Globe Imposter ransomware virus. How to remove? (Uninstall guide)

by Linas Kiguolis | Type: Ransomware

Globe Imposter virus keeps changing every day


Globe Imposter is a ransomware-type virus which tries to look like the dangerous Globe ransomware. It encrypts computer files so that the extortionists can sell the decryption key to their owners.[1] Once it is done encrypting your files, the virus marks them with specific file extensions and instructs victims to write to a provided email address to contact the ransomware developers.

GlobeImposter ransomware is known to be using a long list of different file extensions to mark encoded files. From time to time, the malware also changes the name of the ransom note.

Depending on the virus version, the ransomware can add one of the following extensions to encrypted files:

..txt, .0402, .BONUM, .ACTUM, .JEEP, .GRAFF, .trump, .rumblegoodboy, .goro, .au1crypt, .s1crypt, .nCrypt, .hNcrypt, .legally, .keepcalm, .plin, .fix, .515, .crypt, .paycyka, .pizdec, .wallet, .vdulm, .2cXpCihgsVxB3, .medal, .3ncrypt3d, .[byd@india.com]SON, .troy, .Virginprotection, .BRT92, .725, .ocean, .rose, .GOTHAM, .HAPP, .write_me_[btc2017@india.com], .VAPE, .726, .490, .coded, .skunk, .492, and .astra.

Currently known names of GlobeImposter ransom notes (used by different virus versions):

  • HOW_OPEN_FILES.hta;
  • how_to_back_files.html;
  • RECOVER-FILES.html;
  • !back_files!.html;
  • !free_files!.html;
  • #HOW_DECRYPT_FILES#.html;
  • here_your_files!.html.
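Because the extensions and note names above are the most reliable on-disk indicators of a GlobeImposter infection, a responder can triage an affected share by walking it and flagging exactly those two things. The script below is an added example written for this guide, not code from the original page or from any vendor: it matches file names against the page's extension list (suffix-based and case-insensitive, so awkward extensions such as `..txt` and `.write_me_[btc2017@india.com]` work), collects ransom notes by their known names, and pulls the contact email addresses and BitMessage ids out of those notes, since the page explains that variants are named after exactly those details. The sample directory tree it builds is constructed for the demonstration and contains no real ciphertext or malware.

```python
import os
import re
import tempfile
from collections import Counter

# File extensions the page lists for GlobeImposter variants.
GLOBEIMPOSTER_EXTENSIONS = [
    "..txt", ".0402", ".BONUM", ".ACTUM", ".JEEP", ".GRAFF", ".trump",
    ".rumblegoodboy", ".goro", ".au1crypt", ".s1crypt", ".nCrypt", ".hNcrypt",
    ".legally", ".keepcalm", ".plin", ".fix", ".515", ".crypt", ".paycyka",
    ".pizdec", ".wallet", ".vdulm", ".2cXpCihgsVxB3", ".medal", ".3ncrypt3d",
    ".[byd@india.com]SON", ".troy", ".Virginprotection", ".BRT92", ".725",
    ".ocean", ".rose", ".GOTHAM", ".HAPP", ".write_me_[btc2017@india.com]",
    ".VAPE", ".726", ".490", ".coded", ".skunk", ".492", ".astra",
]

# Ransom note file names the page lists, lower-cased for comparison.
RANSOM_NOTE_NAMES = {
    "how_open_files.hta", "how_to_back_files.html", "recover-files.html",
    "!back_files!.html", "!free_files!.html", "#how_decrypt_files#.html",
    "here_your_files!.html",
}

# Contact details found in the notes: email addresses and BitMessage ids.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
BITMESSAGE_RE = re.compile(r"BM-[A-Za-z0-9]{20,}")


def classify_name(filename):
    """Return ('ransom_note', None), ('encrypted', ext) or None for a file name."""
    lower = filename.lower()
    if lower in RANSOM_NOTE_NAMES:
        return ("ransom_note", None)
    for ext in GLOBEIMPOSTER_EXTENSIONS:
        # Require something before the extension so a bare ".crypt" is not counted.
        if len(lower) > len(ext) and lower.endswith(ext.lower()):
            return ("encrypted", ext)
    return None


def extract_contacts(text):
    """Collect email addresses and BitMessage ids from ransom note text."""
    return set(EMAIL_RE.findall(text)) | set(BITMESSAGE_RE.findall(text))


def scan_directory(root):
    """Walk root and report encrypted files, ransom notes and contacts found."""
    result = {"encrypted": [], "notes": [], "contacts": set(), "extensions": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            verdict = classify_name(name)
            if verdict is None:
                continue
            kind, ext = verdict
            if kind == "encrypted":
                result["encrypted"].append((path, ext))
                result["extensions"][ext] += 1
            else:
                result["notes"].append(path)
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    result["contacts"] |= extract_contacts(fh.read())
    return result


def summarize(result):
    """Sorted base names, convenient for reporting and for checking results."""
    return {
        "encrypted": sorted(os.path.basename(p) for p, _ in result["encrypted"]),
        "notes": sorted(os.path.basename(p) for p in result["notes"]),
        "contacts": sorted(result["contacts"]),
    }


def build_sample_tree():
    """Constructed sample: a temp folder imitating a hit by the .crypt and
    .write_me_ variants, plus two benign files that must not be flagged."""
    root = tempfile.mkdtemp(prefix="globeimposter_demo_")
    sub = os.path.join(root, "Documents")
    os.makedirs(sub)
    samples = {
        os.path.join(root, "report.docx.crypt"): b"\x00\x01 constructed ciphertext",
        os.path.join(sub, "budget.xlsx.write_me_[btc2017@india.com]"): b"\x00\x02 constructed",
        os.path.join(sub, "photo.jpg..txt"): b"\x00\x03 constructed",
        os.path.join(root, "readme.txt"): b"benign text file",
        os.path.join(sub, "setup.exe"): b"MZ benign placeholder",
        os.path.join(root, "!back_files!.html"):
            b"<html>Your files are encrypted. Write to oceannew_vb@protonmail.com</html>",
        os.path.join(sub, "how_to_back_files.html"):
            b"<html>ID: 1234 BitMessage: BM-2cXpCihgsVxB31uLjALsCzAwt5xyxr467U[@]bitmessage.ch</html>",
    }
    for path, content in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    report = scan_directory(build_sample_tree())
    print(summarize(report))
    print("extension counts:", dict(report["extensions"]))
```

Run it against a real share by passing the mount point to `scan_directory` instead of the constructed tree; the extension counter tells you at a glance which variant you are dealing with, and the extracted contacts are what to search for when looking up whether a decrypter exists for that variant.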

Since the virus's authors rarely provide a name for the ransomware, security experts name the variants after the file extensions they use or the email addresses they provide. This way, ransomware victims can find help online more easily.

To keep things simple: all these parasites are similar, so they are all assigned to the Globe Imposter family. Some security experts refer to them as Fake Globe. We should point out that although these viruses are only copycat versions of the original parasite, this by no means takes away their destructiveness.

Repeated reports by victims attacked by these viruses show that the developers of the ransomware continuously change their contact details and provide different email or BitMessage addresses in the ransom notes, including:

  • write_me_[btc2017@india.com]
  • 511_made@cyber-wizard.com
  • btc.me@india.com
  • chines34@protonmail.ch
  • decryptmyfiles@inbox.ru
  • garryweber@protonmail.ch
  • keepcalmpls@india.com
  • happydaayz@aol.com
  • strongman@india.com
  • support24@india.com
  • support24_02@india.com
  • oceannew_vb@protonmail.com
  • asnaeb7@india.com
  • asnaeb7@yahoo.com
  • i-absolutus@bigmir.net
  • laborotoria@protonmail.ch
  • filesopen@yahoo.com
  • openingfill@hotmail.com
  • crypt@troysecure.me
  • troysecure@yandex.by
  • troysecure@yahoo.com
  • _master@india.com

Fake Globe virus can encrypt files just as successfully as any other ransomware that has been developed from scratch. Considering that there are numerous variants of this ransomware, we can only say that certain variants use the RSA and AES ciphers that most ransomware relies on in its attacks [2]. While some versions of the malware can be decrypted, the rest remain extremely dangerous.

The security experts from Emsisoft have succeeded in creating a decryption tool for the ransomware: a free GlobeImposter decrypter which helps ransomware victims recover their files and restore order on their computers [3]. At the moment of writing, this rescue tool has already been downloaded over 11844 times, which only proves that the parasite is spreading rapidly and everyone should take action to protect their devices against it.

If it is already too late for you to take any preventative steps, you should scroll down to download the decrypter and learn how to remove Globe Imposter from your computer. We suggest using reputable antivirus software like Reimage to fix your device properly.

GlobeImposter imitates all the principal features of the original Globe virus. It appends certain file extensions to encrypted files and drops .html or .hta files with the ransom payment directions into every affected folder on the computer. The good news is that the virus typically does not distort original file names, so the files can easily be managed after they are decrypted.

You should also keep in mind that the virus developers will use scare tactics [4] to divert the user’s attention from other data recovery alternatives. So, you should always check whether the virus analysts have not come up with a free decrypter first. In this particular case, you are lucky, because you will be able to recover your files and complete Globe Imposter removal without facing serious consequences.

A recently updated list of Globe Imposter versions

GlobeImposter 2.0 virus. Another poorly made, yet slightly improved copy of the Globe ransomware. This particular version appends .FIX extensions to the victim’s files which it first encrypts with a powerful encryption algorithm, rendering them unreadable.

The virus's infiltration strategies vary from spam campaigns to drive-by downloads and deceptive ads. There is virtually no way of knowing when the virus is going to hit. Though the original GlobeImposter was successfully decrypted, malware experts did not manage to repeat their success with version 2.0, and this parasite still remains undecryptable.

That's why it is always a good idea to keep backups of your most important files somewhere the malicious ransomware script cannot reach and encrypt them. This way, you will always have a backup recovery plan in case your data gets corrupted.

GlobeImposter German version. To reach more victims, ransomware developers often adapt their malicious creations to target specific countries and speak to the users in their native language.

The German ransomware version is a perfect example of such a strategy: the ransom note explaining how to recover the encrypted files is presented in German. The criminals demand 0.5 Bitcoin for the data recovery key. After the money is transferred, the victims are required to send a screenshot of the transaction to an indicated email address: decryptmyfiles@inbox.ru.

But even the completion of all the criminals' demands does not guarantee that files will be recovered. The extortionists are unpredictable and can simply vanish with the money. That's why we recommend staying safe and carrying out the GlobeImposter German version elimination instead.

KeepCalm virus. The virus encrypts files and appends the .keepcalm extension to them, which is where this virus gets its name from. The parasite runs a strong encryption script to render the victim's files unreadable and then offers to decrypt the files, but only if the victim is willing to pay a considerable amount of money.

The extortionists give a more detailed description of data recovery in the ransom note called HOW_TO_BACK_FILES.html. Essentially, the victims must contact the criminals via keepcalmpls@india.com email address. The ransom payment snapshot along with the personal ID must be sent to this email to receive the decryption tool. Unfortunately, this is not what normally happens.

On the contrary, the criminals tend to vanish as soon as they have the money in their pockets, leaving victims stranded with a bunch of undecryptable information. In such a case, all you can do is remove KeepCalm from the infected device and bypass the encryption in some other, safer way.

Wallet GlobeImposter virus. At the beginning of May 2017, a new version of the fake Globe virus was detected. This time, it uses the .wallet file extension in order to spoof Dharma ransomware, which is known to be using the .wallet file extension to mark encrypted files.

The ransomware drops how_to_back_files.html ransom note on the desktop, which contains victim's ID and criminals' BitMessage address in case the victim wants to reach out to them – BM-2cXpCihgsVxB31uLjALsCzAwt5xyxr467U[@]bitmessage.ch.

The virus deletes Volume Shadow Copies to prevent the victim from restoring files without paying the ransom.

.s1crypt file extension virus. This parasite serves as another variation of the ransomware. It presents the demands in how_to_back_files.html ransom note. It also informs users that all their documents and data have been encrypted.

In order to decrypt files, victims should purchase the specific decoder, which supposedly costs 2 bitcoins. Needless to say, the tool does not boost the chances of data recovery.

In addition, the developers also provide three additional links for users who are not aware how to purchase bitcoins. In case of technical difficulties, they may contact the perpetrator via laboratoria@protonmail.ch.

The ending of the email address may suggest that the cyber criminal has registered the domain in Switzerland. Yet again, it may be only a diversion. Antivirus tools may identify the malware as Trojan.Generic.DB75052.

.au1crypt file extension virus. The malware functions as the counterpart of the former version, though its GUI differs. The ID seems to be the result of AES and RSA cryptography. The ransom note, how_to_back_files.html, explains that users' files have been encrypted due to “a security problem with your PC.”

Unlike the former version, which indicated the bitcoin address, this version instructs users to contact cyber criminals via summerteam@tuta.io and summerteam@india.com. Though it seems that the malware is rather a “summer entertainment” for the hackers, members of the virtual community should be vigilant.

At the moment, its Trojan is identifiable as Variant.Adware.Graftor.lXzx.

.goro file extension virus. This virus specifically targets victims via weakly protected Remote Desktop Protocol (RDP) connections. Since the version is still brand new, no decrypter has been released yet. The developers also used a similar .html ransom note for instructions.

You may terminate the goro.exe task in Task Manager to interrupt the malware process. This version is also associated with the Wallet virus version of the Dharma ransomware family.

At the moment, this variation is detected as Trojan[Ransom]/Win32.Purgen or Arcabit Trojan.Ransom.GlobeImposter.1 by the majority of security applications. The Mk.goro@aol.com email address is another indicator of this version.

.{email}.BRT92 file extension virus. This virus does what its name suggests – adds .{email}.BRT92 extensions to the encrypted files. In addition to the new extension, this Globe virus follow-up displays its ransom note via #HOW_DECRYPT_FILES#.html file.

On this html page, victims are provided with a personal ID number which is basically a code that helps perpetrators differentiate between their victims.

Hackers indicate two email addresses asnaeb7@india.com and asnaeb7@yahoo.com for the communication with the victim.

.ocean file extension virus. This is one of the Globe virus versions that showed up in 2017. The virus adds the .ocean extension and drops a note called !back_files!.html to demand payment. In order to retrieve their files, victims must contact the criminals via the oceannew_vb@protonmail.com email address.

The hackers claim that the price of the file decryption will depend on how quickly the victim manages to contact them. Nevertheless, collaborating with the criminals is never a good option as you might end up scammed.

A1Lock virus. A1Lock is one of the more successful versions of the GlobeImposter virus. There are several versions of this parasite and each of them appends a different extension to files. We currently know about variants that use the .rose, .troy and .707 extensions.

Ransom demands are typically listed in the documents labeled How_to_back_files.html and RECOVER-FILES.html. For communication with the victims, the criminals indicate the following addresses: i-absolutus@bigmir.net, crypt@troysecure.me, troysecure@yandex.by and troysecure@yahoo.com.

.Write_me_[btc2017@india.com] file extension virus. Looking at its design, this version of Fake Globe differs from most of the virus versions. Nevertheless, it works exactly the same: encrypts files and offers to obtain a paid decoder. Victims who are willing to pay for their files must contact the criminals via btc2017@india.com email address.

The risk here is huge because the criminals are free to vanish after the victims pay for the decryptor. This way, files that the parasite marks with .Write_me_[btc2017@india.com] extensions may remain this way forever. 

.725 file extension virus. This ransomware version creates RECOVER-FILES.HTML with a ransom-demanding note. The virus, just like its previous versions, encodes files to demand ransom from the victimized computer user. The ransomware is recognized from file extensions that it adds to corrupted files – .725. Some of the spotted versions demand 0.19 Bitcoin as a ransom. So far, no 725 ransomware decryption tools were created.

.726 file extension virus. Shortly after the discovery of the .725 version, the .726 file extension virus emerged. It is clear that GlobeImposter developers are rapidly changing the extensions they use, probably to confuse the victims and prevent them from finding help online. The ransomware saves RECOVER-FILES-726.html as a ransom note on the victim's PC. Victims report that the virus asks for 0.37 Bitcoin in exchange for the data decryption tool.

.490 file extension virus. .490 file extension virus is considered to be a version of A1Lock (GlobeImposter) that uses .490 to mark encoded files and creates !free_files!.html as ransom note for the victim. At the moment, no decryption tools are known to be effective against this virus.

.492 file extension virus. Yet another shady GlobeImposter remake uses .492 file extensions to stamp encrypted files. The design of the ransom note remained the same, but the name of the ransom note changed – now it is called here_your_files.html. The ransom note opens via default web browser and says that files were encrypted due to a security problem with victim's PC. According to the note, files can be recovered, but the victim has to write to file_free@protonmail.com or koreajoin69@tutanota.com.

.crypt file extension virus. Globe Imposter Crypt ransomware virus has been spotted being distributed by BlankSlate malspam. The mail spam campaign, which was recently used to distribute BTCWare Aleta virus, now switched to this new version of GlobeImposter. The ransomware comes in an email that contains no message – just a ZIP file attachment.

The attachment is usually named in this way: EMAIL_[Random Digits]_[Recipient's Name].zip. This ZIP file contains another ZIP file, also named with a random set of digits. The final ZIP contains a JavaScript file dubbed with a random set of characters.

Once executed, the JS file connects to a certain domain and downloads 1.dat file, which is ransomware's executable. It immediately encrypts all files on the system, adding .crypt file extension on its way. The virus then drops !back_files!.html ransom note, which instructs the victim to mail to oceannew_vb@protonmail.com for instructions on how to decrypt files.

At the moment, none of the available ransomware decrypters can decrypt these files, so data backup is the only tool that can recover your files.

.coded file extension virus. Not surprisingly, the virus emerges with another file extension, this time – .coded. Traditionally, after changing the file extension used, the malware creator changes the contact email address as well. This CODED GlobeImposter version uses decoder_master@aol.com and decoder_master@india.com email accounts for communication with ransomware victims. 

.astra file extension virus. Clearly enough, there are no exceptional features in this virus. It simply uses different file extensions to mark encrypted records, therefore it sometimes is called Astra ransomware virus. To provide the victim with data recovery guidance, it creates and saves a message in here_your_files!.html file (known as the ransom note). No decryption tools are available at the moment of writing. The only way to restore files is to rely on a data backup.

Update August 14, 2017. Different GlobeImposter ransomware versions emerge and disappear rapidly. In less than a week (starting from August 8th) malware developers introduced new ransomware versions that append either ..txt, .BONUM, .trump, .rumblegoodboy, .0402, .JEEP, .GRAFF, .MIXI or .ACTUM file extensions to encrypted files. As always, no outstanding improvements or updates come with these versions.

Some of the versions call the ransom note differently – for example, the 0402 virus uses !SOS!.html and the ..txt file extension virus uses Read_ME.html name for the note. So far, no decryption tools for these versions were discovered.

The distribution of the virus accelerates in summer'07

GlobeImposter ransomware employs traditional malware distribution techniques and spreads via malicious spam. Other known attack vectors are malware-laden ads and drive-by downloads [5].

Like most ransomware, this variant obfuscates its destructive payload under legitimate-looking programs or Windows files so that the potential victims would not suspect they are downloading malicious files on their computers.

To protect the system from malware attacks, decent and up-to-date anti-malware software is required. Besides that, we recommend finding some external storage to keep copies of your files in. You may use thumb drives, external HDDs or any other device you prefer. Just don't forget to keep it unplugged from your computer!

Updated on 23rd of May, 2017. The ransomware keeps changing its attack techniques and according to the latest reports, this malicious virus is being pushed by Blank Slate malspam which was and is responsible for Cerber's distribution[6].

It turns out that malicious files came packed in .zip archives named with a random set of chars, for instance 8064355.zip. When unpacked and executed, the .js or .jse file inside connects to a certain domain and downloads ransomware from it.

Criminals tend to regularly switch the domains that host ransomware, but currently known domains are newfornz[.]top, pichdollard[.]top and 37kddsserrt[.]pw.

Updated on 1st of August, 2017: A new Globe Imposter malspam campaign (most likely based on the Necurs botnet) with new subject names has been spotted. Below you will find a list of email addresses, subject titles and attachment files associated with Fake Globe distribution:

  • donotreply@jennieturnerconsulting.co.uk   —   Payment Receipt_72537   —   P72537.zip
  • donotreply@ritson.globalnet.co.uk   —   Payment 0451   —   P0451.zip
  • donotreply@vintageplanters.co.uk   —   Payment Receipt#039   —   P039.zip
  • donotreply@bowker61.fastmail.co.uk   —   Receipt 78522   —   P78522.zip
  • donotreply@satorieurope.co.uk   —   Receipt#6011   —   P6011.zip
  • donotreply@npphotography.co.uk   —   Payment-59559   —   P59559.zip
  • donotreply@anytackle.co.uk   —   Receipt-70724   —   P70724.zip
  • donotreply@gecko-accountancy.co.uk   —   Receipt#374   —   P374.zip
  • donotreply@corbypress.co.uk   —   Payment Receipt#03836   —   P03836.zip
  • donotreply@everythingcctv.co.uk   —   Payment_1479   —   P1479.zip

According to malware-traffic-analysis.net website which compiled this list, the zip files contain vbs files which carry the malicious payload.

Besides, new subject titles have been added to the spam campaign distributing FakeGlobe as a .js file. Be careful with emails that read “Voice Message Attached” or “Scanned Image”.
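The three malspam waves described on this page (the .crypt wave with its EMAIL_[digits]_[name].zip holding a second ZIP and a .js file, the May 2017 Blank Slate wave with numeric ZIP names like 8064355.zip holding .js or .jse, and the August 2017 "Payment"/"Receipt" wave with P[digits].zip holding .vbs) share one shape: a ZIP attachment, sometimes nested, whose real content is a script. That shape is easy to check at the mail gateway before anything is opened. The following is an added example for this guide, not code from the page or from malware-traffic-analysis.net: it recursively lists the contents of a ZIP attachment in memory, flags script payloads, and scores the message against the naming and subject patterns the page reports. The regular expressions generalise the page's examples and are therefore assumptions; the sample attachments are constructed in memory and contain placeholder text, not malware.

```python
import io
import re
import zipfile

# Script payload types the page names for GlobeImposter malspam.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs")

# Attachment naming conventions described on the page, generalised into
# regexes (an assumption: the page only gives examples of each shape).
ATTACHMENT_NAME_PATTERNS = {
    "EMAIL_<digits>_<name>.zip": re.compile(r"^EMAIL_\d+_.+\.zip$", re.IGNORECASE),
    "<digits>.zip": re.compile(r"^\d+\.zip$", re.IGNORECASE),
    "P<digits>.zip": re.compile(r"^P\d+\.zip$", re.IGNORECASE),
}

# Subject lures from the page: "Payment Receipt_72537", "Receipt#6011",
# "Payment-59559", plus "Voice Message Attached" and "Scanned Image".
SUBJECT_PATTERNS = [
    re.compile(r"^(payment|receipt)[ _#-]*(receipt)?[ _#-]*\d+$", re.IGNORECASE),
    re.compile(r"^(voice message attached|scanned image)$", re.IGNORECASE),
]


def matches_attachment_pattern(name):
    """Return the label of the first naming convention the attachment matches."""
    for label, pattern in ATTACHMENT_NAME_PATTERNS.items():
        if pattern.match(name):
            return label
    return None


def matches_subject_pattern(subject):
    return any(p.match(subject.strip()) for p in SUBJECT_PATTERNS)


def inspect_zip(data, prefix="", depth=0, max_depth=3):
    """Recursively list nested ZIPs and script members of an in-memory archive.
    Returns a list of (path, kind) with kind 'nested_zip' or 'script'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            lower = info.filename.lower()
            if lower.endswith(".zip"):
                findings.append((path, "nested_zip"))
                if depth < max_depth:  # bound recursion against zip-in-zip chains
                    findings.extend(inspect_zip(zf.read(info), path + "/", depth + 1, max_depth))
            elif lower.endswith(SCRIPT_EXTENSIONS):
                findings.append((path, "script"))
    return findings


def triage_message(sender, subject, attachment_name, attachment_bytes):
    """Score one message; a script inside the archive is decisive, the naming
    and subject heuristics only raise the message for review."""
    reasons = []
    label = matches_attachment_pattern(attachment_name)
    if label:
        reasons.append("attachment name matches " + label)
    if matches_subject_pattern(subject):
        reasons.append("subject matches a known lure")
    if sender.lower().startswith("donotreply@"):  # weak signal, as on the page's list
        reasons.append("sender is a donotreply@ address")
    findings = inspect_zip(attachment_bytes) if attachment_name.lower().endswith(".zip") else []
    scripts = [path for path, kind in findings if kind == "script"]
    if scripts:
        reasons.append("archive contains script payload: " + ", ".join(scripts))
        verdict = "quarantine"
    elif len(reasons) >= 2:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons, "findings": findings}


def build_zip(entries):
    """Constructed helper: build a ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples mirroring the three waves and one benign attachment.
CRYPT_WAVE_ATTACHMENT = build_zip({"9365127.zip": build_zip({"kq8ZxT1.js": b"// placeholder, not malware\n"})})
AUGUST_WAVE_ATTACHMENT = build_zip({"P72537.vbs": b"' placeholder, not malware\r\n"})
BENIGN_ATTACHMENT = build_zip({"invoice.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    print(triage_message("someone@example.com", "", "EMAIL_48213_john.doe.zip", CRYPT_WAVE_ATTACHMENT))
    print(triage_message("donotreply@example.co.uk", "Payment Receipt_72537", "P72537.zip", AUGUST_WAVE_ATTACHMENT))
    print(triage_message("billing@example.com", "Invoice for March", "invoice.zip", BENIGN_ATTACHMENT))
```

The deliberate design choice is that a script inside an archive is quarantined on its own, independent of who sent it or what the subject says, because the page shows the senders and subjects changing from wave to wave while the script-in-ZIP delivery stays constant.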

Remove GlobeImposter virus and try existing data recovery tools

The virus developers will try to make Globe Imposter removal as difficult as possible, potentially leaving various traps behind.

Only reputable and powerful security software can work around these obstacles and remove GlobeImposter virus from the corrupted system ripping it straight from the root.

In case you are infected with the Fake Globe virus, you should be very careful not to damage your computer system even more. Do not try taking up virus removal if it is your first encounter with such a virus. Use the instructions provided below to boot your system in a protected mode and eliminate the malware safely.


Manual Globe Imposter virus Removal Guide:

Remove Globe Imposter using Safe Mode with Networking


Fake Globe virus is a virus that will not leave the infected computer without a fight. Thus, it may block the antivirus or other security programs from running. In case this happens, please follow the instructions below.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Globe Imposter

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware to complete Globe Imposter removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Globe Imposter using System Restore


Ransomware parasites are serious cyber infections; thus, they may not only lock various documents on the infected computer but block applications as well. Security software is no exception. If GlobeImposter is interfering with the automatic system scan, check out the following instructions.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that predates the infiltration of Globe Imposter. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Globe Imposter removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Globe Imposter from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

The provided decryption tool by Emsisoft might not work for you because it is capable of decrypting files locked by certain versions of this ransomware group only. In case it doesn't help you to roll your data back to its original state, we suggest trying one of the provided alternative options:

If your files are encrypted by Globe Imposter, you can use several methods to restore them:

Get help from Data Recovery Pro

This data recovery software proved to be efficient when dealing with corrupted or deleted files. We suggest trying this tool to restore your files.

ShadowExplorer trick

Let ShadowExplorer do the trick and restore your files using Volume Shadow Copies. Unfortunately, ransomware viruses seek to delete Volume Shadow Copies and in case they succeed, ShadowExplorer can no longer help you.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Free Globe Imposter decryptor

Your files can be quickly recovered if you use the Free Globe Imposter decryptor from Emsisoft. 

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Globe Imposter and other ransomware, use reputable anti-spyware, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.


References
