Severity scale:  

Globe Imposter ransomware virus. How to remove? (Uninstall guide)

removal by Linas Kiguolis - - | Type: Ransomware

GlobeImposter – ransomware using Necurs botnet and spam to spread around

Globe Imposter virus

GlobeImposter emerged as a fake version of Globe ransomware. For this reason, it is also known under the name of FakeGlobe. The virus has numerous versions that have been spread via hacked websites with the help of Rig exploit kit. However, in November 2017 security experts discovered malspam campaign being spread via Necurs botnet.

In general, the only thing that differs in the new variant of GlobeImposter is the appended file extension (this time it uses ..doc file extensions) and provided email address. In response to the number of new versions flooding the cyberspace, EMSISOFT specialists created a free decryption tool. You can find it at the end of the article. However, not all versions are decryptable.

Currently, malware spreads as a misleading email attachment which is called “Emailing: IMG_20171221_”. Once it infects the system, it encrypts files by appending one of the numerous different file extensions, such as[1]

..doc, ..txt, .0402, .BONUM, .ACTUM, .JEEP, .GRAFF, .trump, .rumblegoodboy, .goro, .au1crypt, .s1crypt, .nCrypt, .hNcrypt, .legally, .keepcalm, .plin, .fix, .515, .crypt, .paycyka, .pizdec, .wallet, .vdulm, .2cXpCihgsVxB3, .medal, .3ncrypt3d .[]SON, .troy, .Virginprotection, .BRT92, .725, .ocean, .rose, .GOTHAM, .HAPP, .write_me_[], .VAPE, .726, .490, .coded, .skunk, .492, .astra, .apk, .doc, .4035, .clinTON, .D2550A49BF52DFC23F2C013C5, .zuzya, .LEGO, .UNLIS, .GRANNY, .911,.reaGAN, .YAYA .needkeys, .[], .foSTE, .490, .ILLNEST, .SKUNK, .nWcrypt, .f41o1, .panda, .BIG1, .sexy, .kimchenyn,, .WORK,  .crypted_uridzu@aaathats3as_com,, .TRUE,, .[], .btc, .[],,  .black,  .[], .rrr, .{}.AK47,  .LIN, .apk,  .decoder, .[].rose, .fuck,  .restorefile, .CHAK,  .Chartogy,  .POHU,  .crypt_fereangos@airmail_cc,, .crypted_monkserenen@tvstar_com, .crypt_sorayaclarkyo@mail_com, .STN, .VYA, .crypt_damarles@airmail_cc, .pliNGY,  .ñ1crypt;

The purpose of the GlobeImposter is to encrypt files and demand to pay the ransom by using scare tactics.[2] As soon as it finishes data encryption, malware delivers a ransom note where extortionists sell the decryption key for the victims.[3] The instructions on how to get back access to the files might be provided in one of these files:

  • Read___ME.html;
  • how_to_back_files.html;
  • !back_files!.html;
  • !free_files!.html;
  • here_your_files!.html)
  • !SOS!.html
  • Note Filename: support.html;
  • READ_IT;
  • #HOW_DECRYPT_ALL#.html;

Different versions of the Fake Globe include a different email or BitMessage addresses in order to communicate with victims. Criminals asked victims to contact them using these email addresses. However, the list might expand because new variants keep emerging:

  • write_me_[]

Fake Globe virus can encrypt files just as successfully as any other ransomware that has been developed from scratch. Considering that there are numerous variants of this ransomware, we can only say that certain viruses tend to use RSA and AES ciphers which most ransomware use in their attacks [4]. While some versions GlobeImposter can be decrypted, the rest remain extremely dangerous.

The security experts from Emsisoft have succeeded in creating a decryption tool the ransomware – a free Globe Imposter decrypter which helps ransomware victims recover their files and restore order on their computers [5]. At the moment of writing, this rescue tool has already been downloaded over 11844 times which only proves that the parasite is spreading rapidly and everyone should take action to protect their devices against it.

If it is already too late for you to take any preventative steps, you should scroll down to download the decrypter and learn how to remove GlobeImposter from your computer. We suggest scanning the system with Reimage or Malwarebytes Anti Malware to eradicate the infection.

Necurs spreads two malspam campaigns with Globe Imposter

At the end of November 2017, security experts warned about massive malspam campaign pushing a new variant of GlobeImposter. Malicious emails include 7zip attachments with VBS files. If a user opens such file, malware is installed and executed on Windows computer.

