Danger level: 99/100

Globe Imposter virus. How to delete? (Removal tutorial)

Removal guide by Linas Kiguolis | Type: Ransomware

Globe Imposter ransomware keeps attacking victims by releasing new versions of the virus

Globe Imposter is a crypto-malware designed to encrypt the victim's data on the infected computer. It is also known as FakeGlobe, since the malware is a copy of the well-known Globe ransomware. Analysts reported that the newest variants of the file-encrypting virus were distributed through the Rig exploit kit. Once encryption finishes, an extension mark is appended to the end of each file name.

The developers of the ransomware planned their methods carefully: once the malware is inside, it encrypts the data on the victim's computer and tries to intimidate him or her into paying a ransom for a decryption key. Shortly after, the ransom note delivers instructions on how to recover the files.

Typically, the criminals demand an enormous amount of money to restore access to the valuable information stored on the computer. Victims are pressed to pay in Bitcoin and to do so within a specified period, or the demanded amount will increase. Do not reward the cybercriminals by paying the ransom; focus on GlobeImposter removal instead.

Do not hunt for alternative decryption tools online either: the malware encrypts data with RSA and AES, so without the attackers' key even IT specialists cannot generate the decryption key. Several versions can be unlocked with the free GlobeImposter decrypter, but the rest block access to your files permanently.

Thus, if you do not want to suffer financial losses, remove Globe Imposter with the help of Reimage or Malwarebytes Anti Malware and do not spend considerable amounts of money on useless decryption tools. Be aware that after the malware is eliminated your files will still remain encrypted. But do not panic: you can retrieve your data from backup copies stored in the cloud or try the alternative recovery methods described below.

As mentioned above, Globe Imposter virus has numerous versions and all of them use different:

  1. Extension marks;
  2. Bitcoin accounts and e-mail addresses;
  3. Instruction files.

The differences are listed in detail below. Be aware that the criminals keep creating new variants of GlobeImposter, so this list will expand; expect regular updates to it.

The ransom note might appear in any of these forms depending on the Globe Imposter version:

  • READ_IT.;
  • here_your_files!.html;
  • !SOS!.html;
  • HOW_OPEN_FILES.hta;
  • how_to_back_files.html;
  • RECOVER-FILES.html;
  • !back_files!.html;
  • support.html;
  • Read___ME.html;
  • !free_files!.html;
  • #HOW_DECRYPT_FILES#.html.

Also, criminals change the file extension with each new variant release:

.apk, .doc, .490, .ILLNEST, .SKUNK, .nWcrypt, .BONUM, .LEGO, .UNLIS, .GRANNY, .911, .reaGAN, .YAYA, .needkeys, .[d7516@ya.ru], .foSTE, .3ncrypt3d, .hNcrypt, .legally, .keepcalm, .plin, .fix, .515, .crypt, .paycyka, .pizdec, .wallet, .vdulm, .2cXpCihgsVxB3, .[byd@india.com]SON, .troy, .Virginprotection, .ACTUM, .JEEP, .GRAFF, .trump, .rumblegoodboy, .goro, .au1crypt, .s1crypt, .nCrypt, .medal, .4035, .clinTON, .D2550A49BF52DFC23F2C013C5, .zuzya, .BRT92, .725, .ocean, .rose, .GOTHAM, .HAPP, .txt, .0402, .skunk, .492, .astra, .write_me_[btc2017@india.com], .VAPE, .726, .490, .coded, and .f41o1.
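To show how the extension marks above can be used during incident triage, here is an added Python helper (not code from the article) that scans a file listing for a subset of the GlobeImposter extension marks and ransom-note names quoted on this page, and pulls the contact address out of marks such as .[d7516@ya.ru] or {saruman7@india.com}.BRT92. The file listing is constructed; .txt, .doc and .apk are deliberately left out of the table because they collide with ordinary file types.

```python
"""Triage helper: spot GlobeImposter extension marks and ransom-note names in a
file listing. Added example, not the article's code; SAMPLE_LISTING is constructed."""
from __future__ import annotations

import re
from collections import Counter

# Subset of the extension marks quoted on this page. .txt, .doc and .apk are left out
# on purpose: they collide with ordinary file types and would flood the report.
KNOWN_EXTENSIONS = {
    ".crypt", ".492", ".490", ".726", ".725", ".troy", ".rose", ".ocean", ".goro",
    ".au1crypt", ".s1crypt", ".wallet", ".keepcalm", ".fix", ".trump", ".granny",
    ".brt92", ".f41o1", ".astra", ".coded", ".4035", ".clinton", ".reagan", ".zuzya",
    ".lego", ".unlis", ".707", ".skunk", ".needkeys", ".yaya", ".illnest",
}
# Ransom-note file names quoted on this page (compared case-insensitively).
RANSOM_NOTES = {
    "read_it.html", "here_your_files!.html", "here_your_files.html", "!sos!.html",
    "how_open_files.hta", "how_to_back_files.html", "recover-files.html",
    "recover-files-726.html", "!back_files!.html", "read___me.html", "read_me.html",
    "!free_files!.html", "#how_decrypt_files#.html", "#decrypt_files#.html",
}
# Variants that embed the contact address in the mark: ".[addr]" or "{addr}.BRT92".
EMAIL_IN_EXT_RE = re.compile(r"[\[{]([^\[\]{}@\s]+@[^\[\]{}\s]+)[\]}]")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def triage(paths: list[str]) -> dict:
    """Summarise which marks, notes and contact addresses appear in the listing."""
    ext_hits = Counter()
    notes = []
    contacts = set()
    for path in paths:
        name = _basename(path)
        lower = name.lower()
        if lower in RANSOM_NOTES:
            notes.append(path)
            continue
        match = EMAIL_IN_EXT_RE.search(name)
        ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
        if ext in KNOWN_EXTENSIONS:
            ext_hits[ext] += 1                              # e.g. "{addr}.BRT92" -> ".brt92"
        elif match:
            ext_hits["." + match.group(0).lower()] += 1     # e.g. ".[d7516@ya.ru]"
        if match:
            contacts.add(match.group(1))
    return {
        "encrypted_files": sum(ext_hits.values()),
        "extensions": dict(ext_hits),
        "ransom_notes": notes,
        "contacts": sorted(contacts),
        # Marked files plus a note on disk is the combination worth escalating on.
        "suspected": bool(ext_hits) and bool(notes),
    }


# Constructed listing standing in for the output of a directory walk.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.crypt",
    r"C:\Users\alice\Documents\notes.docx.crypt",
    r"C:\Users\alice\Documents\here_your_files!.html",
    r"C:\Users\alice\Pictures\cat.jpg.[d7516@ya.ru]",
    r"C:\Users\alice\Pictures\dog.jpg.{saruman7@india.com}.BRT92",
    r"C:\Users\alice\Desktop\shopping.txt",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```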

Each variant also names its own contact e-mail address; the addresses used by individual versions are given in the descriptions below.

Experts recently discovered new versions of the file-encrypting virus

.Trump extension virus. This version does not state a specific demanded amount; it merely urges victims to get in touch via the Donald_Trump@derpymail.org and happydaayz@aol.com e-mail addresses. The key characteristic of this variant is the extremely long identification code it uses, which is unusual compared with the previous versions of the ransomware.

.GRANNY file extension malware. The virus was first discovered in August, and analysts spotted it spreading as a trojan horse via infected online gaming websites and torrent files. To increase their illegal profits, this time the attackers provide the crazyfoot_granny@aol.com and crazyfoot_granny@india.com addresses and offer to decrypt one selected file for free.

{saruman7@india.com}.BRT92 file malware. Security experts noticed several changes in this variant: the hackers altered the e-mail domains (saruman@india.com) and renamed the instruction file to #DECRYPT_FILES#.html. The other features of the malware remain the same.

Several other versions emerged as well, appending the .UNLIS, .LEGO, .D2550A49BF52DFC23F2C013C5 and .zuzya file extensions. No significant changes were spotted in them, leaving only the creativity of the hackers to laugh at: one version uses the .clinTON extension and urges victims to contact the perpetrators via the Bill_Clinton@derpymail.org e-mail address.

Short introduction to the versions of Globe Imposter ransomware

.f41o1 file extension malware. Although this variant does not provide an e-mail address, it displays an .onion address for further information in the READ_IT.html ransom note. The attackers promise to deliver the decryption tool within 48 hours; however, trusting the criminals is not a wise decision.

.astra file extension virus. This undecryptable variant shows no significant updates apart from using another extension mark. Victims receive a here_your_files!.html “ransom note” and are instructed to contact the criminals for the decryptor.

.coded file extension ransomware. Experts noticed two major changes in this version of Globe Imposter: the cybercriminals changed the appended extension mark to .coded and created new e-mail addresses for payment information. Computer users are now instructed to contact the attackers via the decoder_master@aol.com and decoder_master@india.com accounts.

.crypt file extension virus. The developers switched to a malspam campaign instead of sticking to the old distribution methods. BlankSlate (previously distributing BTCWare Aleta malware) was spotted spreading Globe Imposter via e-mail attachments.

The letter contains nothing except a ZIP file named EMAIL_[Random Digits]_[Recipient's Name].zip. This attachment holds two more files: another .zip file, inside which is a JavaScript file. Both are named with random characters and are used to infect the system.

The JavaScript file is designed to download the executable of the ransomware, which starts encrypting data as soon as it reaches the system. Afterwards it appends the .crypt extension and demands a ransom. Sadly, IT specialists have not released a decryption tool yet.
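As an added illustration (not code from the article or from any vendor it mentions), the following Python check inspects an e-mail attachment for the delivery chain described above: an outer ZIP named EMAIL_<digits>_<name>.zip, a nested ZIP, and a JavaScript file inside it. The sample archives are constructed in memory and contain only inert placeholder text; the extra script extensions beside .js are an assumption, not something the article lists.

```python
"""Mail-gateway check for the .crypt delivery chain described above:
ZIP named EMAIL_<digits>_<name>.zip -> nested ZIP -> JavaScript downloader.
Added example, not the article's code; the sample archives are constructed."""
from __future__ import annotations

import io
import re
import zipfile

# Outer attachment name pattern quoted in the article: EMAIL_[Random Digits]_[Recipient's Name].zip
OUTER_NAME_RE = re.compile(r"^EMAIL_\d+_.+\.zip$", re.IGNORECASE)
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs")   # .js is what the article names; the rest are assumed siblings
MAX_DEPTH = 3                                    # stop recursing into archives nested deeper than this


def inspect_archive(data: bytes, depth: int = 0) -> list[str]:
    """List script files and nested archives inside a ZIP, recursing into nested ZIPs."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"depth {depth}: not a valid ZIP"]
    findings = []
    for info in zf.infolist():
        lower = info.filename.lower()
        if lower.endswith(SCRIPT_EXTS):
            findings.append(f"depth {depth}: script file {info.filename!r}")
        elif lower.endswith(".zip"):
            findings.append(f"depth {depth}: nested archive {info.filename!r}")
            if depth < MAX_DEPTH:
                findings.extend(inspect_archive(zf.read(info), depth + 1))
    return findings


def classify_attachment(filename: str, data: bytes) -> dict:
    """'block' when the full ZIP-in-ZIP-with-script chain is present, 'review' on partial hits."""
    findings = inspect_archive(data)
    name_match = bool(OUTER_NAME_RE.match(filename))
    nested = any("nested archive" in f for f in findings)
    script = any("script file" in f for f in findings)
    if nested and script:
        verdict = "block"
    elif script or name_match:
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "name_pattern": name_match, "nested_archive": nested,
            "script_inside": script, "verdict": verdict, "findings": findings}


def _zip_bytes(entries: dict[str, bytes]) -> bytes:
    """Build a ZIP in memory from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_malspam() -> tuple[str, bytes]:
    """Constructed lookalike of the chain: random-named inner ZIP holding an inert .js stub."""
    inner = _zip_bytes({"q8f2k1.js": b"// placeholder stub, does nothing\n"})
    outer = _zip_bytes({"x7d9a0.zip": inner})
    return "EMAIL_48213_John.Smith.zip", outer


def sample_benign() -> tuple[str, bytes]:
    """Constructed ordinary attachment: a ZIP of documents, no scripts, no nesting."""
    return "invoices_q3.zip", _zip_bytes({"invoice.pdf": b"%PDF-1.4 stub", "notes.docx": b"PK stub"})


if __name__ == "__main__":
    for name, data in (sample_malspam(), sample_benign()):
        print(classify_attachment(name, data))
```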

.492 file extension malware. This variant was also not significantly updated: once installed, it starts encoding data and uses the .492 file extension. The victim receives a ransom note named here_your_files.html in a web browser window. It claims that a security issue is the reason the computer's data was encrypted, and that he or she should contact the attackers directly by writing to file_free@protonmail.com or koreajoin69@tutanota.com.

.490 file extension virus. IT specialists still cannot help recover the files of those who encountered this version of Globe Imposter. It appends the .490 extension to the end of the file name and drops a !free_files!.html file that serves as the ransom note.

.726 file extension ransomware. It differs only slightly from the .725 version, since the criminals tend to change the file extensions continuously. This time the victim discovers RECOVER-FILES-726.html as the ransom note. The perpetrators demand 0.37 Bitcoin for a decryption tool.

.725 file extension malware. Victims report that this version demands 0.19 Bitcoin to retrieve the encrypted data. It tries to confuse people with the different .725 extension mark, and the ransom note name is changed to RECOVER-FILES.HTML. The only way to regain access to the corrupted files is to use backup copies.

.Write_me_[btc2017@india.com] file extension virus. This file-encrypting virus acts similarly; only its design differs. Files on the targeted computer are encrypted and marked with the .Write_me_[btc2017@india.com] file extension, and shortly after a ransom is demanded to retrieve the compromised data. Victims are urged to contact the cybercriminals at the btc2017@india.com e-mail address.

A1Lock virus. Experts say that this version of the GlobeImposter virus uses several extension marks and indicates different e-mail addresses after encrypting data. Users reported .707, .rose and .troy extensions appended to the end of the file name. The name of the ransom note might also differ: How_to_back_files.html or RECOVER-FILES.html.

These files contain information on how to retrieve the data and provide the troysecure@yandex.by, i-absolutus@bigmir.net, crypt@troysecure.me and troysecure@yahoo.com e-mail addresses for contact.

.ocean file extension ransomware. IT security experts noticed this variant spreading in 2017. The developers have changed the extension mark and the name of the ransom note once again — now it appends .ocean and drops a !back_files!.html file.

Victims are intimidated to contact the attackers via oceannew_vb@protonmail.com e-mail address as soon as possible, or the amount of money necessary for a decryption tool will increase.

.{email}.BRT92 file extension virus. Victims who encounter .{email}.BRT92 file extension mark might immediately identify that it is a new version of Globe Imposter. It provides its victims with a #HOW_DECRYPT_FILES#.html file to instruct on how to decrypt the files. Criminals indicate asnaeb7@india.com and asnaeb7@yahoo.com address to stay in touch with the victims.

.goro file extension malware. Anti-virus systems identify this virus as Trojan[Ransom]/Win32.Purgen or Arcabit Trojan.Ransom.GlobeImposter.1. It takes advantage of weakly secured Remote Desktop Protocol (RDP) access to infiltrate the system and launches a goro.exe process.

Experts claim that this version is closely linked to the Wallet virus from the Dharma ransomware family. The cybercriminals indicate the mk.goro@aol.com e-mail address for further information.

.au1crypt file extension virus. This version employs AES and RSA algorithms to encrypt files on the targeted computer. Developers present their demands on the how_to_back_files.html ransom note. Moreover, they provide summerteam@tuta.io and summerteam@india.com e-mail addresses and urge to contact in order to retrieve the access to encrypted files.

.s1crypt file extension ransomware. Security software recognizes this variant of GlobeImposter as Trojan.Generic.DB7505. It also encrypts data and demands an enormous ransom of 2 Bitcoins. Victims are provided with detailed guidelines on how to purchase Bitcoins and with the laboratoria@protonmail.ch e-mail address in case they have further questions. All of this information is stored in the how_to_back_files.html ransom note.

Wallet GlobeImposter virus. This version was discovered in May 2017 and appends the .wallet extension to encrypted data. Its key feature is that it deletes the Shadow Volume Copies in order to prevent victims from recovering their data.

The hackers display a how_to_back_files.html file, which acts as the ransom note and offers to contact them via the BM-2cXpCihgsVxB31uLjALsCzAwt5xyxr467U[@]bitmessage.ch address.

KeepCalm virus. Crypto-malware uses complex algorithms to encrypt files on victim’s computer and later, asks to pay a ransom for a decryption tool. It can be recognized from the .keepcalm extension mark it appends at the end of the file-name.

Shortly after, it drops a HOW_TO_BACK_FILES.html and indicates keepcalmpls@india.com e-mail. The victim has to send a screenshot of the ransom payment together with his or her authentic ID number to receive a decryptor.

GlobeImposter German version. This version is developed explicitly for German-speaking targets. The ransom note is displayed only in German, and attackers demand 0.5 Bitcoin for a decryption tool. To authorize the transaction victims are asked to send a snapshot of the payment to decryptmyfiles@inbox.ru e-mail address.

GlobeImposter 2.0 virus. You can recognize this version by the .FIX file extension mark. Reports state that it spreads via spam e-mail attachments or even drive-by downloads once the victim clicks on a malicious ad.

Unfortunately, due to the sophisticated algorithms used, no GlobeImposter 2.0 decryptor is available. Thus, we encourage you always to keep backups in case of ransomware.

Recent Updates on the evolution of the file-encrypting virus

Update August 1, 2017. Researchers at malware-traffic-analysis.net spotted new sender e-mail addresses used to distribute the malware, each paired with its own subject line and ZIP attachment name.

Update August 14, 2017. Developers of the emerging versions of Globe Imposter try to confuse victims by changing the extension marks appended to the files. Since 8 August, experts have noticed new extensions: .rumblegoodboy, .0402, .txt, .BONUM, .trump, .JEEP, .GRAFF, .MIXI and .ACTUM.

Moreover, the hackers also changed some of the ransom note names you may encounter: !SOS!.html or Read_ME.html files now provide the information on how to retrieve your data.

Update September 15, 2017. Hackers release new variants of Globe Imposter monthly. Even though there are no significant modifications, the newest extensions discovered are .YAYA, .needkeys, .SKUNK, .nWcrypt, .[d7516@ya.ru], .foSTE, .490 and .ILLNEST.

Besides, the crooks seem to be very interested in US politics as well. They presented a variant appending the .reaGan file extension and giving a Ronald_Reagan@derpymail.org e-mail address for contact purposes.

Finally, security software is able to detect the ransomware as Generic.Ransom, Ransom:Win32/Ergop.A, Trojan.Purgen.ba, or GlobeImposter.56A888. Yet the criminals have improved their versions to impersonate legitimate processes such as cmd.exe, btm1.exe or encv.exe, so that users are confused and unable to recognize the malware.

Experts also noticed that the file-encrypting virus loads the SHLWAPI.dll, USER32.dll, ADVAPI32.dll, KERNEL32.dll and ole32.dll system libraries after infiltration. Thus you should be aware of the possible threats and protect your files.

Update September 20th, 2017. IT security experts spotted that Globe Imposter is distributed through a crypto-malware campaign closely linked to the well-known Locky ransomware. The campaign spreads malicious spam messages containing an infected link; the corrupted e-mail holds a .7z attachment, which is programmed to download Locky or Globe Imposter ransomware once the computer user clicks on it.

Besides, this is not the only method hackers employ to spread the ransomware. IT professionals warn users about empty e-mail letters that contain .doc file that is designed to download the executable of the ransomware from the remote server. Thus, avoid clicking on suspicious attachments and always make sure to use a reliable security software.

Update October 18, 2017. Security experts inform people about the new Globe Imposter version, which appends .4035 extension to the file-name. Criminals started using a Rig exploit kit to distribute the ransomware via malicious websites. If you ever encounter a redirect to a suspicious site, close the tab/window immediately and avoid visiting it in the future.

Malspam campaigns are the primary ransomware distribution method employed by the hackers

The developers create spam e-mails with an infected attachment to spread the ransomware worldwide. Because the messages look genuine, people are easily tricked into opening them. Be aware that the malicious letter might impersonate well-known companies or even governmental institutions to lure you into clicking on it.

Hackers often write a subject line claiming that a valuable document has been sent to you. Do not be tricked into opening it. Instead, delete the e-mail immediately and purchase a professional anti-malware application to avoid a ransomware attack.

Moreover, GlobeImposter virus might be distributed via malware-laden advertisements on suspicious websites or drive-by downloads. Therefore, avoid clicking on ads despite how legitimate they look. You should be extremely careful since even accidental clicks may trigger an automatic installation of high-risk computer infections.

Besides, download updates for Windows, Adobe Flash Player or other programs only from official websites. Hackers take advantage of gullible people and spread the ransomware via fake upgrades.

Tips to protect your computer from malware attack:

  • Use a professional security system and regularly update it;
  • Always backup your files and store them in the cloud;
  • Avoid clicking on sponsored ads that may appear as pop-ups, banners, etc.;
  • Download applications only from verified developers and scan them beforehand;
  • If you receive a vague message from your friend, contact him or her in person to make sure that social media account is not hacked and used to distribute computer infections.

Get rid of Globe Imposter virus

In order to remove Globe Imposter virus, you should employ a powerful anti-malware program. Developers invest considerable amounts of money to make sure that the elimination of the virus won’t be easy. Thus, choose wisely and do not get tricked by scammers, who offer useless and expensive security software online. Always read reviews and opt for the best one.

Besides, you should be aware that Globe Imposter decryption is a very complex process. Once you delete the virus, your files might be permanently damaged. You could try several alternative recovery methods, but some versions of this malware are undecryptable.

Alternatively, you can carry out a manual Globe Imposter removal. We have prepared detailed instructions below to make sure that you do it correctly; do not improvise, since mistakes may lead to even more damage to your system. Carefully follow the guide below to protect your computer.


Manual Globe Imposter Virus Removal Instructions:

Eliminate Globe Imposter using Safe Mode with Networking


Globe Imposter ransomware is designed to complicate the removal process. Therefore, it may block the installation of the professional anti-malware system. Follow the steps below to avoid that:

  • Step 1: Restart your computer in Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Go to Start → Shutdown → Restart → OK.
    2. As soon as your computer starts, press the F8 key repeatedly before the Windows logo shows up.
    3. Choose Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Click the Power button at the Windows login screen, then press and hold the Shift key on your keyboard and click Restart.
    2. Select Troubleshoot → Advanced options → Startup Settings and click Restart.
    3. Once your computer starts, select Enable Safe Mode with Networking from the list of options in Startup Settings.
  • Step 2: Remove Globe Imposter

    Sign in to your account and launch any Internet browser. Download a legitimate anti-malware program, for instance Reimage. Update it to the latest version and run a full system scan with it to detect and eliminate all malicious components of the ransomware, removing Globe Imposter completely.

If your ransomware does not allow you to access Safe Mode with Networking, please follow the instructions provided below.

Eliminate Globe Imposter using System Restore


Ransomware is the most malicious type of malware that you can encounter. Hackers tend to protect it from removal. Thus, FakeGlobe might not allow you to download and launch a security system. You should carefully follow the instructions below to safely remove the file-encrypting virus:

  • Step 1: Restart your computer in Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Go to Start → Shutdown → Restart → OK.
    2. As soon as your computer starts, press the F8 key repeatedly before the Windows logo shows up.
    3. Choose Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Click the Power button at the Windows login screen, then press and hold the Shift key on your keyboard and click Restart.
    2. Select Troubleshoot → Advanced options → Startup Settings and click Restart.
    3. Once your computer starts, select Enable Safe Mode with Command Prompt from the list of options in Startup Settings.
  • Step 2: Perform a system restore to recover files and settings
    1. When the Command Prompt window appears, type cd restore and press Enter.
    2. Then type rstrui.exe and press Enter.
    3. In the window that opens, click Next, choose a restore point created before the infiltration of Globe Imposter, and click Next again.
    4. To start the system restore, click Yes.
    After restoring the computer system to an earlier date, install Reimage and scan your computer with it to uncover any remains of Globe Imposter.

Bonus: Restore your files

Using the tutorial provided above you should be able to eliminate Globe Imposter from the infected device. The novirus.uk team has also prepared an in-depth data recovery guide, which follows below.

As mentioned above, not every version of the ransomware is decryptable, so the Emsisoft tool might not help you retrieve your files. But don't worry: you can try the alternative recovery methods provided below.

There are a couple of methods you can apply to recover data encrypted by Globe Imposter:

Data Recovery Pro might help you to decrypt your data

Originally, it is designed to recover data if you delete it accidentally. However, you should give it a try as well:

  • Download Data Recovery Pro (https://novirus.uk/download/data-recovery-pro-setup.exe);
  • Install Data Recovery on your computer following the steps indicated in the software’s Setup;
  • Run the program to scan your device for the data encrypted by Globe Imposter ransomware;
  • Recover the data.

ShadowExplorer may be useful

First make sure that the crypto-malware did not delete the Shadow Volume Copies. If they are still present, you should definitely use ShadowExplorer to recover corrupted files:

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Install Shadow Explorer on your computer following the instructions in the software’s Setup Wizard;
  • Run the program. Navigate to the menu on the top-left corner and select a disk containing your encrypted files. Look through the available folders;
  • When you find the folder you want to recover, right-click it and select “Export”. Also, choose where the recovered data will be stored.

Free Globe Imposter decryptor is released

Emsisoft has officially released a free decryption tool you can download from the authorized website.

It is strongly recommended to take precautions and secure your computer from malware attacks. To protect your PC from Globe Imposter and other dangerous viruses, you should install and keep a powerful malware removal tool, for instance Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

About the author

Linas Kiguolis

Source: https://www.2-spyware.com/remove-globe-imposter-ransomware-virus.html
