Globe Imposter ransomware keeps attacking victims by releasing new versions of the virus
Globe Imposter virus is a crypto-malware designed to encrypt victim’s data on the infected computer. It is also known as FakeGlobe since the malware is just a copy of well-known Globe ransomware. Analysts reported that the newest variants of the file-encrypting virus took advantage of Rig exploit kit for distribution. After it finishes its job, the extension marks are appended at the end of the file-name.
Developers of the ransomware carefully considered the methods they are going to use — once the malware is inside, it encrypts data on victim’s computer and tries to intimidate him or her by urging to pay a ransom for a decryption key. Shortly after, the ransom note delivers instructions on how to recover the files.
Typically, criminals demand an enormous amount of money in order to retrieve access to the valuable information stored on the computer. The victims are insisted on paying it in Bitcoins and urged to do it within a specified period of time, or the demanded amount will increase. Do not motivate the cybercriminals by paying the ransom — focus on the GlobeImposter removal instead.
Besides, do not try to search for alternative decryption tools online since hackers use sophisticated RSA and AES algorithms to encode data. In other terms, even IT specialists cannot generate the decryption key. There are several versions which can be circumvented by the free GlobeImposter decrypter although, the rest of them block the access to your files permanently.
Thus, if you do not want to suffer from financial losses, remove Globe Imposter malware with the help of FortectIntego or Malwarebytes and do not spend considerable amounts of money on useless decryption tools. Be aware that after the malware elimination your files will still remain encoded. But do not panic — you can retrieve your data from backup copies stored in the cloud or try alternative recovery methods.
As mentioned above, Globe Imposter virus has numerous versions and all of them use different:
Extension marks;
Bitcoin accounts and e-mail addresses;
Instruction files.
You can check the detailed list of differences mentioned above. Be aware that criminals might create new variants of GlobeImposter, and this list will expand. Thus, you can expect for regular updates.
The ransom note might appear in any of these forms depending on the Globe Imposter version:
READ_IT.;
here_your_files!.html);
!SOS!.html;
HOW_OPEN_FILES.hta;
how_to_back_files.html;
RECOVER-FILES.html;
!back_files!.html;
Note Filename: support.html;
Read___ME.html;
!free_files!.html;
#HOW_DECRYPT_FILES#.html.
Also, criminals change the file extension with each new variant release:
As mentioned above, the attackers may provide an e-mail for contact purpose:
crypt@troysecure.me;
troysecure@yandex.by;
chines34@protonmail.ch;
decryptmyfiles@inbox.ru;
garryweber@protonmail.ch;
write_me_[btc2017@india.com];
support24_02@india.com;
happydaayz@aol.com;
btc.me@india.com;
asnaeb7@yahoo.com;
i-absolutus@bigmir.net;
keepcalmpls@india.com;
511_made@cyber-wizard.com;
crazyfoot_granny@india.com;
laborotoria@protonmail.ch;
filesopen@yahoo.com;openingfill@hotmail.com;
strongman@india.com;
Bill_Clinton@derpymail.org;
saruman@india.com;
Donald_Trump@derpymail.org;
support24@india.com;
oceannew_vb@protonmail.com;
asnaeb7@india.com;
troysecure@yahoo.com;
_master@india.com;
happydaayz@aol.com;
crazyfoot_granny@aol.com.
Globe imposter ransomware is also known as FakeGlobe and encrypts data on victimized computer.
Experts recently discovered new versions of the file-encrypting virus
.Trump extension virus. This version does not specifically indicate the demanded amount of money. However, urges to contact via Donald_Trump@derpymail.org and happydaayz@aol.com e-mails. The key characteristic of this malware is that it uses an extremely long identification code. Taking into account the previous versions of the ransomware, it is quite unusual.
.GRANNY file extension malware. The virus was first discovered in August and analysts spotted it spreading via infected online gaming websites or torrent files as a trojan horse. To increase the amounts of illegal profits, this time attackers provide crazyfoot_granny@aol.com and crazyfoot_granny@india.com and offer to decrypt one selected file for free.
{saruman7@india.com}.BRT92 file malware. Security experts noticed several improvements in this variant — hackers altered e-mail domains (saruman@india.com) and changed the name of the instructions file to #DECRYPT_FILES#.html. Other features of the malware remain the same.
