This site uses cookies to enhance your experience.  By continuing to visit this website, you consent to the use of these cookies. Click here to learn more about our privacy policy.

[Alert] New GlobeImposter Ransomware Variant in Healthcare Industry

2019-07-09
21
The Sangfor Security Team has recently discovered a new variant of the Globelmposter ransomware targeting large hospitals and healthcare institutions, identified by appending encrypted files with the Greek inspired Ares666, Zues666, Aphrodite666 and Apollon666.
Alert New GlobeImposter Ransomware Variant in Healthcare Industry 01

Alert New GlobeImposter Ransomware Variant in Healthcare Industry 02


Making use of the names of the well-known Greek Gods and Goddesses of the sky, love, light and war to identify their product implies that more variants will likely be released in the future – with an unending parade of Gods available in Greek mythology. The Sangfor Security team noticed each extension was appended with a “god name+666” and has named the strain of variants of Globelmposter, “Globelmposter Olympian.” Cyber security experts agree we are likely to see more strains and more names of well-known Olympic Gods in future ransomware, as Globelmposter has a history of creating strains of ransomware with a common theme among the names of the variants.
Alert New GlobeImposter Ransomware Variant in Healthcare Industry 03
The Sangfor Security Team has past experience tracking the Globelmposter strain named after the 12 animals of the Chinese Zodiac calendar, appended with the formula “zodiac sign + 4444,” (i.e. .Dragon444,.Pig4444, .Tiger4444, Snake4444, Rooster4444, .Rat4444, .Horse4444, Dog4444, .Monkey4444, .Rabit4444 and .Goat4444) which in Chinese is a highly unlucky number signifying death, just as 666 is in Western cultures.

After analysis, The Sangfor Security team confirmed that this latest variant evolved from GlobeImposter 3.0 with no decryption method available as yet. More than one hospital server has been compromised and business seriously impacted.

Asian Healthcare institutions have been a primary target of Globelmposter in every major industry since February 2018 – while this strain has thus far focused on the healthcare industry, a lofty target considering it accounts for almost half (47.4%) of all industries.
Alert New GlobeImposter Ransomware Variant in Healthcare Industry 04
The Healthcare industry is required to maintain high business availability. Traditionally, ransomware and system unavailability can cause immeasurable damage to healthcare institutions and the lives under their care. Hospitals often choose to pay the ransom requested when presented with the option of losing patients or losing money.

Although the ransom virus spreads in a variety of ways and its technique is constantly upgraded, primarily using RSA and AES to encrypt files. Consequently, the encrypted file can often not be decrypted.

The virus spreads through social engineering, RDP brute-force attacks, and bundling with malicious programs to encrypt the files of infected hosts, generate a ransom note and demand a ransom. Sangfor security team is paying close attention to the development of the virus family and has performed an in-depth analysis on the discovered variant sample.
Alert New GlobeImposter Ransomware Variant in Healthcare Industry 05
Analysis
In order to keep itself running properly, the virus first shuts down Windows Defender:
Alert New GlobeImposter Ransomware Variant in Healthcare Industry 06
Subsequently, it creates an auto-startup item named WindowsUpdateCheck:
Alert New GlobeImposter Ransomware Variant in Healthcare Industry 07
By executing commands from the command line, it deletes disk shadows and stops the database from offering services:
Alert New GlobeImposter Ransomware Variant in Healthcare Industry 08
Volumes are then traversed and mounted:
Alert New GlobeImposter Ransomware Variant in Healthcare Industry 09
System reserved volumes are also mounted followed by traversed disk files:
Alert New GlobeImposter Ransomware Variant in Healthcare Industry 10
Excluded files and directories:
“.”, “..”, windows, bootmgr, pagefile.sys, boot, ids.txt, NTUSER.DAT, PerfLogs
Alert New GlobeImposter Ransomware Variant in Healthcare Industry 11
Excluded files include those with any of the following extensions:
.dll, .lnk, .ini and .sys
 
Other files are encrypted and appended with Ares666:
Alert New GlobeImposter Ransomware Variant in Healthcare Industry 12
The ransom note file (HOW TO BACK YOUR FILES.txt) is generated:
Alert New GlobeImposter Ransomware Variant in Healthcare Industry 13
Reading:
Alert New GlobeImposter Ransomware Variant in Healthcare Industry 14
After file encryption, the auto-startup item is deleted:
Alert New GlobeImposter Ransomware Variant in Healthcare Industry 15
Commands are executed again through command line to delete disk volumes and remote desktop connection data and clear system logs.
Alert New GlobeImposter Ransomware Variant in Healthcare Industry 16
Finally, the virus file is deleted automatically.
Alert New GlobeImposter Ransomware Variant in Healthcare Industry 17
Decryption Tool
Currently there is no decryption tool for those victims. To minimize damage, you should isolate infected hosts and disconnect them from network. We recommend you to perform a virus scan and removal as soon as possible.

Ransomware Detection
1. Sangfor offers customers and users a free anti-malware software to scan for and remove the ransomware virus. Simply download it from http://go.sangfor.com/edr-tool-20180824.
2. Sangfor NGAF is capable of detecting and removing this ransomware virus.

Protection
The Sangfor Security Team recommends you take steps to prevent infection, as there is no known decryption method currently – as is the case for many viruses.
1. Fix the vulnerability quickly by installing the corresponding patch on the host.
2. Back up critical data files regularly to other hosts or storage devices.
3. Do not click on any email attachment from unknown sources and do not download any software from untrusted websites.
4. Disable unnecessary file sharing.
5. Strengthen your computer password and do not use the same passwords for multiple computers to avoid compromising a series of computers.
6. Disable RDP if it is unnecessary for your business. When computers are attacked, use Sangfor NGAF or EDR to block port 3389 and stop the virus from spreading.
7. Sangfor NGAF and EDR can prevent brute-force attacks. Turn on brute-force attack prevention on NGAF and enable Rules 11080051, 11080027 and 11080016. Turn on brute-force attack prevention on Sangfor EDR.
8. For Sangfor NGAF customers, update NGAF to version 8.0.5 and enable AI-based Sangfor Engine Zero to achieve the most comprehensive protection.
9. Deploy Sangfor security products and connect to cloud-based Sangfor Neural-X to detect new threats.
10. Perform a security scan and virus removal on the entire network to enhance network security. We recommend Sangfor NGAF and EDR to detect, prevent and protect your internal network.