Alert: Globelmposter Ransomware Break Out Again!

24/08/2018 09:34:33

The Sangfor Security Team recently discovered that a number of customers have been subject to an attack from a particular type of ransomware. Research shows that this malicious file is a new variant of the Globelmposter1.0 ransomware.

Globelmposter1.0 ransomware first appeared in May 2017 and spread via phishing emails. Variants were quickly detected and encrypted files were decrypted. February 2018 saw Globelmposter2.0 ransomware attacks breaking out in major hospitals using various attack methods and spread via social engineering, RDP brute-force or bundled malware. Constantly changing file extensions make it particularly difficult to detect, with the earliest encrypted files following the file extensions .TECHNO, .DOC, .CHAK, .FREEMAN and .TRUE and the most recent extensions showing .FREEMAN, ALC0, ALC02, ALC03 and .RESERVE.

The most recent variants of the Globelmposter2.0 ransomware family adopt a RSA 2048 algorithm and thus far have no tools that are capable of decrypting the encrypted files, which are appended with file extension .RESERVE.

Globelmposter2.0 drops a html file with the name of "how_to_back_files" in the corresponding directory with victim ID and contact information of the hacker contained in the file.

Sample Analysis

This ransomware is essentially a win32.exe program which was encoded on 3 April 2018.
When victims run the program it self-duplicates to the %LOCALAPPDATA% or %APPDATA% directory and the original file is deleted.


After the ransomware self-duplicates to the %LOCALAPPDATA% or %APPDATA% directory, it begins to add itself into the registry as: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\BrowserUpdateCheck. Subsequently it enables itself to automatically run when the compromised computer starts up or restarts.

Encrypted Objects

Globelmposter2.0 encrypts 3 types of disks: removable disks, hard disks and cloud disks.

It will bypass some files during the encryption process to ensure the normal running of the compromised system. The following are folders to be encrypted:

Encryption Method

Globelmposter2.0 generates a private key based on a RSA algorithm and encrypts files with a hard-coded public key. After encryption, the ciphertext is converted to ASCII code, which is then written into %PUBLIC% or %ALLUSERSPROFILE% variable paths. The generated private key with ID information appears as follows:

Globelmposter2.0 encrypts files with a RSA algorithm and a set of 128-bit key pairs are generated randomly by CryptGenRandom. Next, the hard-coded 256-bit public key generates a corresponding private key. Finally, a victim ID is generated and the ransomware encrypts corresponding folders and appends encrypted files with file extensions. The file containing the victim ID will be written to the encrypted folder as shown below:

The ransomware decrypts bat files and stores them in a temporary folder running the following script:

Latent Behaviors

The ransomware decrypts bat files and stores them in a temporary folder running the following script:

Bat script functions:
1. Delete disk volume shadow
2. Delete information of remote desktop connection
3. Delete logs
Globelmposter2.0 occasionally fails to delete logs due to grammar errors in the script.


1. Change and strengthen your computer password and do not use the same password for different computers to avoid compromising a series of computers.

2. Disable RDP if RDP is unnecessary for your business. When a computer is attacked, Sangfor NGAF recommends blocking port 3389 and other ports to stop ransomware from spreading.

3. Turn on Sangfor NGAF brute-force attack prevention by enabling Rule 11080051, 11080027 and 11080016.

4. For individuals & non-Sangfor NGAF users, Sangfor has developed a new anti-bot tool that can be downloaded by clicking here.

Sangfor Anti-Bot Tool is a malware removal tool that combines local & and cloud removals. This tool has a powerful cloud virus database that can identify most active virus threats on the existing network. It also has a powerful scanning engine for the local machine. Through static analysis of programs and dynamic virtual execution of malicious files, it will clean up the system and make it malware-free.

Our Social Networks

Global Service Center: