From eb90e99dafa94521ca3538bafd41277c66ce2c16 Mon Sep 17 00:00:00 2001
From: rmkml <rmkml@yahoo.fr>
Date: Wed, 10 Apr 2019 22:37:54 +0200
Subject: [PATCH] Add Globe Imposter Ransomware

---
 clusters/ransomware.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 6ab28c0..f61e664 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13062,7 +13062,19 @@
       },
       "uuid": "8cfa694b-3e6b-410a-828f-037d981870b2",
       "value": "Jokeroo"
+    },
+    {
+      "description": "During December 2017, a new variant of the GlobeImposter Ransomware was detected for the first time and reported on malware-traffic-analysis. At first sight this ransomware looks very similar to other ransomware samples and uses common techniques such as process hollowing. However, deeper inspection showed that like LockPoS, which was analyzed by CyberBit, GlobeImposter too bypasses user-mode hooks by directly invoking system calls. Given this evasion technique is being leveraged by new malware samples may indicate that this is a beginning of a trend aiming to bypass user-mode security products.",
+      "meta": {
+        "payment-method": "Bitcoin",
+        "price": "0.35",
+        "refs": [
+          "https://www.fortinet.com/blog/threat-research/analysis-of-new-globeimposter-ransomware-variant.html"
+        ]
+      },
+      "uuid": "8cfa694c-2e6b-310a-728f-027d981870b2",
+      "value": "GlobeImposter"
     }
   ],
-  "version": 54
+  "version": 55
 }