Globe Imposter 2.0 Ransomware Description
The Globe Imposter 2.0 Ransomware is a successor of Globe Imposter, a fake version of the infamous Globe Ransomware Trojan that was released in the final months of 2016. The release of unsophisticated threats disguised as more threatening (and often well-known) threats is a common tactic among con artists, often used to increase the likelihood that the victims of the attack will pay the ransom that these threats demand. The most common way in which the Globe Imposter 2.0 Ransomware is being distributed is through the use of corrupted email attachments. The victims will receive a spam email message with an attached DOCX file, opened in Microsoft Word. This file will include a bad macro script that downloads and installs the Globe Imposter 2.0 Ransomware when the file is opened. Learning how to handle spam email and unsolicited email attachments is an essential aspect of dealing with the Globe Imposter 2.0 Ransomware and similar threats.
How the Globe Imposter 2.0 Ransomware Attack Works
Like other encryption ransomware Trojans, the Globe Imposter 2.0 Ransomware will encrypt the victim's files using the AES 256 encryption. The Globe Imposter 2.0 Ransomware searches for files with certain file extensions and makes them inaccessible, with the intention of taking them hostage so that the victim will pay a ransom amount. After encrypting the victim's data, the Globe Imposter 2.0 Ransomware will display a ransom note on the victim's machine, demanding the payment of a ransom in exchange for the decryption key necessary to recover the affected files. The Globe Imposter 2.0 Ransomware targets 34 different file types, looking for files that are user-generated. Once the files have been encrypted, the Globe Imposter 2.0 Ransomware will add a new file extension to mark each affected file. Different variants of the Globe Imposter 2.0 Ransomware have been observed to add the following file extensions to the affected files:
.bad; .BAG; .FIX; .FIXI; .legally;n .keepcalm; .pizdec; .virginlock[firstname.lastname@example.org]SON;
.[email@example.com]; .725; .ocean; .rose; .GOTHAM; .HAPP; .write_me_[firstname.lastname@example.org]; .726; .490; n.skunk.
The Globe Imposter 2.0 Ransomware demands a ransom payment that can range from 1 to 10 BitCoins (thousands of dollars!) Several contact email addresses have been associated with the Globe Imposter 2.0 Ransomware attack, including the following:
The Globe Imposter 2.0 Ransomware Ransom Note
The Globe Imposter 2.0 Ransomware ransom note varies from one variant to the other. A general ransom note used by the Globe Imposter 2.0 Ransomware variants is an HTA file named 'HOW_OPEN_FILES.hta,' which will be placed on the infected computer's desktop. The following, for reference, is the text of the ransom note used by the previous version of the Globe Imposter 2.0 Ransomware:
'Your files are encrypted!
Your personal ID
All your important data has been encrypted. To recover data you need decryptor.
To get the decryptor you should:
pay for decrypt:
site for buy bitcoin:
Buy 1 BTC on one of these sites
bitcoin adress for pay:
Send 1 BTC for decrypt
After the payment:
Send screenshot of payment to email@example.com . In the letter include your personal ID (look at the beginning of this document).
After you will receive a decryptor and instructions
• No Payment = No decryption
• You realy get the decryptor after payment
• Do not attempt to remove the program or run the anti-virus tools
• Attempts to self-decrypting files will result in the loss of your data
• Decoders other users are not compatible with your data, because each user's unique encryption key'
Dealing with the Globe Imposter 2.0 Ransomware
The best protection against the Globe Imposter 2.0 Ransomware is file backups. Having the power to recover the affected files from a backup undoes the strategy of the Globe Imposter 2.0 Ransomware attackers completely, allowing computer users to restore their files easily. A reliable security program also should be used to protect your computer.
Update November 30th, 2018 — The 'firstname.lastname@example.org' Ransomware
is a file cryptor Trojan that you may have the misfortune of encountering if you access corrupted documents on your computer. The 'email@example.com' Ransomware is distributed via spam emails, and it is classified as a mid-tier crypto-threat. You should know that the 'firstname.lastname@example.org' Ransomware is not a unique cyber-threat. The 'email@example.com' Ransomware is a new version of the Globe Imposter 2.0 Ransomware, which emerged as a fake version of the Globe Ransomware back in December 2016. The Globe Imposter 2.0 family of malware expanded to include threats like the Kimchenyn Ransomware and the Uridzu Ransomware.
Now, it appears that the program creators have made an effort to produce an improved version that we refer to as the 'firstname.lastname@example.org' Ransomware. The new version is known to target more than fifty file types and attach a marker to the encrypted objects. The first wave of incidents associated with the Trojan show that it appends the '.crypted_bizarrio@pay4me_in' suffix to filenames. For example, 'Black Library - Howl of the Banshee.epub' is renamed to 'Black Library - Howl of the Banshee.epub.crypted_bizarrio@pay4me_in' and a ransom note named 'how_to_back_files.html' is dropped to the desktop. The ransom notification is likely to be loaded in the system's default Web browser once the malware deletes its files from the Temp folder. The message presented by the 'email@example.com' Ransomware reads:
'YOUR FILES ARE ENCRYPTED!
Your documents, photos, databases and all the rest files encrypted cryptographically strong algoritm. Without a secret key stored with us, the restoration of your files is impossible
To start the recovery process:
Send an email to: firstname.lastname@example.org with your personal ID in the message body.
In response, we will send you further instructions on decrypting your files.
Your personal ID:
It is in your interest to respond as soon as possible to ensure the recovery of your files, because we will not store your decryption keys on our server for a long time.
Be sure to add our email addresses to the trusted list, in your email client's settings. And also check the folder "Spam" when waiting for an email from us.
If we do not respond to your message for more than 24 hours, write to the back-up email:
We recommend avoiding contact with the ransomware operators via 'email@example.com' and 'firstname.lastname@example.org.' You should remove the 'email@example.com' Ransomware using a credible anti-malware instrument and load data backups to recover your files. Complying with the ransom demands is not likely to lead to a favorable outcome for you. PC users should take the time to install a backup manager considering the spread of data wipers and ransomware in recent months.
File System Details
|#||File Name||Size||MD5||Detection Count|
This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.