Researchers detected two variants of malicious emails:

  • The first campaign pushes emails with a subject line that includes the word “Emailing” and a random string of numbers, for instance, “Emailing – 10006004318”. The body of the message informs about “strictly confidential” email.[6]
  • The second campaign spreads emails with a subject line “FL-[random-numbers] [day.month.year.]. However, these emails are empty and do not contain any text. However, it includes a 7zip attachment that matches the name of the subject line.[7]

This version of malware appends .doc file extension to targeted file types on the affected computer. Following data encryption, it drops a ransom note in HTML file where victims are offered to buy a decryption software for $1000 in Bitcoins in two days. After the deadline, the size of the ransom will increase.

Variants of Globe Imposter ransomware

GlobeImposter 2.0 virus. This version of a Globe ransomware copy compromises the files by appending .FIX extension at the end. It uses similar sophisticated algorithms to perform data encryption.

The virus infiltration strategies vary from the spam campaigns to drive-by downloads or deceptive ads. There is virtually no way of knowing when the virus is going to hit. Though the original GlobeImposter was successfully decrypted, malware experts did not manage to repeat their success with the version 2.0, and this parasite still remains undecryptable.

That's why it is always a good idea to keep backups of your most important files somewhere, where the malicious ransomware script could not reach and encrypt them. This way, you will always have the backup recovery plan in case your data gets corrupted.

GlobeImposter German version. To reach more victims, ransomware developers often adapt their malicious creations to target specific countries and speak to the users in their native language.

The German ransomware version is a perfect example of such strategy: the ransom note with explanations how to recover the encrypted files is presented in German. The criminals demand 0.5 Bitcoin for the data recovery key. After the money is transferred, the victims are required to send a screenshot of the transaction to an indicated email address –

But even the completion of all the criminals demands does not guarantee files will be recovered. The extortionists are unpredictable and can simply vanish with the money. That’s why we recommend to stay safe and carry out the GlobeImposter German version elimination instead.

KeepCalm virus. The virus encrypts and appends them with .keepcalm extensions which is where this virus gets its name from. The parasite runs a strong encryption script to render victim’s files unreadable and then offers to decrypt the files if only the victim is willing to pay a considerable amount of money.

The extortionists give a more detailed description of data recovery in the ransom note called HOW_TO_BACK_FILES.html. Essentially, the victims must contact the criminals via email address. The ransom payment snapshot along with the personal ID must be sent to this email to receive the decryption tool. Unfortunately, this is not what normally happens.

On the opposite the criminals tend to vanish as soon as they have the money in their pockets, leaving victims stranded with a bunch of undecryptable information. In such a case, all you can do is remove KeepCalm from the infected device and to bypass the encryption in some other, safer ways.

Wallet GlobeImposter virus. At the beginning of May 2017, a new version of the fake Globe virus was detected. This time, it that uses .wallet file extensions in order to spoof Dharma ransomware, which is known to be using .wallet file extension to mark encrypted files.

The ransomware drops how_to_back_files.html ransom note on the desktop, which contains victim's ID and criminals' BitMessage address in case the victim wants to reach out to them – BM-2cXpCihgsVxB31uLjALsCzAwt5xyxr467U[@]

The virus deletes Volume Shadow Copies to prevent the victim from restoring files without paying the ransom.

.s1crypt file extension virus. This parasite serves as another variation of the ransomware. It presents the demands in how_to_back_files.html ransom note. It also informs users that all their documents and data have been encrypted.

In order to decrypt files, victims should purchase the specific decoder which supposedly costs 2 bitcoins. Needless to say that the tool does not boost chances of data recovery.

In addition, the developers also provide three additional links for users who are not aware how to purchase bitcoins. In case of technical difficulties, they may contact the perpetrator via

The ending of the email may suggest that the cyber criminal may have registered domain in the territory of Switzerland. Yet again, it may be only a diversion. Antivirus tools may identify the malware as Trojan.Generic.DB75052. 

.au1crypt file extension virus. The malware functions as the counterpart of the former version. Its GUI also differs. The ID seems to be the result of AES and RSA cryptography. The ransom note, how_to_back_files.html, explains that users' files have been encrypted due “a security problem with your PC.”

