Globe3 Ransomware

Globe3 Ransomware Description

The Globe3 Ransomware is a variant in the Globe Ransomware family that is themed after the popular movie 'The Purge.' The Globe3 Ransomware uses a ransom note and a Desktop picture themed after this movie, and it appends the extension '.purge' to each file affected during the attack. The Globe3 Ransomware is a typical encryption ransomware variant: it encrypts the victims' files using a strong encryption method and then displays a ransom note demanding that the victim pay a large sum in exchange for the decryption key needed to recover the affected files. Fortunately, PC security analysts have released a decryption utility that can help computer users recover their files after a Globe3 Ransomware infection.

The Globe3 Ransomware is Another Member of Its Ever-Growing Family

It is likely that the Globe3 Ransomware spreads using spam email attachments. Once the Globe3 Ransomware infects a computer, it first checks that it is not running in a virtual machine or sandbox, the kind of controlled environment PC security researchers use to test and examine threats. Once the Globe3 Ransomware determines that it is running on a non-sandbox operating system, it begins its attack, encrypting files on local drives, shared network folders, and external memory devices connected to the infected computer. The Globe3 Ransomware targets nearly one thousand different file types, searching for files that match a list of file extensions in its configuration settings and encrypting them using Blowfish encryption. After encrypting a file, the Globe3 Ransomware adds the extension '.purge' to the end of the file's name, making it simple to know which files have been affected by the attack.

The Globe3 Ransomware's Ransom Note

The Globe3 Ransomware delivers its ransom note in an HTA file named 'How to restore files.hta' dropped in most directories where files were encrypted. The Globe3 Ransomware changes the affected computer's settings to allow the HTA file to run automatically when Windows starts up. The Globe3 Ransomware's ransom note includes an ID for the infected computer and the Globe3 Ransomware's creator's email address. Below is the full text of the Globe3 Ransomware ransom note:

'Your files are encrypted!
Your personal ID
Your documents, photos, databases, save games and other important data has been encrypted.
Data recovery is required interpreter.
To get the interpreter should pay its costs: 3 Bitcoin (3 BTC).
Cash must be translated into Bitcoin-purse: 18XXV3h9zzzJ1R4v6DiGmfgcooG1Vk9B1m
If you have no Bitcoin
Create a wallet Bitcoin:
Get cryptocurrency Bitcoin: (Visa/MasterCard, QIWI Visa Wallet и др.) Приобретение_биткойнов (instruction for beginners)
Send 3 BTC bitcoin address 18XXV3h9zzzJ1R4v6DiGmfgcooG1Vk9B1m
After the payment, send an e-mail address In a letter to indicate your personal identifier.
In a response letter you will receive a program to decrypt.
After start-interpreter program, all your files will be restored.
Do not attempt to remove the program or run the anti-virus tools
Attempts to self-decrypting files will result in the loss of your data
Decoders are not compatible with other users of your data because each user's unique encryption key.'

Apart from the ransom note, the Globe3 Ransomware will change the infected computer's Desktop image so that it displays characters from 'The Purge: Election Year,' as well as the message 'You files are encrypted. Pay for decryption please' and the email address

Dealing with the Globe3 Ransomware

Oddly enough, the Globe3 Ransomware includes a debug mode that has helped PC security analysts study how the Globe3 Ransomware works. This has allowed PC security analysts to release a decryption utility to help computer users deal with the Globe3 Ransomware. The decryptor has been confirmed to work with the Globe3 Ransomware variants that use the extensions .decrypt2017 and .hnumkhotep to identify the encrypted files, and it is very likely that this decryption utility will work with other variants of the Globe3 Ransomware as well. PC security analysts advise computer users to maintain backups of all files to mitigate the damage of any future ransomware attacks, especially those involving threats for which no decryption utility is available.

Technical Information

File System Details

Globe3 Ransomware creates the following file(s):
| # | File Name | Size | MD5 | Detection Count |
|---|---|---|---|---|
| 1 | %USERPROFILE%\Read Me Please.hta | | | 85 |
| 2 | How To Recover Encrypted Files.hta | | | 64 |
| 4 | %SystemDrive%\Users\Java18\AppData\Local\Read Me Please.hta | 5,505 | f4c0a7e3ba039b909b54c4bde39063b3 | 49 |
| 5 | %ALLUSERSPROFILE%!!! READ THIS - IMPORTANT !!!.hta | 3,316 | cce128088b1c50564164b5d03e4460e8 | 48 |
| 6 | %HOMEDRIVE%\Read Me Please.hta | | | 46 |
| 7 | %LOCALAPPDATA%trust.exe | 64,512 | 668c83c1f7f13259ab5d1699ea24d17f | 46 |
| 8 | Read Me Please.hta | | | 43 |
| 9 | !!! READ THIS - IMPORTANT !!!.hta | | | 40 |
| 10 | %ALLUSERSPROFILE%\Application Data\HOW_OPEN_FILES.hta | 4,269 | 7b4c5af49019bd8edfcb947f9c93f14b | 16 |
| 11 | How To Recover Encrypted Files.html | | | 14 |
| 12 | %ALLUSERSPROFILE%How To Recover Encrypted Files.hta | 4,531 | f6c1ab1ad892c5e2d48475b2f5dbec9c | 10 |
| 13 | %SystemDrive%\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\How to restore files.hta | 22 | d9d2a155ffa85b893589f4cadd2c573d | 2 |

Registry Details

Globe3 Ransomware creates the following registry entry or registry entries:
Software\Microsoft\Windows\CurrentVersion\Run, value: How To Recover Encrypted Files
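
The file names, appended extensions and Run value listed on this page can be turned into a quick triage check that shows which directories were hit. The following is an added example, not code from this page's publisher or from any decryptor; the function names, the sample directory tree and the sample Run-key snapshot are constructed for illustration, and flagging any Run entry that launches a .hta file is an assumed heuristic rather than something the page states.

```python
import os
import tempfile

# Indicators taken from this page: ransom-note file names, appended
# extensions, and the Run value name. Matching is case-insensitive.
NOTE_NAMES = {n.lower() for n in (
    "How to restore files.hta", "Read Me Please.hta",
    "How To Recover Encrypted Files.hta", "How To Recover Encrypted Files.html",
    "!!! READ THIS - IMPORTANT !!!.hta", "HOW_OPEN_FILES.hta")}
ENCRYPTED_EXTS = (".purge", ".decrypt2017", ".hnumkhotep")
RUN_VALUE_NAMES = {"how to recover encrypted files"}

def scan_tree(root):
    """Walk root; return {directory: {"notes": [...], "encrypted": [...]}}
    for every directory holding a ransom note or a renamed file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        notes = sorted(f for f in files if f.lower() in NOTE_NAMES)
        enc = sorted(f for f in files if f.lower().endswith(ENCRYPTED_EXTS))
        if notes or enc:
            hits[dirpath] = {"notes": notes, "encrypted": enc}
    return hits

def suspicious_run_values(run_values):
    """run_values: {value name: command} read from a CurrentVersion\\Run key.
    Flags the value name listed on the page and (assumed heuristic) any
    entry whose command launches a .hta file."""
    return sorted(name for name, cmd in run_values.items()
                  if name.lower() in RUN_VALUE_NAMES or ".hta" in cmd.lower())

def demo():
    """Constructed sample data: a temp tree and a fake Run-key snapshot."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        clean = os.path.join(root, "Music")
        os.makedirs(docs)
        os.makedirs(clean)
        for name in ("report.docx.purge", "How to restore files.hta", "todo.txt"):
            open(os.path.join(docs, name), "w").close()
        open(os.path.join(clean, "song.mp3"), "w").close()
        found = scan_tree(root)
        summary = {os.path.relpath(d, root): v for d, v in found.items()}
    run = {"OneDrive": r"C:\Program Files\OneDrive\OneDrive.exe /background",
           "How To Recover Encrypted Files": r"mshta.exe C:\Users\u\note.hta"}
    return summary, suspicious_run_values(run)

if __name__ == "__main__":
    print(demo())
```

On a live Windows host the Run-key dictionary would be filled from the registry (for example with Python's winreg module), and scan_tree pointed at user profiles, shared folders and the Startup folder.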