Several other versions emerged as well, which append .UNLIS, .LEGO, .D2550A49BF52DFC23F2C013C5 and .zuzya file extensions. However, any significant changes were not spotted, leaving just to have a good laugh at the creativity of the hackers — one version uses .clinTON extensions and urges to contact the perpetrators via Bill_Clinton@derpymail.org e-mail address.
Short introduction to the versions of Globe Imposter ransomware
.f41o1 file extension malware. Even if this variant doesn’t provide an official e-mail address, it displays an .onion address for further information on the READ_IT.html ransom note. Attackers promise to submit the decryption tool in 48 hours. However, trusting the criminals is not a wise decision.
.astra file extension virus. The undecryptable malware does not show any significant updates, except uses another extension mark. Also, victims receive a here_your_files!.html “ransom note” and are further instructed to contact the criminals for the decryptor.
.coded file extension ransomware. Experts noticed two major changes in this new version of the Globe Imposter. Cybercriminals changed the appended extension mark to .coded and created new e-mail addresses for payment information. Now computer users are insisted on contacting the attackers via decoder_master@aol.com and decoder_master@india.com e-mail accounts.
.crypt file extension virus. The developers switched to malspam campaign instead of sticking to the old distribution methods. BlankSlate (previously distributing BTCWare Aleta malware) was spotted spreading Globe Imposter via e-mail attachments.
The letter contains nothing, except a ZIP file named EMAIL_[Random Digits]_[Recipient's Name].zip. This attachment holds two more files: the first is another .zip file inside of which is a JavaScript file. Both of them are named using random characters and used to infect the system.
The JavaScript file is designed to download an executable file of the ransomware, which starts data encryption as soon as it reaches the system. Afterwards, appends .crypt extension and demands a ransom. Sadly, but IT specialists have not released a decryption tool yet.
.492 file extension malware. This variant was also not significantly updated — once installed, it starts to encode data and uses .492 file extension. A victim receives a ransom note named here_your_files.html via web browser window. It states that the security issue is the reason why computer’s data was encrypted, and he or she should directly contact the attackers by writing to file_free@protonmail.com or koreajoin69@tutanota.com.
.490 file extension virus. IT specialists still cannot help to recover the files for those who encountered this version of Globe Imposter. It appends .490 extension at the end of the file-name and drops a !free_files!.html file considered as a ransom note.
.726 file extension ransomware. It is slightly different than .725 version. Criminals tend to change the file extensions continuously. This time the victim discovers a RECOVER-FILES-726.html as a ransom note. The perpetrators demand to pay 0.37 bitcoin to receive a decryption tool.
.725 file extension malware. Victims report that this version demands 0.19 Bitcoin to retrieve the encrypted data. It also tries to confuse people by different .725 extension mark. The ransom note name also is changed to RECOVER-FILES.HTML. Besides, the only way to regain access to the corrupted files is to use backup copies.
.Write_me_[btc2017@india.com] file extension virus. The file-encrypting virus acts similarly, just its design differs. The files on the targeted computer are encrypted and marked by the .Write_me_[btc2017@india.com] file extension. Shortly after, the ransom is demanded in order to retrieve compromised data. Victims are urged to use btc2017@india.com email address to contact the cybercriminals.
A1Lock virus. Experts say that this version of GlobeImposter virus use several extension marks and indicate different e-mail addresses after encrypting data. Users reported .707, .rose and .troy extensions appended at the end of the file-name. Besides, the name of the ransom note might also be different: How_to_back_files.html or RECOVER-FILES.html.
These files contain information on how to retrieve data and provides troysecure@yandex.by, i-absolutus@bigmir.net, crypt@troysecure.me, and troysecure@yahoo.com e-mail addresses for contacting purposes.
.ocean file extension ransomware. IT security experts noticed this variant spreading in 2017. The developers have changed the extension mark and the name of the ransom note once again — now it appends .ocean and drops a !back_files!.html file.
Victims are intimidated to contact the attackers via oceannew_vb@protonmail.com e-mail address as soon as possible, or the amount of money necessary for a decryption tool will increase.
.{email}.BRT92 file extension virus. Victims who encounter .{email}.BRT92 file extension mark might immediately identify that it is a new version of Globe Imposter. It provides its victims with a #HOW_DECRYPT_FILES#.html file to instruct on how to decrypt the files. Criminals indicate asnaeb7@india.com and asnaeb7@yahoo.com address to stay in touch with the victims.
