The "Blank Slate" malspam campaign has switched fromdistributing the Aleta BTCware variant to distributing a GlobeImposter variant that appends the .crypt extension. This malspam campaign is called Blank Slate due to the lack of a subject line and message body in the spam emails. 

You can see an example of what a Blank Slate malspam email looks like below.

These malspam emails contain ZIP attachments that are named using the format EMAIL_[RandomNumbers]_[RecipientName].zip. Inside this zip file is another zip file with a name like [RandomNumbers].zip. This zip file then contains a random named obfuscated JS script. So an example attachment progression would be something like EMAIl_877821_Bleeping.zip -> 871231.zip -> msaSh.js.

When executed, this JS script will attempt to download a file called 1.dat, which is a actually an executable file, from one of two designated sites. An example of this JS installer can be seen below. 

[出自:jiwo.org]

Installer

An interesting characteristic of the current downloaded malware executable is that it is code signed using a certificate issued by thawte.

After the executable is downloaded, it will be executed to install whatever the current malware payload is. In this case the installed malware is a GlobeImposter variant that appends the .crypt extension to encrypted files.

Encrypted Folder

When GlobeImposter encrypts files it will also create a ransom note named !back_files!.html in each folder a file is encrypted.  This ransom note contains instructions to contact oceannew_vb@protonmail.com for payment instructions and the ransom amount.

Ransom Note

Unfortunately, at this time there is no way to decrypt GlobeImposter files for free. For support or help with this ransomware infection, you can ask in our dedicated GlobeImposter Ransomware Support topic.

IOCs

Crypt GlobeImposter Variant Hashes:

SHA256: 2df19df0a0b0c683c6cb9421bdad6e0bdb62bd6380cce4f75501cac653ca5be4

Crypt GlobeImposter Variant Associated Files:

!back_files!.html

Crypt GlobeImposter Variant Network Connections:

http://filmcoffee.win/support.php?f=1.dat
http://cabeiriscout.faith/support.php?f=1.dat
http://scenetavern.win/support.php?f=1.dat
http://hallvilla.win/support.php?f=1.dat

Crypt GlobeImposter Variant Ransom Note:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail oceannew_vb@protonmail.com in body of your message write your ID
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. 
https://localbitcoins.com/buy_bitcoins 
Also you can find other places to buy Bitcoins and beginners guide here: 
http://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Your personal ID
76 DC F5 69 B5 7B F2 22 57 84 37 D3 6C 74 EF 44
B7 D2 A3 C2 96 F9 7A BA 3D 65 08 8C F1 ED D0 D4
6A 0E DF 51 7C 96 93 64 AF E7 9A 8A B4 B3 B2 3A
9F 00 A7 4B 8A 11 98 8F 06 24 85 1D 5E DC 63 49
00 99 6D 51 E2 81 F7 88 C1 7A D7 42 96 56 54 82
BA F8 4F AF 40 E0 03 10 41 B6 20 43 C8 9C CD 9E
60 F7 FE 39 A7 47 25 34 F2 D2 4E 5E 6D 00 77 26
D8 EE A8 43 97 73 B9 94 85 51 13 92 3B 8A BF 94
23 17 55 C4 7D AE F9 CD D9 42 5F 86 6E 9C AD A8
51 0C 8A 53 F5 D4 01 4B DB 00 7C 45 02 01 ED 6C
F7 E3 F2 AF 21 6D E9 2C 9D 9A EA 85 44 AB 31 23
8B 0E 39 35 95 8D D1 C9 69 98 50 64 54 87 EF 3A
5A 7C C0 BD FC 84 FE B8 18 0C E7 7D 86 28 7B ED
7C 66 03 80 3F 02 BE C3 3B 48 21 8A E8 E3 AE 27
57 57 00 6C B0 20 E6 BF D8 14 1A FB 62 B7 9A 60
AB 41 35 8F 0C FA 25 E3 C9 9A 76 16 8C 87 79 DF