Globe3 Ransomware

The Globe3 Ransomware is a variant in the Globe Ransomware family that is themed after the popular movie 'The Purge.' The Globe3 Ransomware uses a ransom note, and Desktop picture themed after this movie and appends the extension '.purge' to each file affected during the attack. The Globe3 Ransomware is a typical encryption ransomware variant. The Globe3 Ransomware encrypts the victims' files using a strong encryption method. The Globe3 Ransomware then displays a ransom note that demands that the victim pays a large sum in exchange for the decryption key needed to recover the affected files. Fortunately, PC security analysts have released a decryption utility that can help computer users recover their files after a the Globe3 Ransomware infection.

The Globe3 Ransomware is Another Member of Its Ever-Growing Family

It is likely that the Globe3 Ransomware spreads using spam email attachments. Once the Globe3 Ransomware infects a computer, it first ensures that it is not running on a virtual machine or sandbox environment, used by PC security researchers to test and examine threats in a controlled environment. Once the Globe3 Ransomware determines that it is running on a non-sandbox operating system, it begins its attack, encrypting files on local drives, shared network folders, and external memory devices connected to the infected computer. The Globe3 Ransomware targets nearly one thousand different file types, searching for files that match a list of file extensions in its configuration settings and encrypting them using the Blowfish encryption. After encrypting a file, the Globe3 Ransomware adds the extension '.purge' to the end of the file's name, making it simple to know which files have been affected by the attack.

The Globe3 Ransomware’s Ransom Note

The Globe3 Ransomware delivers its ransom note in an HTA file named 'How to restore files.hta' dropped in most directories where files were encrypted. The Globe3 Ransomware changes the affected computer's settings to allow the HTA file to run automatically when Windows starts up. The Globe3 Ransomware's ransom note includes an ID for the infected computer and the Globe3 Ransomware's creator's email address. Below is the full text of the Globe3 Ransomware ransom note:

'Your files are encrypted!
Your personal ID
{{IDENTIFIER}}
Your documents, photos, databases, save games and other important data has been encrypted.
Data recovery is required interpreter.
To get the interpreter should pay its costs: 3 Bitcoin (3 BTC).
Cash must be translated into Bitcoin-purse: 18XXV3h9zzzJ1R4v6DiGmfgcooG1Vk9B1m
If you have no Bitcoin
Create a wallet Bitcoin: https://blockchain.info/ru/wallet/new
Get cryptocurrency Bitcoin:
https://localbitcoins.com/ru/buy_bitcoins (Visa/MasterCard, QIWI Visa Wallet \xE8 \xE4\xF0.)
https://ru.bitcoin.it/wiki/\xCF\xF0\xE8\xEE\xE1\xF0\xE5\xF2\xE5\xED\xE8\xE5_\xE1\xE8\xF2\xEA\xEE\xE9\xED\xEE\xE2(instruction for beginners)
Send 3 BTC bitcoin address 18XXV3h9zzzJ1R4v6DiGmfgcooG1Vk9B1m
After the payment, send an e-mail address decrypt2017@india.com. In a letter to indicate your personal identifier.
In a response letter you will receive a program to decrypt.
After start-interpreter program, all your files will be restored.
Attention!
Do not attempt to remove the program or run the anti-virus tools
Attempts to self-decrypting files will result in the loss of your data
Decoders are not compatible with other users of your data because each user's unique encryption key.'

Apart from the ransom note, the Globe3 Ransomware will change the infected computer's Desktop image so that it displays characters from 'The Purge: Election Year,' as well as the message 'You files are encrypted. Pay for decryption please' and the email address powerbase@tutanota.com.

Dealing with the Globe3 Ransomware

Oddly enough, the Globe3 Ransomware includes a debug mode that has helped PC security analysts study how the Globe3 Ransomware works. This has allowed PC security analysts to release a decryption utility to help computer users deal with the Globe3 Ransomware. The decryptor has been confirmed with the Globe3 Ransomware variants that use the extensions .decrypt2017 and .hnumkhotep to identify the encrypted files. However, it is very likely that this decryption utility will work with other variants of the Globe3 Ransomware. PC security analysts advise computer users to ensure that backups of all files are maintained to mitigate the damage of any future ransomware attacks, especially those involving threats for which no decryption utility is available.

SpyHunter Detects & Remove Globe3 Ransomware