.goro file extension malware. The virus is also known as a Trojan[Ransom]/Win32.Purgen, Arcabit Trojan.Ransom.GlobeImposter.1 or at least anti-virus systems identify it that way. It takes advantage of weak Remote Desktop Protocols (RDP) to infiltrate the system and launch a goro.exe process.
Experts claim that this version is inextricably linked to Wallet virus from Dharma ransomware family. Cybercriminals indicate mk.goro@aol.com e-mail address to contact for further information.
.au1crypt file extension virus. This version employs AES and RSA algorithms to encrypt files on the targeted computer. Developers present their demands on the how_to_back_files.html ransom note. Moreover, they provide summerteam@tuta.io and summerteam@india.com e-mail addresses and urge to contact in order to retrieve the access to encrypted files.
.s1crypt file extension ransomware. Security software recognizes this variant of GlobeImposter as Trojan.Generic.DB7505. It also encrypts data and demands to pay an enormous 2 Bitcoins ransom. Victims are provided with detailed guidelines on how to purchase Bitcoins and an laboratoria@protonmail.ch e-mail address in case they have further questions. All of this information is stored in the how_to_back_files.html ransom note.
Wallet GlobeImposter virus. The version is discovered in May 2017. It uses .wallet extension to encrypt data. Besides, the key feature is that it deletes Shadow Volume Copies in order to prevent victims from recovering their data.
Hackers display a how_to_back_files.html file, which acts as a ransom note and offers to contact them via BM-2cXpCihgsVxB31uLjALsCzAwt5xyxr467U[@]bitmessage.ch e-mail address.
KeepCalm virus. Crypto-malware uses complex algorithms to encrypt files on victim’s computer and later, asks to pay a ransom for a decryption tool. It can be recognized from the .keepcalm extension mark it appends at the end of the file-name.
Shortly after, it drops a HOW_TO_BACK_FILES.html and indicates keepcalmpls@india.com e-mail. The victim has to send a screenshot of the ransom payment together with his or her authentic ID number to receive a decryptor.
GlobeImposter German version. This version is developed explicitly for German-speaking targets. The ransom note is displayed only in German, and attackers demand 0.5 Bitcoin for a decryption tool. To authorize the transaction victims are asked to send a snapshot of the payment to decryptmyfiles@inbox.ru e-mail address.
GlobeImposter 2.0 virus. You can recognize this version by .FIX file extension mark. Reports state that is spreads via spam e-mail attachments or even drive-by downloads once the victim clicks on the malicious ads.
Unfortunately, due to the sophisticated algorithms used, GlobeImposter 2.0 decrypt is unavailable. Thus, we encourage you to always keep backups in case of ransomware.
Recent Updates on the evolution of the file-encrypting virus
Update August 1, 2017. IT technicians from malware-traffic-analysis.net website have spotted new e-mail addresses used to distribute the malware. You can check the list of them with the indicated specific subject titles and attachment names below:
Update August 14, 2017. Developers of the emerging versions of Globe Imposter try to confuse the victims by changing the extension marks appended to the files. Starting from 8th of August, experts noticed new extensions released: .rumblegoodboy, .0402, .txt, .BONUM, .trump, .JEEP, .GRAFF, .MIXI and .ACTUM.
Moreover, hackers also changed some names of the ransom notes you can encounter: !SOS!.html or Read_ME.html files providing the information on how to retrieve your data.
Update September 15, 2017. Hackers release new variants of the Globe Imposter monthly. Even though there are no significant modifications, the newest extensions discovered are: .YAYA .needkeys, .SKUNK, .nWcrypt, .[d7516@ya.ru], .foSTE, .490, .ILLNEST.
Besides, the crooks seem to be very interested in US politics as well. They presented a variant appending .reaGan file extension and dropping a Ronald_Reagan@derpymail.org email address for contact purposes.
Finally, the security software is able to detect the ransomware as Generic.Ransom, Ransom:Win32/Ergop.A, Trojan.Purgen.ba, or GlobeImposter.56A888. Yet, criminals improved the versions to impersonate legitimate processes such as cmd.exe, btm1.exe or encv.exe. This way people are confused and unable to recognize the malware.
Experts also noticed that the file-encrypting virus starts SHLWAPI.dll,USER32.dll, ADVAPI32.dll, KERNEL32.dll, or ole32.dll commands after the infiltration. Thus you should be aware of the possible threats and protect your files.