Unlike the former version, which indicated the bitcoin address, this version instructs users to contact cyber criminals via and Though it seems that the malware is rather a “summer entertainment” for the hackers, members of the virtual community should be vigilant.

At the moment, its Trojan is identifiable as Variant.Adware.Graftor.lXzx.

.goro file extension virus. This virus specifically targets victims via weak Remote Desktop Protocols (RDP). Since the version is still brand new, there is no decrypter released yet. The developers also used a similar .html ransom note for instructions.

You may terminate the goro.exe task on your Task Manager to interrupt the malware process. This version is also associated with the Wallet virus version of Dharma ransomware family.

At the moment, this variation is detectable as Trojan[Ransom]/Win32.Purgen, Arcabit Trojan.Ransom.GlobeImposter.1 by majority security applications. email address is another indicator of this version.

.{email}.BRT92 file extension virus. This virus does what its name suggests – adds .{email}.BRT92 extensions to the encrypted files. In addition to the new extension, this Globe virus follow-up displays its ransom note via #HOW_DECRYPT_FILES#.html file.

On this html page, victims are provided with a personal ID number which is basically a code that helps perpetrators differentiate between their victims.

Hackers indicate two email addresses and for the communication with the victim.

.ocean file extension virus. This one of the Globe Virus versions that showed up in 2017. The virus adds .ocean extensions and drops a note called !back_files!.html to demand payment. In order to retrieve their files, victims must contact the criminals via email address.

The hackers claim that the price of the file decryption will depend on how quickly the victim manages to contact them. Nevertheless, collaborating with the criminals is never a good option as you might end up scammed.

A1Lock virus. A1Lock is one of the more successful versions of the GlobeImposter virus. There are several versions of this parasite and each of them appends files with different extensions. We currently know about variants that use .rose, .troy and .707 extensions.

Ransom demands are typically listed in the documents labeled How_to_back_files.html and RECOVER-FILES.html. For the communication with the victims, criminals indicate the following addresses:,, and

.Write_me_[] file extension virus. Looking at its design, this version of Fake Globe differs from most of the virus versions. Nevertheless, it works exactly the same: encrypts files and offers to obtain a paid decoder. Victims who are willing to pay for their files must contact the criminals via email address.

The risk here is huge because the criminals are free to vanish after the victims pay for the decryptor. This way, files that the parasite marks with .Write_me_[] extensions may remain this way forever. 

.725 file extension virus. This ransomware version creates RECOVER-FILES.HTML with a ransom-demanding note. The virus, just like its previous versions, encodes files to demand ransom from the victimized computer user. The ransomware is recognized from file extensions that it adds to corrupted files – .725. Some of the spotted versions demand 0.19 Bitcoin as a ransom. So far, no 725 ransomware decryption tools were created.

.726 file extension virus. A little later after the discovery of .725 version, .726 file extension virus emerged. It is clear that GlobeImposter developers are rapidly changing the extensions they use, probably to confuse the victims and prevent them from finding help online. The ransomware saves RECOVER-FILES-726.html as a ransom note on victim's PC. Victims report that the virus asks for 0.37 Bitcoin in exchange for data decryption tool.

.490 file extension virus. .490 file extension virus is considered to be a version of A1Lock (GlobeImposter) that uses .490 to mark encoded files and creates !free_files!.html as ransom note for the victim. At the moment, no decryption tools are known to be effective against this virus.

.492 file extension virus. Yet another shady GlobeImposter remake uses .492 file extensions to stamp encrypted files. The design of the ransom note remained the same, but the name of the ransom note changed – now it is called here_your_files.html. The ransom note opens via default web browser and says that files were encrypted due to a security problem with victim's PC. According to the note, files can be recovered, but the victim has to write to or

.crypt file extension virus. Globe Imposter Crypt ransomware virus has been spotted being distributed by BlankSlate malspam. The mail spam campaign, which was recently used to distribute BTCWare Aleta virus, now switched to this new version of GlobeImposter. The ransomware comes in an email that contains no message – just a ZIP file attachment.

The attachment is usually named in this way: EMAIL_[Random Digits]_[Recipient's Name].zip. This ZIP file contains another ZIP file, also named with a random set of digits. The final ZIP contains a JavaScript file dubbed with a random set of characters.

