GlobeImposter ransomware victims find themselves abandoned by their extortionists

If you didn’t have a backup, you’re screwed.

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

GlobeImposter ransomware victims find themselves abandoned by their extortionists

A wave of the GlobeImposter 2.0 ransomware infected the computers of innocent internet users, and told them to visit a Tor website in order to pay up and have their files decrypted.

Globeimposter ransomware message

Nothing so unusual in that, but as researchers at Coveware report, these particular victims have been left in the lurch because the masterminds behind the attack appear to have abandoned the recovery website:

As is standard, the site offers free decryption of a single file. However, unlike GandCrab, the victim is not able to upload the file to the site. Instead they are directed to a support ticketing system. The ticketing system allows the user to upload a file and send a short message with their contact information. In both live cases and tests, this support function is not working. The tickets are submitted with confirms sent to the email address input. You can even log back in to check the status of these tickets. The problem is no one replies. There is no indication that the support function is being monitored

Support request

So, if victims cannot trial the decryption service for free on one file, will they have better luck if they simply pay the ransom? Unfortunately, according to Coveware, they won’t.

When testing the actual ransom payment function and confirmation, errors where thrown when trying to confirm that a payment had been sent, further demonstrating that the site has been abandoned.

Other GlobeImposter ransomware attacks have provided email addresses for victims to correspond with, and these reportedly have resulted in users successfully making contact with their extortionists and getting their files decrypted.

However, for whatever reason (it’s unclear if they are unwilling or unable), those hackers who monitor those email addresses won’t be any help to victims who were directed to the Tor site.

Sign up to our free newsletter.
Security news, advice, and tips.

So, if you don’t have a secure backup of your data before it was encrypted by the ransomware, you’re left clutching at straws that someday the extortionists might update and fix their webpage.

Don’t wait until it’s too late to think about your backup regime.

Listen to this episode of the “Smashing Security” podcast to learn more about backups.

Smashing Security #043: 'Backups - a necessary evil?'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “GlobeImposter ransomware victims find themselves abandoned by their extortionists”

  1. Ronald Whiteside

    Every month I do an "incremental" backup followed by a full standalone backup. This takes about 1-1/2 for each of the 4 machines at my house. The result is redundant backups where prior standalone + incremental = new standalone. I backup to a 4TB WD My Book over USB 3. That drive is never left on the network. I keep a disk image for each machine on the My Book. Worst case is burn the bootable image then run a standalone restore.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.