Update September 20th, 2017. IT security experts spotted that the Globe Imposter is distributed via the crypto-malware campaign that is inextricably linked to well-known Locky ransomware. It spreads malicious spam messages containing the infected link to infiltrate the virus on victim’s computer. Corrupted e-mail holds an attachment of a .7z file, which is programmed to download Locky or Globe Imposter ransomware once the computer user clicks on it.
Besides, this is not the only method hackers employ to spread the ransomware. IT professionals warn users about empty e-mail letters that contain .doc file that is designed to download the executable of the ransomware from the remote server. Thus, avoid clicking on suspicious attachments and always make sure to use a reliable security software.
Update October 18, 2017. Security experts inform people about the new Globe Imposter version, which appends .4035 extension to the file-name. Criminals started using a Rig exploit kit to distribute the ransomware via malicious websites. If you ever encounter a redirect to a suspicious site, close the tab/window immediately and avoid visiting it in the future.
Malspam campaigns is the primary ransomware distribution method employed by the hackers
Developers create spam e-mails containing an infected attachment to spread the ransomware worldwide. They usually trick people to click on them due to the genuine appearance. Be aware that the malicious letter might impersonate infamous companies or even governmental institutions to lure you into clicking on it.
Hackers often create a subject title that states about the valuable document sent to you. Do not get tricked opening it. Instead, delete the e-mail immediately and purchase a professional anti-malware application to avoid the ransomware attack.
Moreover, GlobeImposter virus might be distributed via malware-laden advertisements on suspicious websites or drive-by downloads. Therefore, avoid clicking on ads despite how legitimate they look. You should be extremely careful since even accidental clicks may trigger an automatic installation of high-risk computer infections.
Besides, download updates for Windows, Adobe Flash Player or other programs only from official websites. Hackers take advantage of gullible people and spread the ransomware via fake upgrades.
Tips to protect your computer from malware attack:
Use a professional security system and regularly update it;
Always backup your files and store them in the cloud;
Avoid clicking on sponsored ads that may appear as pop-ups, banners, etc.;
Download applications only from verified developers and scan them beforehand;
If you receive a vague message from your friend, contact him or her in person to make sure that social media account is not hacked and used to distribute computer infections.
Get rid of Globe Imposter virus
In order to remove Globe Imposter virus, you should employ a powerful anti-malware program. Developers invest considerable amounts of money to make sure that the elimination of the virus won’t be easy. Thus, choose wisely and do not get tricked by scammers, who offer useless and expensive security software online. Always read reviews and opt for the best one.
Besides, you should be aware that Globe Imposter decryption is a very complex process. Once you delete the virus, your files might be permanently damaged. You could try several alternative recovery methods, but some versions of this malware are undecryptable.
Moreover, you can choose to start a manual Globe Imposter removal. We have prepared detailed instructions below to make sure that you do it correctly. Do not try to get rid of it by yourself since it may lead to even more damage to your system. Carefully follow the guide below to protect your computer.
Compatible with Microsoft Windows
Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Globe Imposter ransomware is designed to complicate the removal process. Therefore, it may block the installation of the professional anti-malware system. Follow the steps below to avoid that:
Important! → The elimination guide can appear too difficult if you are not tech-savvy. It requires some knowledge of computer processes since it includes system changes that need to be performed correctly. You need to take steps carefully and follow the guide avoiding any issues created due to improper setting changes. Automatic methods might suit you better if you find the guide too difficult.
Step 1. Launch Safe Mode with Networking
Safe Mode environment offers better results of manual virus removal
Windows 7 / Vista / XP
Go to Start.
Choose Shutdown, then Restart, and OK.
When your computer boots, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) a few times until you see the Advanced Boot Options window.
Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
Right-click the Start button and choose Settings.
Scroll down to find Update & Security.
On the left, pick Recovery.
Scroll to find Advanced Startup section.
Click Restart now.
Choose Troubleshoot.
Go to Advanced options.
Select Startup Settings.
Press Restart.
Choose 5) Enable Safe Mode with Networking.
Step 2. End questionable processes
You can rely on Windows Task Manager that finds all the random processes in the background. When the intruder is triggering any processes, you can shut them down:
Press Ctrl + Shift + Esc keys to open Windows Task Manager.
Click on More details.
Scroll down to Background processes.
Look for anything suspicious.
Right-click and select Open file location.
Go back to the Process tab, right-click and pick End Task.
Delete the contents of the malicious folder.