Once executed, the JS file connects to a certain domain and downloads 1.dat file, which is ransomware's executable. It immediately encrypts all files on the system, adding .crypt file extension on its way. The virus then drops !back_files!.html ransom note, which instructs the victim to mail to for instructions on how to decrypt files.

At the moment, none of the available ransomware decrypters can decrypt these files, so data backup is the only tool that can recover your files.

.coded file extension virus. Not surprisingly, the virus emerges with another file extension, this time – .coded. Traditionally, after changing the file extension used, the malware creator changes the contact email address as well. This CODED GlobeImposter version uses and email accounts for communication with ransomware victims. 

.astra file extension virus. Clearly enough, there are no exceptional features in this virus. It simply uses different file extensions to mark encrypted records, therefore it sometimes is called Astra ransomware virus. To provide the victim with data recovery guidance, it creates and saves a message in here_your_files!.html file (known as the ransom note). No decryption tools are available at the moment of writing. The only way to restore files is to rely on a data backup.

.f41o1 file extension after completing the encryption process. What is more, this version also presents graphic user interface – READ_IT.html.[8] It does not indicate specific email address but instead provides a specific .onion address for victims to proceed with data recovery. The perpetrators also offer to purchase their Decrypter. Victims are supposed to receive further instructions within 48 hours. Let us remind you once again that even if the software will decrypt the files, it may system with spyware which might facilitate future hijack.

Interestingly, GlobeImposter developers are shifting to boost the malware distribution via malspam. One of the samples function via the VBS script and hide under INV-000913.vbs or similarly named fake invoice file. Another virus edition fishes users via corrupted hosts, such as…). Furthermore, developers also added Nemucod trojan to the distribution campaign.

Decoder ransomware virusHackers inform that the files were encrypted due to the “Security problems” detected on the PC. They indicate and email addresses to pay and ransom and receive a decryptor for .decoder files. The ransom note is named as Instructions.txt and dropped on the desktop shortly after Decoder ransomware infiltration.

ABC ransomware virus. While developing this variant of the Globe Imposter virus crooks employed AES and RSA ciphers to perform data encryption. Afterward, it leaves Read_IT.txt which serves as a ransom note. You should note this version is still under development. Thus, it might drop README.txt or HOW_TO_DECRYPT.txt files. 

According to the research, ABC virus spreads via exploit kits, spam emails or other common distribution techniques. Victims report that they are demanded to pay from 0.3 to 0.5 BTC in return to data recovery.

.Ipcrestore file extension virus. The victims are provided with how_to_back_files.html file which has a common name of a ransom note. They are asked to make a digital currency transaction in a specific Bitcoin accound to get a decryption tool for files with .Ipcrestore extension. While this offspring of FakeGlobe is still in-development, the PC users are advised to take precautionary measures and be aware of all possible extensions and ransom note names.

Update May 23, 2017. The ransomware keeps changing its attack techniques and according to the latest reports, this malicious virus is being pushed by Blank Slate malspam which was and is responsible for Cerber's distribution[9].

It turns out that malicious files came packed in .zip archives named with a random set of chars, for instance When unpacked and executed, the .js or .jse file inside connects to a certain domain and downloads ransomware from it.

Criminals tend to regularly switch the domains that host ransomware, but currently known domains are newfornz[.]top, pichdollard[.]top and 37kddsserrt[.]pw.

Update August 1, 2017: New Globe Imposter malspam campaign (most likely based on the Necurs botnet) with new subject names have been spotted. Below you will find a list of email addresses, subject titles and attachment files associated with Fake Globe distribution:

  •   —   Payment Receipt_72537   —
  •   —   Payment 0451   —
  •   —   Payment Receipt#039   —
  •   —   Receipt 78522   —
  •   —   Receipt#6011   —
  •   —   Payment-59559   —
  •   —   Receipt-70724   —
  •   —   Receipt#374   —
  •   —   Payment Receipt#03836   —
  •   —   Payment_1479   —

According to website which compiled this list, the zip files contain vbs files which carry the malicious payload.

Besides, new subject titles have been added to the spam campaign distributing FakeGlobe as .js file. Be careful with emails that read “Voice Message Attached, or “Scanned Image”. 

Update August 14, 2017. Different GlobeImposter ransomware versions emerge and disappear rapidly. In less than a week (starting from August 8th) malware developers introduced new ransomware versions that append either ..txt, .BONUM, .trump, .rumblegoodboy, .0402, .JEEP, .GRAFF, .MIXI or .ACTUM file extensions to encrypted files. As always, no outstanding improvements or updates come with these versions.

Some of the versions call the ransom note differently – for example, the 0402 virus uses !SOS!.html and the ..txt file extension virus uses Read_ME.html name for the note. So far, no decryption tools for these versions were discovered.

Update September 15, 2017. As usual, every month introduces a couple of new GlobeImposter variations. Most recent are: .YAYA .needkeys, .[].foSTE, .490.ILLNEST, .SKUNK, .nWcrypt. Though appended extensions differ, there are no crucial modifications of the malware. 

The developers continue the theme of US presidents as well. One of the recent editions mark encrypted files with .reaGAN extension and present email address for contact purposes. Additionally, another version does not only add a different extension – .911 – but also displays the demands in the !SOS!.html page.

Luckily, the current versions are detectable as Ransom:Win32/Ergop.ATrojan.Purgen.baGeneric.Ransom.GlobeImposter.56A888, etc. However, perpetrators act more insidiously. These versions disguise under cmd.exe (a referrer to Command Prompt executable), btm1.exe,  encv.exe, and similar executables which are used by legitimate apps. After the infection, the malware launches additional commands: ADVAPI32.dll, KERNEL32.dll,SHLWAPI.dll,USER32.dll, and ole32.dll.

Update September 20th, 2017. At the beginning of autumn 2017, GlobeImposter was noticed proliferating via massive ransomware campaign that was mostly associated with the infamous Locky ransomware. Experts from TrendMicro have specified that the malicious domains used to download the ransomware on victim's computers serve FakeGlobe and Locky ransomware in a rotation. Therefore, it means that the compromised domain can serve Globe Imposter for several hours and then switch to pushing Locky and vice versa.

Spam campaigns delivering the malware to victims are providing malicious links in the message body, suggesting to view an invoice online. Clicking on the link downloaded a .7z file which was also attached to the email. The file inside the archive is set to connect to remote domains and download Locky or GlobeImposter virus.

According to experts[10], this isn't the only type of malicious emails that scammers are using to push ransomware. They are also sending thousands of emails without any information in the message body and an attached .doc file instead of an archive. The doc file contains a macros code set to download the ransomware from a remote server. As soon as the victim closes the file, the script will activate itself via Auto Close VBA Macro. 

Update November 17, 2017. A month has passed – new versions GlobeImposter virus sprung to life. Finally, the developers decided to introduce more changes rather than simply altering the name of appended extensions and email addresses. 

Now they slightly changed the encryption way of the configuration. Now the encryption key is more complex. It was done supposedly to bother the decryption tool creation process. The authors also changed the ransom note – now the demands are delivered in #HOW_DECRYPT_ALL#.html[11].

Except for these slight modifications, no other significant changes are visible. Globe Imposter crypto-malware continue amusing themselves and IT experts with random file extensions. While some of the older file extensions are used, there are new ones.

One of them, .kimchenyn, mockingly relates to the leader of North Korea Kim Jong-un. Another extension, .panda, possibly refers to the latest version of Zeus Panda banking trojan appeared. Another Globe Imposter version refers to popular Hollywood actor – Colin Farrel – as it appends extension. Unless completely terminated. It seems that this malware can provide quite an insight into the interests and the personality of the perpetrator(s). 

Recently discovered versions of the ransomware

.GRANNY file extension virus was first discovered in August, 2017. Users get infected via malicious torrent files which hold the Trojan inside. Unlike some of the latest GlobeImposter variations, the malware presents its independent interface. Victims are instructed to contact the perpetrators via or The cyber criminals offer decryption of one file to earn users' trust. 

.Trump extension malware is another worth mentioning recently appeared sample. The malware launches a quite plain interface with an unusually long victim's identification address. Additionally, the crooks offer users to contact them via and As in previous cases, the felons did not indicate the specific amount of money but instead encourage users to contact them directly.

{}.BRT92 file malware strikes again with slight modification in its email domains. Perpetrators now deliver the demands in #DECRYPT_FILES#.html file. As in other variants, the racketeers urge to purchase their decoder and offer one file decryption service for free.

Though the very extension has been exploited before, now crooks switched to address.[12] The tendency to take inspiration from fiction, pop culture or just random daily life implies that the crooks might not be an organized gang of cyber villains. However, the rate of new malware variations certainly suggests their persistence. 

