Skip to content
Ransomware group

Globeimposter

GlobeImposter is a ransomware family, also referred to as LOLKEK, active since at least 2016 and named for its attempt to mimic Globe ransomware payloads.

Profile source: Mallory opens in a new tab

Globeimposter

Family profile

GlobeImposter is a ransomware family, also referred to as LOLKEK, active since at least 2016 and named for its attempt to mimic Globe ransomware payloads. It has been distributed via phishing emails, malicious spam campaigns, and RDP brute-force intrusions rather than worm-like self-propagation. Multiple sources in the content associate large-scale GlobeImposter delivery with TA505, including campaigns beginning in mid-to-late 2017 and heavy TA505 use in December 2017; Necurs is also referenced as a distribution platform for GlobeImposter. The malware has also been discussed in connection with TA505 alongside Dridex and Locky campaigns.

Behaviorally, GlobeImposter scans available drives and files for encryption targets, modifies the Windows registry for persistence, and may disable antivirus or other OS security features and prevent system restoration. The analyzed 2018 variant was compiled in Visual C++, used an embedded AES implementation instead of standard cryptographic APIs, dynamically generated encrypted file extensions, saved command-line commands into a batch file, removed RDP login logs, and eventually deleted itself to reduce forensic artifacts. Some variants encrypt .exe and .dll files, making them more destructive and potentially disrupting analysis tools.

A 2021 GlobeImposter variant described in the content is substantially more complex and stealth-focused. It is a heavily obfuscated .NET sample, likely written in VB.NET, that stores encrypted payloads inside image resources, decodes them in memory, and loads additional stages via Assembly.Load and LoadLibrary. The execution chain includes delayed execution with Thread.Sleep and multiple resource-backed DLL stages, with the later-stage module containing file-encryption functionality using SymmetricAlgorithm and CryptoStream. The content states this variant relies on multi-stage in-memory execution, heavy obfuscation, and encoded resource-based payload delivery to evade static analysis and complicate reverse engineering. RDP brute force is specifically cited as an initial access method for GlobeImposter.

The content also notes that PSCrypt is based on GlobeImposter and has very similar functionality. High-confidence indicators from the analyzed samples include SHA-256 750984dff0d13260e17e9bb1a3482f1bae834d6e0de1bcd199028748a9f998dc for a 2018 GlobeImposter sample and SHA-256 5c3ce324ded0942df4b4cbf80cf195263f105daf5c729255c628bb3a4f8ab3de for a 2021 variant.

Ransomware.live

Operational record

View group record ↗

Reported operators

Threat actors

1 named in public reporting
TA505

the messages and the delivery suggest they were sent by threat actor TA505, known for sending large-scale Dridex, Locky, and GlobeImposter campaigns, among others, over the last four years.

MITRE ATT&CK

Globeimposter in ATT&CK

13 distinct techniques

Reporting

Research mentioning Globeimposter

Apr 7
Iss4cf0ng Github

[Studying] Inside GlobeImposter 2021: Multi-Stage Payload & In-Memory Execution Analysis | ISSAC/iss4cf0ng's blog

This article presents a deeper analysis of one of the variants of GlobeImposter family, released in 2021.

Apr 6
Iss4cf0ng Github

[Studying] Analyzing GlobeImposter 2018 | ISSAC/iss4cf0ng's blog

This article presents a reverse engineering analysis of GlobeImposter (aka LOLKEK), focusing on its encryption mechanism, persistence, and anti-forensics behavior.

Oct 23
Recorded Future

Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals

...existing ransomware families such as LockBit, CryLock, Xorist, Proton, GlobeImposter, Chaos, Makop, MedusaLocker, Djvu, Dharma, and more.

Jun 30
Cisa Advisories

Dridex Malware | CISA

Proofpoint, “Threat Actor Profile: TA505, From Dridex to GlobeImposter,”

Apr 2
Deepinstinct

New ServHelper Variant Employs Excel 4.0 Macro to drop Singed Payload

...associated with the infamous Dridex banking malware, the GlobeIimposter ransomware...

Jun 8
Proofpoint Threat Insight

TA505 shifts with the times | Proofpoint US

Of the 34 campaigns the group sent... 24 were distributing GlobeImposter ransomware.

May 7
Bartblaze

Blaze's Security Blog: PSCrypt ransomware: back in business

As mentioned earlier, PSCrypt is based on GlobeImposter and as such, has very similar functionality.

Mar 7
Proofpoint Threat Insight

Leaked Source Code Turned Into FlawedAmmyy Malware | Proofpoint US

the messages and the delivery suggest they were sent by threat actor TA505, known for sending large-scale Dridex, Locky, and GlobeImposter campaigns, among others, over the last four years.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.