\r\nPaths excluded from encryption\r\nWindows, Microsoft, Microsoft Help, Windows App Certification Kit, Windows Defender,\r\nESET, COMODO, Windows NT, Windows Kits, Windows Mail, Windows Media Player,\r\nWindows Multimedia Platform, Windows Phone Kits, Windows Phone Silverlight Kits,\r\nWindows Photo Viewer, Windows Portable Devices, Windows Sidebar,\r\nWindowsPowerShell, NVIDIA Corporation, Microsoft.NET, Internet Explorer, Kaspersky\r\nLab, McAfee, Avira spytech software, sysconfig, Avast, Dr.Web, Symantec,\r\nSymantec_Client_Security, system volume information, AVG, Microsoft Shared, Common\r\nFiles, Outlook Express, Movie Maker, Chrome, Mozilla, Firefox, Opera, YandexBrowser,\r\nntldr, Wsus, ProgramData\r\nExtensions excluded from encryption\r\n.onelock, .dll, .sys, .exe, .rdp, .ini, .revenlock8, .revenlock9, .revenlock10, .locklock, .allock,\r\n.allock2, .allock3, .allock4, .allock5, .allock6, .allock7, .allock8, .allock9, .allock10,\r\n.netlock1, .allock1, .allock02, .allock03, .allock05, .allock06, .allock07, .allock08, .alloc\r\nWhen the file encryption is complete, the following batch file is created and executed. The batch file is responsible\r\nfor deleting volume shadow copies and logs. Event logs and RDP-related logs are the logs that get deleted. As\r\nnoted above, the ransomware attack is performed through RDP. It can be assumed that the threat actor added these kinds of\r\nfeatures to the ransomware in order to erase their access history.\r\nThe ransom note is created in the folder where the infection occurs under the file name “how_to_back_files.html”.\r\nThe ransom note also differs from previously known GlobeImposter ransom notes but matches the MedusaLocker\r\nransom note that was previously disclosed in the report published by Carbon Black. 
[4]\r\n4. Conclusion\r\nThreat actors have consistently been using RDP during their initial infiltration and lateral movement processes.\r\nThese attacks usually occur through brute force and dictionary attacks against systems with inappropriate account\r\ncredentials. In particular, a large number of ransomware threat actors aside from the MedusaLocker group also use\r\nRDP as their main initial attack vector.\r\nUsers can deactivate RDP when not in use to decrease the number of attack attempts. If RDP is being used, it is\r\nadvised to use a complex account password and to change it periodically to prevent brute force and dictionary\r\nattacks. Also, V3 should be updated to the latest version so that malware infection can be prevented.\r\nFile Detection\r\n– Ransomware/Win.MedusaLocker.R335910 (2022.11.23.00)\r\n– Trojan/Win32.FileCoder.R228072 (2018.05.16.01)\r\n– Trojan/Win32.RL_CoinMiner.C4078402 (2020.04.25.01)\r\n– Trojan/Win32.RL_CoinMiner.C4078402 (2020.04.25.01)\r\n– Trojan/Win32.RL_Mimikatz.R366782 (2021.02.18.01)\r\n– Trojan/Win.Mimikatz.R433236 (2021.07.23.01)\r\n– Trojan/Win.Mimikatz.R434976 (2021.07.31.01)\r\n– HackTool/Win.Scanner.C5310311 (2022.11.21.03)\r\n– HackTool/Win.Scanner.C5310305 (2022.11.21.03)\r\n– Trojan/Win.Mimikatz.R433236 (2021.07.23.01)\r\n– Trojan/RL.Mimikatz.R248084 (2018.12.10.01)\r\n– Unwanted/Win32.Agent.R266440 (2019.04.23.00)\r\n– HackTool/Win.PSWTool.R345815 (2022.09.02.00)\r\nBehavior Detection\r\n– Persistence/MDP.AutoRun.M224\r\n– Ransom/MDP.Event.M4428\r\nMD5\r\n21ea77788aa2649614c9ec739f1dd1b8\r\n4edd26323a12e06568ed69e49a8595a5\r\n4fdabe571b66ceec3448939bfb3ffcd1\r\n597de376b1f80c06d501415dd973dcec\r\n5e1a53a0178c9be598edff8c5170b91c\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//46[.]148[.]235[.]114/cmd[.]php\r\nSource: https://asec.ahnlab.com/en/48940/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/48940/"
	],
	"report_names": [
		"48940"
	],
	"threat_actors": [],
	"ts_created_at": 1775434439,
	"ts_updated_at": 1775791314,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2416bab0d772818cd385f6f79d78c629a5d9dc9e.pdf",
		"text": "https://archive.orkl.eu/2416bab0d772818cd385f6f79d78c629a5d9dc9e.txt",
		"img": "https://archive.orkl.eu/2416bab0d772818cd385f6f79d78c629a5d9dc9e.jpg"
	}
}