Globe ransomware / virus (Jan 2017 update) - Decryption Steps Included

Globe virus Removal Guide

What is Globe ransomware virus?

Globe virus: can it be as dangerous as Cerber ransomware?

At first, Globe looked like just another copy-paste ransomware that would never spread widely. The initial version appeared a couple of months ago, but it has been updated several times since. The malware makes several references to the movie The Purge [1] throughout the attack. Structurally, however, it does not differ much from other infamous infections that demand a ransom for locked data. Researchers believe it belongs to the group of malware that mainly reaches victims through malicious email attachments sent out by spam campaigns. That distribution technique is currently the most active one and is also used by threats such as Cerber and Osiris ransomware [2]. If your computer has been hit, collect yourself and concentrate on Globe removal. Do not wait for your files to decrypt themselves; that will never happen, and the attackers would sooner destroy your data than release it for free. Paying may not help either: a large share of ransomware victims never receive the promised decryption key and their files stay locked [3]. Fortunately, researchers have obtained samples of Globe and built a decrypter for it. A link to that tool is provided next to the other data recovery methods below, which may come in handy if you are infected by a newer version that the decrypter does not cover.

Screenshot of the Globe virus.

Globe may still be under development, but it is growing steadily. Lately, new versions have been released: Globe2, Kyra, and x3m Globe. Users in Central Asia were among the first targets, but infections are now being reported in other parts of the world, and there is speculation that the threat may move on to small and large enterprises. The file “How to restore your files.hta”, which the virus saves on the desktop, delivers the instructions for recovering the files. Victims are told to contact the attackers at powerbase@tutanota.com (the address depends on the version), after which payment instructions and the ransom amount are delivered. The amount varies; it is reported to fluctuate between 1 and 3 BTC. Paying does not guarantee that the files come back. Instead, remove Globe immediately.

The extension .url.powerbase@tutanota.purge is appended to every encrypted file. Unlike most threats, this version uses the Blowfish cipher rather than the more popular AES. Within seconds, vssadmin.exe and bcdedit.exe are executed and the threat finishes encrypting files. The virus currently targets around 995 file types and is quite aggressive: it may also encrypt files under Program Files and on other local drives, and it encrypts more files after each system reboot. Globe deletes all shadow copies and turns off Windows Startup Repair, which is why it is so important to remove it as soon as possible; FortectIntego can do that for you. Lastly, do not install any file-decrypting software or “Globe Decrypter” promoted by the attackers. Use only legitimate tools to recover the locked files [4].
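The vssadmin.exe and bcdedit.exe activity described above is the most reliable behavioral tell of this family, and it shows up in process-creation telemetry before the ransom note does. The following Python is an added example, not code from the original page or from any vendor: it scans a constructed set of process-creation events (Sysmon event ID 1 style, flattened to one line per event) for the command lines typically used to delete Volume Shadow Copies and disable Startup Repair, and it correlates the two within a short window so that an administrator or backup product that merely clears old shadow copies is not mistaken for ransomware. The event format, rule names and sample lines are assumptions made for this example.

```python
"""Flag the shadow-copy and boot-repair tampering that Globe performs (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed sample of process-creation events (Sysmon event ID 1 style, flattened to
# "timestamp|image path|command line" for this example). This is not telemetry captured
# from a real Globe infection; only the tampering command lines are the usual ones.
SAMPLE_EVENTS = """\
2017-01-12T09:14:02|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2017-01-12T09:14:02|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled no
2017-01-12T09:14:03|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2017-01-12T09:20:44|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe list shadows
2017-01-12T10:02:11|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2017-01-12T10:05:00|C:\\Program Files\\Backup\\backup.exe|backup.exe --full
"""

# Each rule: (name, pattern). These are the command lines commonly used by ransomware
# to wipe Volume Shadow Copies and to switch off Windows Startup Repair.
RULES = [
    ("shadow-copy-deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow-copy-deletion", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("startup-repair-disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("startup-repair-disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]


@dataclass
class Finding:
    when: datetime
    image: str
    rule: str
    cmdline: str


def scan_events(text: str) -> List[Finding]:
    """Return one Finding per event whose command line matches a tampering rule."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, image, cmdline = line.split("|", 2)
        for rule, pattern in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(datetime.fromisoformat(when), image, rule, cmdline))
                break  # one finding per event, even if several rules would match
    return findings


def looks_like_ransomware(findings: List[Finding], window_seconds: int = 300) -> bool:
    """Shadow-copy deletion alone has benign causes (backup software, admins).
    Deletion plus recovery tampering within a short window is the ransomware pattern."""
    deletions = [f for f in findings if f.rule == "shadow-copy-deletion"]
    tampering = [f for f in findings if f.rule == "startup-repair-disabled"]
    return any(abs((d.when - t.when).total_seconds()) <= window_seconds
               for d in deletions for t in tampering)


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.when.isoformat()}  {f.rule:<25} {f.cmdline}")
    print("ransomware-like sequence:", looks_like_ransomware(hits))
```

Running the block lists the four matching events and reports the sequence as ransomware-like, while the lone "vssadmin list shadows" call is ignored. In production the same logic belongs in a SIEM or EDR rule; the point here is the correlation step, because shadow-copy deletion on its own is a noisy signal.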

List of malware related to Globe ransomware:

Globe2 ransomware virus. This version was detected at the beginning of October 2016. Like the original, it encrypts data and instructs victims to contact the criminals by email; the only contact address given is help_you@india.com. What they want in exchange for the decryption software is, unsurprisingly, money. Fortunately, victims no longer need to pay: an antidote for this infection exists, so if you have been hit by this version, use the free Globe2 decryption tool to restore encrypted data. Full instructions on how to remove Globe2 and restore files are provided in this article.

Russian Globe ransomware virus (also known as BlackBlock virus). The Russian version of this crypto-ransomware was spotted in November 2016. It is easy to identify because it appends the .blackblock extension to encrypted files, and it typically asks for 0.5 Bitcoin in exchange for the decryption software. Like the other versions, it renders personal files unusable without the key held by the attackers (note that the cipher has varied across Globe versions, Blowfish in the original and AES-256 in Globe3, so identify a sample by its extension and ransom note rather than by a claimed algorithm). When the encryption finishes, it launches the “How to restore files.hta” file, which describes what happened. This file is commonly called the ransom note, and it instructs the victim to write to the criminals' email to learn about possible decryption methods. The victim can also reach the perpetrators via Bitmessage.

Kyra ransomware virus. This one was released right after BlackBlock and is very similar to it. The main difference is that Kyra adds the .kyra extension to corrupted files and asks for a slightly higher ransom, 1.0 Bitcoin. The ransom note tells the victim to contact the criminals via support-locking@india.com or support-decrypt@india.com, or again via BitMessage, to provide a personal ID, and to wait for payment instructions in order to get the decryption tool. The criminals are under no obligation to deliver Kyra decryption software even if you pay, so think twice before doing so. Spend the money on a trustworthy computer protection tool instead. If you have a backup, you can recover the lost files from it; just make sure you remove Kyra first.

Duhust ransomware virus. This is a newly detected version of the original infection, named after the .duhust extension it attaches to every encoded file. It reportedly uses AES and RSA for data encoding. The developers also changed the contact address: the ransom note presents duhust@india.com. This points to the same crooks who keep flooding the web with @india.com-themed viruses. They are not as widespread as Locky or Cerber, but the continuous attempts to modify the threat and keep it ahead of detection are alarming. The group is already known for multiple threats, some with amusing names. The recent Suppteam01@india.com and Suppteam03@india.com versions have prompted speculation that it might be related to another notorious file-encrypting virus, CryptoLocker, though this is unconfirmed.

x3m Globe ransomware virus is another new member recently added to the Globe family. A version of Globe was spotted adding the .x3m extension to encrypted files, which earned it the name. It is especially dangerous for users with no backups of their personal files, since it encrypts the data on the computer with a cipher that turns file contents into an unreadable jumble. Those files can only be restored with the private key that the criminals promise to provide once the victim contacts them at mkscorpion(@)india.com. Besides dropping a ransom note in every affected folder, the virus also places the recovery instructions on the desktop to make sure the victim notices them. x3m Globe most likely arrives through pirated software or email spam, so be careful not to download it by accident.

Grapn206@india.com ransomware virus. Responding to other mainstream viruses, the Globe developers have made another move, presenting several improvements over the past few weeks. This latest version does not differ much from the previous ones; the only obvious new feature is the extension, .grapn206, with which it marks all corrupted data. The usual encryption methods, AES and RSA, are reported for this version as well. Beware of the lolka.exe1 file, which carries the malicious binary; the crooks might disguise it as a spam attachment or deliver it with a trojan. Since it is another @india.com virus, it may also reach users through trojans and exploit kits hosted on infected domains. Do not waste time; proceed to removal, as it is futile to expect the crooks to return the data.

Banij2@india.com ransomware is the latest example of Globe, which showed up at the beginning of 2017. This version started spreading in the US but soon appeared in Russia, Germany and the UK. It is named after the extension it adds to each target file. Like the previous versions, it encrypts videos, music, business documents and similar data with its built-in encryption engine. The only way to stay safe is to protect your computer with reliable anti-spyware and, as security experts also recommend, to keep backup copies of all files that matter to you. Keep the backups disconnected from the computer so that the Banij2@india.com file virus cannot reach them.

.LoveWindows file extension virus. In December 2016, Globe2 emerged with a brand new variant that adds the .lovewindows extension to encrypted files. Like the previous Globe versions, the new one encrypts target files so that the user cannot access them. To decrypt, the user is told to write to bahij2@india.com and receive instructions from the culprits directly. Currently the Globe2 decrypter has not been updated for this version and cannot restore its files, though it may be able to soon. Keep your money and do not pay the scammers who infected your system. Remove the .lovewindows virus as soon as you can; the easiest way is an automatic malware removal tool. If you do not have one yet, consider one of those we recommend: FortectIntego, SpyHunter 5Combo Cleaner, or Malwarebytes.

Fake Globe ransomware. Fake Globe, or Globe Imposter, uses AES encryption to corrupt files on the target computer and appends the .crypt extension to their names. It uses an almost identical ransom note and drops a HOW_OPEN_FILES.hta file on the system. It wants 1 Bitcoin (around 800 USD at the time of writing), sent to a provided Bitcoin wallet address, after which the victim is asked to email a screenshot of the payment to alex_pup@list.ru. The executable is called подтверждение.exe (Russian for “confirmation”). It is not a Globe variant, but it is designed to look like the original, most likely to appear more frightening. Because the .crypt extension is also used by other ransomware families, the HOW_OPEN_FILES.hta note is the better indicator of this particular imposter. It is now decryptable: download the free Globe Imposter decrypter from the official Emsisoft website.

Globe3 ransomware has just hit the web, which suggests that after Globe and Globe2 were defeated by free decrypters, the extortionists decided to give it another go. The virus was built with the same ransomware builder used for the previous versions. Globe3 uses AES-256 to lock files and appends the .decrypt2017 or .hnumkhotep extension to their original names. For the decryption key the scammers demand 3 Bitcoin, a large sum compared with the 0.5 or 1 Bitcoin typically demanded by other ransomware operators. Fortunately, you do not have to empty your bank account: researchers have already produced a free Globe3 decrypter, which you can download via the indicated link. Just do not forget to remove the virus first, or your files will be locked again.

Ways of distribution

As mentioned, a Globe infection begins when an infected email attachment is opened. If you follow IT news, you know how persuasive the attackers have become: they produce near-identical copies of tax return or customs declaration forms, fake telecommunication forms that request confidential information, or messages asking you to review an attached package delivery notice. In every case, stay vigilant and do not open attachments recklessly, even when the email appears to come from an official institution. Contact the organization directly to dispel any doubt, and teach your employees about viruses such as Globe [5].

Remove Globe malware for good

Given the way this ransomware behaves and the likelihood of further updates, remove Globe automatically: install FortectIntego or SpyHunter 5Combo Cleaner, which will carry out the elimination quickly and provide protection for the whole operating system. Since the ransomware may also arrive through exploit kits, having such a tool is essential. Keep in mind that security programs do not unlock encrypted files; for that, use the data recovery options described later on this page. Finally, if you cannot start Globe removal because essential functions of the operating system no longer work, use the guidelines provided below.


Getting rid of Globe virus. Follow these steps

Manual removal using Safe Mode

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When the computer starts, press F8 repeatedly before the Windows logo appears, until the Advanced Boot Options window shows up.
  3. Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
  1. Right-click on the Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Scroll down to the Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
  7. Go to Advanced options.
  8. Select Startup Settings.
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
  3. Scroll down to the Background processes section and look for anything suspicious. Pay particular attention to processes that run from a user profile location such as %AppData%, %LocalAppData% or %Temp% rather than from Program Files or the Windows folder, and to names that imitate system binaries.
  4. Right-click the process and select Open file location.
  5. Go back to the process, right-click and pick End Task.
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to the Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type Disk Cleanup in Windows search and press Enter.
  2. Select the drive you want to clean (C: is your main drive by default and is the most likely to hold malicious files).
  3. Scroll through the Files to delete list and select the following (note that Downloads removes everything in your Downloads folder, so move anything you still need first):

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Globe using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. At the Windows login screen, click the Power button, then hold Shift on your keyboard and click Restart.
    2. Select Troubleshoot > Advanced options > Startup Settings and press Restart.
    3. Once the computer restarts, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type rstrui.exe and press Enter. (On Windows XP the tool sits in the restore subfolder of System32, so enter cd restore first; on Vista and later rstrui.exe runs directly from System32 and the cd step is not needed.)
    2. When the System Restore window shows up, click Next and select a restore point dated before the Globe infiltration, then click Next.
    3. Click Yes to start the restore.
    Once the system is restored, download and scan your computer with FortectIntego to make sure that Globe removal was completed successfully. Note that System Restore does not decrypt files, and because restore points are stored as shadow copies, Globe's shadow-copy deletion may have removed them as well, in which case no restore point will be offered.

Bonus: Recover your data

The guide presented above is meant to help you remove Globe from your computer. To recover your encrypted files, we recommend the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Globe, you can use several methods to restore them:

Data recovery with Data Recovery Pro method

Try out data recovery using Data Recovery Pro by following these instructions:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Globe ransomware;
  • Restore them.

Data recovery using Windows Previous Versions feature

If System Protection (restore points) was enabled before the Globe attack, you can try recovering files with the Windows Previous Versions feature. Previous Versions are read from shadow copies, so this only works if Globe's shadow-copy deletion did not succeed:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Data recovery using ShadowExplorer method

ShadowExplorer lists the Volume Shadow Copies of the files stored on the computer. Remember that Globe runs vssadmin.exe specifically to delete those copies, so this method will usually fail on a machine where the infection ran to completion; it costs nothing to check, though, because the deletion can fail (for example when the malware did not run with administrator rights).

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Data recovery using Globe decrypter

You can decrypt files locked by this ransomware with the free Globe decrypter released recently. This tool works for the .purge, .globe and .okean-1955@india.com.!dsvgdfvdDVGR3SsdvfEF75sddf#xbkNY45fg6}P{cg.xtbl extensions, so if you are infected with another, newer variant of Globe, you may have to fall back on the methods above. Run the decrypter on copies of the encrypted files and only after the ransomware has been removed; otherwise the restored files may be encrypted again.

Victims of Globe2 ransomware should use this tool – Globe2 decrypter.
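The variant descriptions earlier on this page and the decrypter notes just above amount to a lookup table: the appended extension (and, for the imposter, the ransom note name) tells you which family member you are dealing with and whether a free decrypter named here applies. The following Python is an added example, not code from the original page or from any decrypter vendor: it walks a constructed file listing, identifies the variant from the markers this page lists, and returns the recovery advice for each, including the check that a .crypt extension alone does not prove Globe Imposter since other families use it. The mapping is taken from this page; the sample paths, the advice strings and the "unmatched" bucket are assumptions made for the example.

```python
"""Triage a file listing for Globe-family markers and pick the matching free decrypter (added example)."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Appended extensions and the variant / free decrypter this page associates with each.
# None means the page names no free decrypter for that variant.
KNOWN_SUFFIXES: List[Tuple[str, str, Optional[str]]] = [
    (".purge", "Globe", "Globe decrypter"),
    (".globe", "Globe", "Globe decrypter"),
    (".okean-1955@india.com.!dsvgdfvdDVGR3SsdvfEF75sddf#xbkNY45fg6}P{cg.xtbl", "Globe", "Globe decrypter"),
    (".decrypt2017", "Globe3", "Globe3 decrypter"),
    (".hnumkhotep", "Globe3", "Globe3 decrypter"),
    (".crypt", "Globe Imposter", "Globe Imposter decrypter (Emsisoft)"),
    (".lovewindows", "Globe2 (.LoveWindows)", None),  # Globe2 decrypter not yet updated for it
    (".blackblock", "Russian Globe / BlackBlock", None),
    (".kyra", "Kyra", None),
    (".duhust", "Duhust", None),
    (".x3m", "x3m Globe", None),
    (".grapn206", "Grapn206@india.com", None),
]
KNOWN_SUFFIXES.sort(key=lambda t: len(t[0]), reverse=True)  # longest marker wins

# Ransom note file names mentioned on this page (compared case-insensitively).
RANSOM_NOTES = {"how to restore your files.hta", "how to restore files.hta", "how_open_files.hta"}

# Constructed sample listing; not taken from a real infected machine.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.url.powerbase@tutanota.purge",
    r"C:\Users\alice\Pictures\IMG_0001.jpg.url.powerbase@tutanota.purge",
    r"C:\Users\alice\Desktop\How to restore your files.hta",
    r"C:\Users\alice\Documents\budget.xlsx",
]


def classify_name(name: str) -> Optional[Tuple[str, Optional[str]]]:
    """Map a file name to (variant, decrypter) by its appended extension, or None."""
    lowered = name.lower()
    for suffix, variant, decrypter in KNOWN_SUFFIXES:
        if lowered.endswith(suffix.lower()):
            return variant, decrypter
    return None


def triage(paths: List[str]) -> Dict:
    """Count encrypted files per variant, collect ransom notes, and give recovery advice."""
    counts: Counter = Counter()
    notes = set()
    unmatched = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() in RANSOM_NOTES:
            notes.add(name.lower())
            continue
        hit = classify_name(name)
        if hit:
            counts[hit] += 1
        else:
            unmatched.append(name)

    report = []
    for (variant, decrypter), n in counts.most_common():
        if variant == "Globe Imposter" and "how_open_files.hta" not in notes:
            # .crypt is used by several families; demand the imposter's note before trusting it.
            advice = ("the .crypt extension is shared by other families; confirm with the "
                      "HOW_OPEN_FILES.hta note before trying the Globe Imposter decrypter")
        elif decrypter:
            advice = f"try the free {decrypter} on a copy of the files"
        else:
            advice = "no free decrypter is named for this variant; restore from offline backup"
        report.append({"variant": variant, "files": n, "advice": advice})
    return {"variants": report, "ransom_notes": sorted(notes), "unmatched": unmatched}


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for entry in result["variants"]:
        print(f"{entry['variant']}: {entry['files']} file(s); {entry['advice']}")
    print("ransom notes:", result["ransom_notes"])
    print("not recognised:", result["unmatched"])
```

On the sample listing this reports two Globe-encrypted files, the "How to restore your files.hta" note, and budget.xlsx as unmatched (it was never encrypted). Feed it the output of a directory walk on the infected machine; a variant that lands in the "no free decrypter" bucket is the cue to stop experimenting and go to offline backups.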

Finally, always think about protection against crypto-ransomware. To protect your computer from Globe and similar threats, use reputable anti-spyware such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes, and keep offline backups of the files you care about.

How to prevent from getting ransomware

Protect your privacy – employ a VPN

There are several ways to make your online time more private; an incognito tab is one, although it is no secret that you are still tracked for advertising purposes in that mode. A VPN such as Private Internet Access adds a further layer: it routes your traffic through the provider's servers, hiding your IP address and approximate location from the sites you visit, and a strict no-log policy means the provider itself keeps no record of that traffic. Be clear about what it does not do, however: a VPN does not inspect or block malicious email attachments, and it will not stop ransomware like Globe from encrypting files once an attachment is opened. Treat the combination of a secure browser and a VPN as privacy hygiene that complements a patched system, an up-to-date security tool and offline backups, not as ransomware protection on its own.

No backups? Try a data recovery tool

Data loss has many causes: human error, malware attacks, hardware failures, power cuts, natural disasters, or plain negligence. In some cases the lost files are extremely important, and many people simply panic when it happens. That is why you should make proper backups on a regular basis and keep at least one copy disconnected from the computer.

If you were caught without backups, not everything is necessarily lost. Data Recovery Pro is one of the file recovery solutions on the market and may restore deleted items, including emails or data on an external device. Understand the limits, though: undelete tools can only bring back originals that the ransomware deleted after writing an encrypted copy, and only while the disk sectors they occupied have not been reused. Files that were encrypted in place cannot be recovered this way, so stop using the affected drive as soon as possible and run the tool from another system or drive.

About the author
Julie Splinters - Anti-malware specialist