Step 3. Check the program in Startup
Press Ctrl + Shift + Esc on your keyboard again.
Go to the Startup tab.
Right-click on the suspicious app and pick Disable.
Step 4. Find and eliminate virus files
Data related to the infection can be hidden in various places. Follow the steps and you can find them:
Type in Disk Cleanup in Windows search and press Enter.
Select the drive (C: is your main drive by default and is likely to be the one that has malicious files in) you want to clean.
Scroll through the Files to delete and select the following:
Temporary Internet Files Downloads Recycle Bin Temporary files
Pick Clean up system files.
You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData% %LocalAppData% %ProgramData% %WinDir%
After you are finished, reboot the PC in normal mode.
Eliminate Globe Imposter using System Restore
Ransomware is the most malicious type of malware that you can encounter. Hackers tend to protect it from removal. Thus, FakeGlobe might not allow you to download and launch a security system. You should carefully follow the instructions below to safely remove the file-encrypting virus:
Step 1: Restart your computer in Safe Mode with Command Prompt Windows 7 / Vista / XP
Go to Start→Shutdown→Restart→OK.
As soon as your computer starts, start pressing F8 key repeatedly before the Windows logo shows up.
Choose Command Prompt from the list
Windows 10 / Windows 8
Click on the Power button at the Windows login screen, and then press and hold Shift key on your keyboard. Then click Restart.
Then select Troubleshoot→Advanced options→Startup Settings and click Restart.
Once your computer starts, select Enable Safe Mode with Command Prompt from the list of options in Startup Settings.
Step 2: Perform a system restore to recover files and settings
When the Command Prompt window appears, type in cd restore and press Enter.
Then type rstrui.exe and hit Enter..
In a new window that shows up, click the Next button and choose a restore point that was created before the infiltration of Globe Imposter and then click on the Next button again.
To start system restore, click Yes.
After restoring the computer system to an antecedent date, install and check your computer with FortectIntego to uncover any remains of Globe Imposter.
Bonus: Restore your files
Using the tutorial provided above you should be able to eliminate Globe Imposter from the infected device. novirus.uk team has also prepared an in-depth data recovery guide which you will also find above.
As mentioned above, not every version of the ransomware is decryptable. Thus, Emsisoft tool might not help you to retrieve your files back. But don't worry you can try alternative recovery methods provided below:
There are a couple of methods you can apply to recover data encrypted by Globe Imposter:
Install Shadow Explorer on your computer following the instructions in the software’s Setup Wizard;
Run the program. Navigate to the menu on the top-left corner and select a disk containing your encrypted files. Look through the available folders;
When you find the folder you want to recover, right-click it and select “Export”. Also, choose where the recovered data will be stored.
Free Globe Imposter decryptor is released
Emsisoft has officially released a free decryption tool you can download from the authorized website.
It is strongly recommended to take precautions and secure your computer from malware attacks. To protect your PC from Globe Imposter and other dangerous viruses, you should install and keep a powerful malware removal tool, for instance, FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes.
How to prevent from getting ransomware
Securely connect to your website wherever you are
Sometimes you may need to log in to a content management system or server more often, especially if you are actively working on a blog, website, or different project that needs constant maintenance or that requires frequent content updates or other changes. Avoiding this problem can be easy if you choose a dedicated/fixed IP address. It's a static IP address that only belongs to a specific device and does not change when you are in different locations.
VPN service providers such as Private Internet Access can help you with these settings. This tool can help you control your online reputation and successfully manage your projects wherever you are. It is important to prevent different IP addresses from connecting to your website. With a dedicated/fixed IP address, VPN service, and secure access to a content management system, your project will remain secure.
Reduce the threat of viruses by backing up your data
Due to their own careless behavior, computer users can suffer various losses caused by cyber infections. Viruses can affect the functionality of the software or directly corrupt data on your system by encrypting it. These problems can disrupt the system and cause you to lose personal data permanently. There is no such threat if you have the latest backups, as you can easily recover lost data and get back to work.
It is recommended to update the backups in parallel each time the system is modified. This way, you will be able to access the latest saved data after an unexpected virus attack or system failure. By having the latest copies of important documents and projects, you will avoid serious inconveniences. File backups are especially useful if malware attacks your system unexpectedly. We recommend using the Data Recovery Pro program to restore the system.
If you found this free tutorial helpful, please consider making a donation to support us. Even the smallest amount will be appreciated and will help to keep this service alive.
