ASEC (AhnLab Security Emergency Response Center) has recently discovered the active distribution of the GlobeImposter ransomware. The attack is attributed to the threat actor behind MedusaLocker, who also installed a port scanner and Mimikatz on the compromised system.


A. Nature of Attack

a. Installation of Ransomware

Threat actors who have obtained valid account credentials can log in to a system through Remote Desktop Protocol (RDP), gain control over it and carry out malicious activities. The threat actors who install GlobeImposter are likewise assumed to use RDP as their initial attack vector.

b. Malware Used In The Attack Process

The cybercriminals install various pieces of malware and tooling on the victim's system. Most of the installed tools are network scanners and account credential-stealing tools such as Mimikatz.

Once they have full control of the victim's machine, the threat actors use the installed tools to scan the network and determine whether the infected system is part of a larger network. If it is, they perform internal reconnaissance and lateral movement so that the ransomware can also encrypt the other systems on that network.

c. GlobeImposter

GlobeImposter is a type of ransomware that uses the AES symmetric-key algorithm for file encryption and the RSA public/private-key algorithm to encrypt the AES keys. Because the RSA private key is held only by the threat actor, the encrypted files cannot be recovered without it.
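The following is an added illustration of the AES-plus-RSA hybrid scheme described above, written for this advisory; it is not GlobeImposter's code and does not reproduce its file format or key handling. It assumes a per-file 256-bit AES key in GCM mode, wrapped with RSA-OAEP under a public key that would be embedded in the encryptor, and shows why a victim holding only the public key cannot recover the files.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile is what a hybrid-scheme encryptor leaves behind for one file:
// the AES-GCM output (nonce prepended) and the per-file AES key wrapped with
// the RSA public key that ships inside the malware. Layout is an assumption.
type EncryptedFile struct {
	WrappedKey []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile draws a fresh 256-bit AES key for this file, encrypts the content
// with AES-GCM and wraps the key with RSA-OAEP. Only the public key is needed,
// which is why the encryptor can run on the victim without the private key.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptFile needs the RSA private key: unwrap the AES key, then open the file.
func DecryptFile(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(ef.Ciphertext) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := ef.Ciphertext[:gcm.NonceSize()], ef.Ciphertext[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// RoundTrip shows both properties on one constructed plaintext: the holder of the
// private key recovers the file, and a different RSA key (no private key) cannot.
func RoundTrip(plaintext []byte) (recovered bool, wrongKeyFails bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	ef, err := EncryptFile(&attacker.PublicKey, plaintext)
	if err != nil {
		return false, false, err
	}
	got, err := DecryptFile(attacker, ef)
	if err != nil {
		return false, false, err
	}
	recovered = bytes.Equal(got, plaintext) && !bytes.Contains(ef.Ciphertext, plaintext)
	other, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	_, err = DecryptFile(other, ef)
	return recovered, err != nil, nil
}

func main() {
	ok, fails, err := RoundTrip([]byte("constructed sample document contents"))
	fmt.Println("recovered with private key:", ok, "| wrong key fails:", fails, "| err:", err)
}
```

The practical consequence for defenders is the one the recommendations below rest on: once the wrapped keys are on disk, nothing on the victim's machine can unwrap them, so restoring from an offline backup is the only dependable recovery path.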

To maintain persistence, GlobeImposter first copies itself to the %LOCALAPPDATA% path and then registers that copy under the RunOnce key so that it runs again after a system reboot. It then creates a file in the %PUBLIC% path whose name is the SHA256 hash value of the threat actor's private key, and saves the encrypted key information there. Afterward, it encrypts the files on the system.
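The three behaviours described in this section (RDP logons with obtained credentials, internal port scanning, and RunOnce persistence from %LOCALAPPDATA%) each leave a footprint in host telemetry. The following is an added detection example written for this advisory, not code from ASEC or CERT-PH. It assumes events already normalized into a simple JSON-lines form (Windows logon event 4624, Sysmon network connection event 3, Sysmon registry value-set event 13); the field names and the sample records are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"sort"
	"strings"
)

// Event is a minimal normalized record; its field set is an assumption of this
// example. ID 4624 = Windows logon, 3 = Sysmon network connection, 13 = Sysmon registry set.
type Event struct {
	ID      int    `json:"id"`
	Host    string `json:"host"`
	User    string `json:"user,omitempty"`
	Logon   int    `json:"logon_type,omitempty"`
	SrcIP   string `json:"src_ip,omitempty"`
	DstIP   string `json:"dst_ip,omitempty"`
	DstPort int    `json:"dst_port,omitempty"`
	Image   string `json:"image,omitempty"`
	Key     string `json:"key,omitempty"`
	Value   string `json:"value,omitempty"`
}

// SampleLog is constructed for this example (one JSON event per line), not telemetry from the report.
const SampleLog = `
{"id":4624,"host":"FS01","user":"svc_backup","logon_type":10,"src_ip":"203.0.113.45"}
{"id":4624,"host":"FS01","user":"jdoe","logon_type":10,"src_ip":"10.0.5.20"}
{"id":3,"host":"FS01","image":"C:\\Users\\Public\\scan.exe","dst_ip":"10.0.5.1","dst_port":445}
{"id":3,"host":"FS01","image":"C:\\Users\\Public\\scan.exe","dst_ip":"10.0.5.2","dst_port":445}
{"id":3,"host":"FS01","image":"C:\\Users\\Public\\scan.exe","dst_ip":"10.0.5.2","dst_port":3389}
{"id":3,"host":"FS01","image":"C:\\Program Files\\Mail\\mail.exe","dst_ip":"10.0.1.10","dst_port":443}
{"id":13,"host":"FS01","image":"C:\\Users\\svc_backup\\AppData\\Local\\svchost.exe","key":"HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Update","value":"C:\\Users\\svc_backup\\AppData\\Local\\svchost.exe"}
{"id":13,"host":"FS01","image":"C:\\Windows\\System32\\msiexec.exe","key":"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Tool","value":"C:\\Program Files\\Tool\\tool.exe"}
`

// ParseEvents reads newline-delimited JSON into events.
func ParseEvents(raw string) ([]Event, error) {
	var out []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, err
		}
		out = append(out, e)
	}
	return out, nil
}

// ExternalRDPLogons flags RemoteInteractive (type 10) logons from a non-private, non-loopback source.
func ExternalRDPLogons(events []Event) []string {
	var hits []string
	for _, e := range events {
		ip := net.ParseIP(e.SrcIP)
		if e.ID == 4624 && e.Logon == 10 && ip != nil && !ip.IsPrivate() && !ip.IsLoopback() {
			hits = append(hits, e.User+"@"+e.Host+" from "+e.SrcIP)
		}
	}
	return hits
}

// PortScanners flags a process that reached at least threshold distinct host:port targets.
func PortScanners(events []Event, threshold int) []string {
	seen := map[string]bool{} // "host|image|ip:port" already counted
	count := map[string]int{} // "host|image" -> distinct targets
	for _, e := range events {
		proc := e.Host + "|" + e.Image
		target := fmt.Sprintf("%s|%s:%d", proc, e.DstIP, e.DstPort)
		if e.ID == 3 && !seen[target] {
			seen[target] = true
			count[proc]++
		}
	}
	var hits []string
	for proc, n := range count {
		if n >= threshold {
			hits = append(hits, proc)
		}
	}
	sort.Strings(hits)
	return hits
}

// RunOncePersistence flags RunOnce values that point into %LOCALAPPDATA%, as described for GlobeImposter.
func RunOncePersistence(events []Event) []string {
	var hits []string
	for _, e := range events {
		key, val := strings.ToLower(e.Key), strings.ToLower(e.Value)
		if e.ID == 13 && strings.Contains(key, `\currentversion\runonce\`) && strings.Contains(val, `\appdata\local\`) {
			hits = append(hits, e.Host+": "+e.Key+" -> "+e.Value)
		}
	}
	return hits
}

func main() {
	events, _ := ParseEvents(SampleLog)
	fmt.Println(ExternalRDPLogons(events), PortScanners(events, 3), RunOncePersistence(events))
}
```

The scan threshold is deliberately low for the constructed sample; in production it should be tuned per environment and paired with a time window, and the RDP rule should be fed the organisation's own list of expected jump hosts rather than relying only on the private-address check.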


B. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • To limit the impact of a ransomware incident, use a backup system that keeps multiple copies of each backup, so that an encrypted or infected copy does not leave you without a clean one. Keep at least one copy offline or otherwise unreachable from the production network, and test backups regularly to verify data integrity and that restores actually work.
  • Make sure that all systems and firmware are patched.
  • Proactively monitor identified systems and devices for suspicious or malicious activity, and secure remote access such as RDP (strong, unique credentials, multi-factor authentication, and no direct exposure to the internet).
  • Use anti-virus software and/or a host-based detection tool, kept up to date, to protect your data and devices.
  • In addition, provide employees with cybersecurity knowledge and training to minimize the attack surface.
  • For additional information, kindly refer to the official report.