{
	"id": "1d1c6c92-c642-4ed6-a8d8-2f8b170d3ddd",
	"created_at": "2026-04-06T00:06:13.739758Z",
	"updated_at": "2026-04-10T13:13:05.329957Z",
	"deleted_at": null,
	"sha1_hash": "676e40d4d78f06e3a8340dee198475aef6184d25",
	"title": "GlobeImposter ransomware: A holiday gift from the Necurs botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69065,
	"plain_text": "GlobeImposter ransomware: A holiday gift from the Necurs botnet\r\nBy MSPThreatsSecurityTeam\r\nPublished: 2018-01-15 · Archived: 2026-04-05 21:10:58 UTC\r\nGlobeImposter ransomware\r\nOn December 26, 2017, the Necurs botnet delivered a late Christmas gift – a new version of the GlobeImposter ransomware [source]. The spam messages carry a zip archive containing a JavaScript downloader that fetches and installs the ransomware on the victim’s computer.\r\nStatic Analysis\r\nThe ransomware loader is supplied with the following icon:\r\nGlobeImposter Ransomware Icon\r\nThe compilation timestamp claims the sample was built in 2016. However, it was first seen in the wild on December 4, 2017 according to VirusTotal (MD5: 2ca016fa98dd5227625befe9edfaba98).\r\nInstallation\r\nTo start itself after reboot, the loader registers a RunOnce entry:\r\n[HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce]\r\n\"BrowserUpdateCheck\" = \"C:\\Users\\\u003cUSER\u003e\\AppData\\Roaming\\\u003cRANSOMWARE_NAME\u003e.exe\"\r\nGlobeImposter then creates the file ‘AE09C984DF6E74640B3271EADB5DD7C65FDE806235B2CDA478E0EFA9129C09E7’ in %All Users%; the file name is the hex form of the 256-bit RC4 key used to decrypt GlobeImposter’s config:\r\nDecryption of the payload\r\nGlobeImposter reads its encrypted image and decrypts it in 32768 (8000h)-byte blocks into the file nsr3.tmp in the %Temp% folder.\r\nIt extracts System.dll (MD5: 3f176d1ee13b0d7d6bd92e1c7a0b9bae) into the ‘%Temp%\\nsp4.tmp\\’ folder. Despite the name, this DLL is the System plugin of the NSIS installer framework that packages the loader (the nsX.tmp temporary-file naming is NSIS’s as well), not a component of the .NET Framework.\r\nIt also drops a 67653-byte file named ‘LGU’ (MD5: eba731947245c854d71341a41de88260) containing encrypted data into the Temp folder.\r\nhttps://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet\r\nPage 1 of 5\n\nConfig decryption\r\nGlobeImposter contains a string whose SHA256 hash is the key used to decrypt the config data:\r\nCONFIG_KEY = SHA256(“B231B717113902E9F788C7BD0C7ABABAF9B173A7F6B432076B82CBCB7C8149F3C\r\nF2F55A8CBDD772BFB4E0A319AE1ED45EB4AA6C4C6BAC6E11014BDD47D3BDDA0DC\r\n19B7F217C8A1B33BCAE7681020436907BEC78F0E47AD285D72B8E5466C83114CC\r\n40D44A081A604F05E2D147DFC3AEDD9A7B69D493176EFD7D8B0D264D1A2BFB14F\r\nECC1378A8D90547A2F6CA070E90F95FCAA54FA26FA5D63DC84C6C3780D4BB41BE\r\n4B608343D72DDE52DE40A2A06D56482454F9DF058E65C3F02CBE1B77289F39EC5\r\nBDBC58653A35476A205CD7C75A40D34ECFA56DA0A6433E141F0D9AC60DFBAA21E\r\n8AEB5658168253A315F298EDBC7850D3D79BB1E15FEF367F5BD27BF8D”)\r\n= AE09C984DF6E74640B3271EADB5DD7C65FDE806235B2CDA478E0EFA9129C09E7\r\nThe payload decrypts its config as represented by the following C pseudo code:\r\nTo decrypt the config data, GlobeImposter uses the RC4 cipher with a 256-bit key.\r\nOnce decrypted, the extracted config looks as follows:\r\nThe config contains:\r\nThe folder exclusions list\r\nWindows, Microsoft, Microsoft Help, Windows App Certification Kit, Windows Defender, ESET, COMODO, Windows NT, Windows Kits, Windows Mail, Windows Media Player, Windows Multimedia Platform, Windows Phone Kits, Windows Phone Silverlight Kits, Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsPowerShell, Temp, NVIDIA Corporation, Microsoft.NET, Internet Explorer, McAfee, Avira, spytech software, sysconfig, Avast, Dr.Web, Symantec, Symantec_Client_Security, system volume information, AVG, Microsoft Shared, Common Files, Outlook Express, Movie Maker, Chrome, Mozilla Firefox, Opera, YandexBrowser, ntldr, Wsus, ProgramData.\r\nThe file extensions exclusion list\r\n.$er,.4db,.4dd,.4d,.4mp,.abs,.abx,.accdb,.accdc\r\nThe string to be added as an extension to encrypted files. 
The string already contains a dot, so an encrypted file ends up with a double dot, e.g. ‘picture.png..doc’.\r\n.doc\r\nThe file name of the ransom note\r\nRead___ME.html\r\nAnother 512 bytes of data of unknown purpose, mostly zeros\r\nThe last decrypted block is the ransom note:\r\nThe list of processes to be terminated is not in the encrypted config; it is stored in the payload body.\r\nKey file\r\nThe ransomware loads a hard-coded 256-bit key (HCK256) from its own body, which is used to generate the AES key and IV for file encryption:\r\n67 E6 09 6A 85 AE 67 BB  72 F3 6E 3C 3A F5 4F A5\r\n7F 52 0E 51 8C 68 05 9B  AB D9 83 1F 19 CD E0 5B\r\nThe key file holding the session keys is created in %All Users%; its name is the config decryption key (the SHA256 value above). The key file contains auxiliary data that can be used to decrypt the user’s files; the values are encrypted with AES-256-CBC six times, each with a different IV.\r\nFile encryption\r\nThe GlobeImposter ransomware encrypts local, removable, and network drives in parallel by running multiple threads. 
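The config key derivation and RC4 decryption described in the Config decryption section above, as an added Python example that is not part of the original post and is not the malware’s code. It derives the key the way the article states (SHA256 of the 512-character hex string, then RC4 under the 32-byte digest) and uses the uppercase hex of the digest as the key file name. Assumptions, also marked in the code: the article does not say whether the ASCII text of the hex string or its decoded 256 bytes is hashed, so the ASCII text is assumed, and the config bytes used for the round trip are constructed here, not the real encrypted config.

```python
import hashlib

# The 512 hex characters quoted in the article, line wraps removed.
SEED = (
    'B231B717113902E9F788C7BD0C7ABABAF9B173A7F6B432076B82CBCB7C8149F3C'
    'F2F55A8CBDD772BFB4E0A319AE1ED45EB4AA6C4C6BAC6E11014BDD47D3BDDA0DC'
    '19B7F217C8A1B33BCAE7681020436907BEC78F0E47AD285D72B8E5466C83114CC'
    '40D44A081A604F05E2D147DFC3AEDD9A7B69D493176EFD7D8B0D264D1A2BFB14F'
    'ECC1378A8D90547A2F6CA070E90F95FCAA54FA26FA5D63DC84C6C3780D4BB41BE'
    '4B608343D72DDE52DE40A2A06D56482454F9DF058E65C3F02CBE1B77289F39EC5'
    'BDBC58653A35476A205CD7C75A40D34ECFA56DA0A6433E141F0D9AC60DFBAA21E'
    '8AEB5658168253A315F298EDBC7850D3D79BB1E15FEF367F5BD27BF8D'
)


def rc4(key, data):
    # Plain RC4: key scheduling, then XOR the data with the PRGA keystream.
    # RC4 is symmetric, so the same call encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def config_key(seed=SEED):
    # CONFIG_KEY = SHA256(seed). Assumption: the ASCII text of the hex string
    # is hashed rather than its decoded 256 bytes; the article does not say.
    return hashlib.sha256(seed.encode('ascii')).digest()


def key_file_name(key):
    # The key file dropped in %All Users% is named with the uppercase hex of
    # the 32-byte RC4 key, which makes its presence a host-level indicator.
    return key.hex().upper()


def decrypt_config(blob, seed=SEED):
    # The config is RC4-decrypted under the 256-bit CONFIG_KEY.
    return rc4(config_key(seed), blob)


def demo():
    # Constructed stand-in for the encrypted config; not the real blob.
    plaintext = b'Windows;Microsoft;Temp|.$er,.4db|..doc|Read___ME.html'
    blob = rc4(config_key(), plaintext)
    return decrypt_config(blob) == plaintext, key_file_name(config_key())


if __name__ == '__main__':
    ok, name = demo()
    print('round trip ok:', ok)
    print('derived key file name:', name)
```

Running the script prints the key file name the derivation yields. If the ASCII assumption is right it matches the AE09C984DF6E74640B3271EADB5DD7C65FDE806235B2CDA478E0EFA9129C09E7 value the article shows; a mismatch means the hashed input differs from the assumption, and hashing bytes.fromhex(SEED) instead is the obvious second try.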
Once the key file is created in %All Users%, it starts a new thread for every available drive type to encrypt files on.\r\nBefore encrypting a file, it skips the file if any of the following holds:\r\nthe last five characters of the file name are ‘..doc’ (the file is already encrypted)\r\nthe file name is ‘Read___ME.html’ (the ransom note)\r\nthe file name equals the key file name ‘AE09C984DF6E74640B3271EADB5DD7C65FDE806235B2CDA478E0EFA9129C09E7’\r\nthe file name equals the ransomware’s own file name\r\nTo encrypt the user’s files, the ransomware uses AES-256-CBC with no padding.\r\nFor each file, GlobeImposter derives the 16-byte IV and the 32-byte AES key from the hard-coded 32-byte key (HCK256) mentioned above.\r\nCalculating the 16-byte AES IV for a file:\r\nThe IV is the first 16 bytes of a hash computed from HCK256 with a modified SHA-256 algorithm.\r\nThe last byte of the IV is then replaced with the four least significant bits of the size of the file to be encrypted:\r\nIV[15] = FileSize \u0026 8000000Fh\r\nThe 32-byte AES key is generated by hashing HCK256 with two different SHA256-like functions run in a loop 8192 times:\r\nThe cryptolocker reads a block of data from the original file and overwrites it in place with the encrypted block. 
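The pre-encryption skip checks, the IV rule, and the footer layout from the File encryption section, as an added Python example (not the original post’s code and not the malware’s). Assumptions, also marked in the code: the article’s modified SHA-256 is not specified, so standard hashlib SHA-256 stands in for it in the IV derivation; the ransomware’s own file name is a parameter; the folder exclusion check uses only a subset of the config’s folder list; the footer parser applies the layout the article gives next (32-byte encrypted key, 16-byte IV, 768 bytes of auxiliary data); and the sample file bytes are constructed, not real ciphertext.

```python
import hashlib

EXTENSION = '..doc'
RANSOM_NOTE = 'Read___ME.html'
KEY_FILE = 'AE09C984DF6E74640B3271EADB5DD7C65FDE806235B2CDA478E0EFA9129C09E7'
# Subset of the folder exclusions from the decrypted config.
EXCLUDED_FOLDERS = {
    'Windows', 'Microsoft', 'Temp', 'ProgramData', 'Common Files',
    'Microsoft.NET', 'system volume information', 'Chrome', 'Mozilla Firefox',
}
# Hard-coded HCK256 as printed in the article.
HCK256 = bytes.fromhex(
    '67E6096A85AE67BB72F36E3C3AF54FA57F520E518C68059BABD9831F19CDE05B'
)
FOOTER_LEN = 32 + 16 + 768
BACKSLASH = chr(92)  # keeps a literal backslash out of this source text


def split_path(path):
    # Accept Windows or POSIX separators and return the path components.
    return [p for p in path.replace(BACKSLASH, '/').split('/') if p]


def should_skip(path, ransomware_name):
    # The four checks the article lists, plus the config folder exclusions.
    parts = split_path(path)
    name = parts[-1]
    if name[-5:] == EXTENSION:          # already carries the ..doc extension
        return True
    if name == RANSOM_NOTE:             # the ransom note
        return True
    if name == KEY_FILE:                # the key file in %All Users%
        return True
    if name == ransomware_name:         # the ransomware binary itself
        return True
    folders = {p.lower() for p in parts[:-1]}
    return any(f.lower() in folders for f in EXCLUDED_FOLDERS)


def derive_iv(file_size, hck=HCK256):
    # IV = first 16 bytes of hash(HCK256); then IV[15] = FileSize & 8000000Fh.
    # Assumption: standard SHA-256 stands in for the unspecified modified hash.
    iv = bytearray(hashlib.sha256(hck).digest()[:16])
    iv[15] = (file_size & 0x8000000F) & 0xFF   # low 4 bits for sizes < 2 GiB
    return bytes(iv)


def split_footer(encrypted_file):
    # Footer layout: 32-byte encrypted AES key | 16-byte IV | 768-byte aux data.
    if len(encrypted_file) < FOOTER_LEN:
        raise ValueError('file too short to carry a GlobeImposter footer')
    body, footer = encrypted_file[:-FOOTER_LEN], encrypted_file[-FOOTER_LEN:]
    return {
        'body': body,
        'enc_key': footer[:32],
        'iv': footer[32:48],
        'aux': footer[48:],
    }


def constructed_sample():
    # Constructed bytes shaped like an encrypted file; not real ciphertext.
    body = bytes(range(256)) * 4
    return body + bytes([0xAA]) * 32 + bytes([0xBB]) * 16 + bytes([0xCC]) * 768


if __name__ == '__main__':
    print(should_skip('C:/Users/bob/report.docx..doc', 'upd.exe'))
    print(derive_iv(1234).hex())
    print({k: len(v) for k, v in split_footer(constructed_sample()).items()})
```

The footer split is the part worth keeping for triage: an encrypted file is body plus exactly 816 trailing bytes, and the 16-byte IV field at offset 32 of the footer should agree with the IV rule (its last byte equals the original size masked to four bits) if the file was produced by this version.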
The block size is 8192 bytes for files larger than that.\r\nThe encryption footer appended to each file contains:\r\n32 bytes - the encrypted AES-256 key\r\n16 bytes - the IV\r\n768 bytes - the encrypted auxiliary data from the key file that can be used to decrypt the file\r\nTo release user files locked by running applications, the cryptolocker terminates the following processes using the ‘taskkill’ command:\r\noutlook\r\nssms\r\npostgre\r\n1c\r\nSQL\r\nexcel\r\nword\r\nRemoving backups\r\nGlobeImposter creates and executes the batch file shown below to:\r\nremove volume shadow copies\r\nwipe the Remote Desktop Connection history (the Terminal Server Client registry keys and Default.rdp)\r\nclear every Windows event log\r\n@echo off\r\nvssadmin.exe Delete Shadows /All /Quiet\r\nreg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f\r\nreg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\" /f\r\nreg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Servers\"\r\ncd %userprofile%\\documents\\\r\nattrib Default.rdp -s -h\r\ndel Default.rdp\r\nfor /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"\r\n(Inside a batch file the FOR loop variable has to be written %%1; the single %1 form quoted here is the interactive command-line syntax.)\r\nRansom note\r\nGlobeImposter creates the ransom note file ‘Read___ME.html’.\r\nCommunication with C\u0026C\r\nIPs:\r\n137.254.120.31\r\n74.220.219.67 (active)\r\nDecryption service\r\nhttp://n224ezvhg4sgyamb.onion/sup.php\r\nhttp://n224ezvhg4sgyamb.onion/open.php\r\nThe version of the GlobeImposter decryptor by Emsisoft available at the time of writing cannot decrypt files encrypted by this version of GlobeImposter [https://www.nomoreransom.org/en/decryption-tools.html].\r\nAlarming trend and Acronis protection\r\nWith this sample, once again we see that new ransomware actively deletes backup files in Windows. 
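The backup-removal batch file and the taskkill step above translate directly into process-creation detections. The following is an added Python example (not from the original post) that runs one rule per batch step over a handful of constructed process-creation records. The record layout (Image=... CommandLine=...) is hypothetical rather than a real Sysmon or 4688 export, and the taskkill command line is an assumed form, since the article only names the target processes.

```python
import re

BS = chr(92)  # backslash, kept out of the source text

# One rule per line of the batch file plus the taskkill step; (name, pattern).
# Patterns use [ ] and [.] instead of escapes; matching is case-insensitive.
RULES = [
    ('shadow_copy_deletion', r'vssadmin(?:[.]exe)?[ ]+delete[ ]+shadows'),
    ('event_log_clear', r'wevtutil(?:[.]exe)?[ ]+cl[ ]+'),
    ('rdp_history_wipe', r'reg(?:[.]exe)?[ ]+delete[ ]+.*terminal server client'),
    ('rdp_default_wipe', r'del[ ]+.*default[.]rdp'),
    ('kill_db_mail_office', r'taskkill.*(?:outlook|ssms|postgre|1c|sql|excel|word)'),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

# Constructed process-creation records (hypothetical layout, not a real log).
SAMPLE_LOG = [
    'Image=cmd.exe CommandLine=vssadmin.exe Delete Shadows /All /Quiet',
    f'Image=cmd.exe CommandLine=reg delete HKEY_CURRENT_USER{BS}Software{BS}Microsoft{BS}Terminal Server Client{BS}Servers /f',
    'Image=cmd.exe CommandLine=del Default.rdp',
    'Image=cmd.exe CommandLine=wevtutil.exe cl Security',
    'Image=cmd.exe CommandLine=taskkill /F /IM outlook.exe',
    'Image=cmd.exe CommandLine=wevtutil.exe el',
    'Image=cmd.exe CommandLine=vssadmin.exe List Shadows',
    'Image=explorer.exe CommandLine=notepad.exe notes.txt',
]


def scan(lines):
    # Return (rule_name, line) for every record that trips a rule.
    hits = []
    for line in lines:
        for name, rx in COMPILED:
            if rx.search(line):
                hits.append((name, line))
    return hits


def triage(lines):
    # Count hits per rule. Several distinct rules firing from one parent
    # shell in a short window is the batch file pattern, not an admin
    # running a single maintenance command.
    counts = {}
    for name, _ in scan(lines):
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == '__main__':
    for name, line in scan(SAMPLE_LOG):
        print(name, '<-', line)
    print(triage(SAMPLE_LOG))
```

The enumeration (wevtutil el) and listing (vssadmin List Shadows) lines are deliberately left unflagged: only the destructive forms appear in the batch file. The short tokens sql and 1c in the taskkill rule will be noisy in production and are better scoped with the parent process or paired with one of the other rules.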
In addition, there is no working decryptor, which means that if your files are encrypted and no proper backup was made, the data is most likely lost. Again, the good news is that Acronis Active Protection successfully blocks the GlobeImposter ransomware, recovering files in a matter of seconds.\r\nSo when choosing your backup software, be sure to pick wisely if you want to keep your data safe.\r\nIf you’re looking for a backup solution that comes with the industry’s only built-in active protection against ransomware, consider Acronis True Image and Acronis Cyber Backup. Both include technology that will detect the threat, block the attack, and restore the affected data.\r\nSource: https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet"
	],
	"report_names": [
		"globeimposter-ransomware-holiday-gift-necurs-botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775433973,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/676e40d4d78f06e3a8340dee198475aef6184d25.pdf",
		"text": "https://archive.orkl.eu/676e40d4d78f06e3a8340dee198475aef6184d25.txt",
		"img": "https://archive.orkl.eu/676e40d4d78f06e3a8340dee198475aef6184d25.jpg"
	}
}