Question about very LARGE files (VHD/ VHDX) with GlobeImposter 2 Variant


Ant

I recently got involved with a GlobeImposter 2 infection on a Hyper-V cluster - whereby the host computers on the cluster were infected, including all of the Virtual Hard Drive (VHD) files for their virtual machines, but none of the actual virtual machines appear infected. Most of their backups were offsite, so other than the hassle of the restore, everything is "OK". However, this has left me with two questions I cannot seem to Google:

  1. GlobeImposter 2 appears to mostly infect / encrypt the first few MB of a file and then move on. Is that true? If so, in this particular case, would any of the available VHD repair tools be able to help out? For our purposes, this is essentially a corrupt virtual hard drive at this point.

  2. There is some concern that data may have been sent to attackers. This is over 16TB of virtual hard drives. Does GlobeImposter 2 send data offsite? It appears to "just" infect and corrupt locally.

Thanks so much!

--
Ant


Hello

GlobeImposter 2.0 Ransomware uses AES and encrypts 0x2000 blocks (encrypt, skip, encrypt, etc.). If they haven't changed it...

The name GlobeImposter was given in the ID-Ransomware ransomware identification service due to the ransomware appropriating a ransom note from the Globe family. The first variants appeared in December 2016.
Purpose: to intimidate victims, confuse researchers, discredit decryption programs issued for the Globe family. All the Globe imitators that are not decrypted by the decryption utilities released for Globe 1-2-3 were code-named GlobeImposter, and after that - GlobeImposter 2.0.
Now the most famous imposter-imitator has its own imitators, and some of the extortionists use its code to carry out their own attacks and extortion. There are several that are identified by antivirus as GlobeImposter, but in fact, are other ransomware.

To say for sure in your case, we need to investigate the incident. Emsisoft can assist you on weekdays from Monday to Friday.

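The reply above says GlobeImposter 2.0 encrypts 0x2000 blocks in an encrypt/skip/encrypt pattern. As an added triage example (not from either poster, and not Emsisoft's tooling), the script below scans a file image in 0x2000-byte blocks and labels each block by Shannon entropy, so a responder can see how much of a VHD is still plaintext before deciding whether a repair attempt is worthwhile. The 0x2000-as-bytes reading, the 7.5 bits/byte threshold and the sample image are assumptions constructed here, not facts from the thread.

```python
"""Per-block entropy triage for a suspected partially encrypted file.

Added example, not code from the forum thread. Assumes the block size
named in the reply (0x2000) is a byte count; the entropy threshold and the
sample image are constructed for illustration.
"""
import math
import os
from collections import Counter

BLOCK = 0x2000          # block size quoted in the reply
HIGH_ENTROPY = 7.5      # bits per byte; assumed cut-off for "looks like ciphertext"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_blocks(data: bytes, block: int = BLOCK,
                    threshold: float = HIGH_ENTROPY) -> list:
    """Return one label per block: 'enc' if entropy >= threshold, else 'plain'."""
    return ["enc" if shannon_entropy(data[i:i + block]) >= threshold else "plain"
            for i in range(0, len(data), block)]


def looks_alternating(labels: list) -> bool:
    """True when labels strictly alternate, i.e. the encrypt/skip pattern described."""
    return len(labels) > 1 and all(a != b for a, b in zip(labels, labels[1:]))


def sample_file_image(blocks: int = 6) -> bytes:
    """Constructed stand-in for a damaged file: odd blocks random, even blocks low-entropy."""
    out = bytearray()
    for i in range(blocks):
        out += os.urandom(BLOCK) if i % 2 else b"A" * (BLOCK // 2) + bytes(BLOCK // 2)
    return bytes(out)


if __name__ == "__main__":
    img = sample_file_image()
    labels = classify_blocks(img)
    for i, lab in enumerate(labels):
        print(f"block {i:3d} @ 0x{i * BLOCK:08x}: {lab}")
    print("alternating encrypt/skip pattern:", looks_alternating(labels))
```

On a real VHD you would read the file in chunks rather than loading it whole; the block labels then show which regions a filesystem-level repair tool still has intact data to work from.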
