the messages and the delivery suggest they were sent by threat actor TA505, known for sending large-scale Dridex, Locky, and GlobeImposter campaigns, among others, over the last four years.
Globeimposter
GlobeImposter is a ransomware family, also referred to as LOLKEK, active since at least 2016 and named for its attempt to mimic Globe ransomware payloads.
Profile source: Mallory opens in a new tabGlobeimposter
Family profile
GlobeImposter is a ransomware family, also referred to as LOLKEK, active since at least 2016 and named for its attempt to mimic Globe ransomware payloads. It has been distributed via phishing emails, malicious spam campaigns, and RDP brute-force intrusions rather than worm-like self-propagation. Multiple sources in the content associate large-scale GlobeImposter delivery with TA505, including campaigns beginning in mid-to-late 2017 and heavy TA505 use in December 2017; Necurs is also referenced as a distribution platform for GlobeImposter. The malware has also been discussed in connection with TA505 alongside Dridex and Locky campaigns.
Behaviorally, GlobeImposter scans available drives and files for encryption targets, modifies the Windows registry for persistence, and may disable antivirus or other OS security features and prevent system restoration. The analyzed 2018 variant was compiled in Visual C++, used an embedded AES implementation instead of standard cryptographic APIs, dynamically generated encrypted file extensions, saved command-line commands into a batch file, removed RDP login logs, and eventually deleted itself to reduce forensic artifacts. Some variants encrypt .exe and .dll files, making them more destructive and potentially disrupting analysis tools.
A 2021 GlobeImposter variant described in the content is substantially more complex and stealth-focused. It is a heavily obfuscated .NET sample, likely written in VB.NET, that stores encrypted payloads inside image resources, decodes them in memory, and loads additional stages via Assembly.Load and LoadLibrary. The execution chain includes delayed execution with Thread.Sleep and multiple resource-backed DLL stages, with the later-stage module containing file-encryption functionality using SymmetricAlgorithm and CryptoStream. The content states this variant relies on multi-stage in-memory execution, heavy obfuscation, and encoded resource-based payload delivery to evade static analysis and complicate reverse engineering. RDP brute force is specifically cited as an initial access method for GlobeImposter.
The content also notes that PSCrypt is based on GlobeImposter and has very similar functionality. High-confidence indicators from the analyzed samples include SHA-256 750984dff0d13260e17e9bb1a3482f1bae834d6e0de1bcd199028748a9f998dc for a 2018 GlobeImposter sample and SHA-256 5c3ce324ded0942df4b4cbf80cf195263f105daf5c729255c628bb3a4f8ab3de for a 2021 variant.
Ransomware.live
Operational record
Reported operators
Threat actors
1 named in public reportingMITRE ATT&CK
Globeimposter in ATT&CK
13 distinct techniquesTechniques
13 techniquesReporting
Research mentioning Globeimposter
[Studying] Inside GlobeImposter 2021: Multi-Stage Payload & In-Memory Execution Analysis | ISSAC/iss4cf0ng's blog
This article presents a deeper analysis of one of the variants of GlobeImposter family, released in 2021.
[Studying] Analyzing GlobeImposter 2018 | ISSAC/iss4cf0ng's blog
This article presents a reverse engineering analysis of GlobeImposter (aka LOLKEK), focusing on its encryption mechanism, persistence, and anti-forensics behavior.
Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals
...existing ransomware families such as LockBit, CryLock, Xorist, Proton, GlobeImposter, Chaos, Makop, MedusaLocker, Djvu, Dharma, and more.
Dridex Malware | CISA
Proofpoint, “Threat Actor Profile: TA505, From Dridex to GlobeImposter,”
New ServHelper Variant Employs Excel 4.0 Macro to drop Singed Payload
...associated with the infamous Dridex banking malware, the GlobeIimposter ransomware...
TA505 shifts with the times | Proofpoint US
Of the 34 campaigns the group sent... 24 were distributing GlobeImposter ransomware.
Blaze's Security Blog: PSCrypt ransomware: back in business
As mentioned earlier, PSCrypt is based on GlobeImposter and as such, has very similar functionality.
Leaked Source Code Turned Into FlawedAmmyy Malware | Proofpoint US
the messages and the delivery suggest they were sent by threat actor TA505, known for sending large-scale Dridex, Locky, and GlobeImposter campaigns, among others, over the last four years.