Other August GlobeImposter editions include variants which append .D2550A49BF52DFC23F2C013C5, .zuzya, .LEGO, .UNLIS file extensions. No significant changes in the operation peculiarities nor in the distribution methods are detected.

With the beginning of academic year, GlobeImposter malware developers bombard users again with a series of new samples. The cyber criminals do not seem to lose a sense of humor as well. One of the variations appends .clinTON file extension and indicates for contact purposes.

On the 18th of October, 2017, the Rig exploit kit (RIGEK) was spotted spreading Globe Imposter version via hacked websites. that appends .4035 file extension. Following data encryption, it delivers a ransom note in READ_IT.html file were victims are asked to pay the ransom in order to get back access to their files.

Later researchers detected another version of ransomware appending .doc file extensions to the targeted files. The malicious program locks data with strong encryption cipher and provides ransom note in Read___ME.html file. This version of malware spreads via two malspam campaigns that are pushed by Necurs botnet. Malware asks to pay $1000 in two days; otherwise, the payment will double.

At the end of October, the new version of the GlobeImposter has been noticed appending .apk file extension. Malware payload spreads as an apkcrypt.exe file. As soon as this file is executed on the system, the virus starts data encryption procedure. Following successful encryption, it delivers a ransom note in Note Filename: support.html file where victims are asked to transfer Bitcoins for data recovery.

Let us remind you that free GlobeImposter Decrypter might help you decode the files if this cyber misfortune seized control of your files.

Distribution methods of malware keep improving

Developers of Globe Imposter used several distribution methods already, such as:

  • Rig exploit kit;
  • Malicious ads that trigger an automatic installation of a virus and drive-by downloads[13];
  • Malspam pushed by Necurs botnet.

Therefore, this malicious program might take advantage of outdated software and security vulnerabilities. However, most of the time crooks wants to trick users into opening or downloading infected content, such as ads or email attachments. For this reason, you should be careful and click content only if you are 100% sure that it's safe.

To protect the system from malware attacks, a decent and up-to-date anti-malware software is required, besides, we recommend finding some external storage to keep copies of your files in. You may use thumb drives, external HDDs or any other device you prefer. Just don’t forget to keep it unplugged from your computer!

Automatic Globe Imposter elimination guide

Since this is a highly dangerous ransomware, the developers most probably programmed it to prevent the easy elimination. You can either call a certified IT technician or employ a professional security software to perform GlobeImposter removal for you. You are advised to choose Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware since they are reliable and time-tested.

In case you are infected with the Fake Globe virus, you should be very careful not to damage your computer system even more. Do not try taking up virus removal if it is your first encounter with such a virus. Use the instructions provided below to boot your system in a protected mode and eliminate the malware safely.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Globe Imposter ransomware virus you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Globe Imposter ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

Manual Globe Imposter virus Removal Guide:

Remove Globe Imposter using Safe Mode with Networking

Fake Globe virus is a virus that will not leave the infected computer without a fight. Thus, it may block the antivirus or other security programs from running. In case this happens, please follow the instructions below.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Globe Imposter

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Globe Imposter removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Globe Imposter using System Restore

Ransomware parasites are serious cyber infections thus, they may not only lock various documents on the infected computer but block applications as well. Security software is not an exception. If GlobeImposter is interfering with the automatic system scan, check out the following instructions.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Globe Imposter. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Globe Imposter removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Globe Imposter from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

Start FakeGlobe removal from the instructions below. They will briefly explain how to prevent the ransomware from blocking the installation of an antivirus system.

If your files are encrypted by Globe Imposter, you can use several methods to restore them:

Data Recovery Pro tool

This is a professional tool developed to help ransomware victims recover files after data encryption. Wr highly recommend using it.

Try ShadowExplorer feature

The most important condition to retrieve data with ShadowExplorer is the undeleted Shadow Volume Copies. Sadly, Globe Imposter along with its offsprings aim to eliminate them. If it succeeds, this feature will not be effective.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Employ Globe Imposter decryptor for free

Luckily, the experts have officially released a Free Globe Imposter decryptor from Emsisoft. You should definitely give it a try after FakeGlobe attack.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Globe Imposter and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Linas Kiguolis
Linas Kiguolis - Expert in social media

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Linas Kiguolis
About the company Esolutions


Removal guides in other languages