Threat Database Ransomware Globe Imposter 2.0 Ransomware

Globe Imposter 2.0 Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Ranking: 17,016
Threat Level: 100 % (High)
Infected Computers: 5,568
First Seen: August 8, 2017
Last Seen: July 2, 2023
OS(es) Affected: Windows

Globe Imposter 2.0 Ransomware Image

The Globe Imposter 2.0 Ransomware is a successor of Globe Imposter, a fake version of the infamous Globe Ransomware Trojan that was released in the final months of 2016. The release of unsophisticated threats disguised as more threatening (and often well-known) threats is a common tactic among con artists, often used to increase the likelihood that the victims of the attack will pay the ransom that these threats demand. The most common way in which the Globe Imposter 2.0 Ransomware is being distributed is through the use of corrupted email attachments. The victims will receive a spam email message with an attached DOCX file, opened in Microsoft Word. This file will include a bad macro script that downloads and installs the Globe Imposter 2.0 Ransomware when the file is opened. Learning how to handle spam email and unsolicited email attachments is an essential aspect of dealing with the Globe Imposter 2.0 Ransomware and similar threats.

How the Globe Imposter 2.0 Ransomware Attack Works

Like other encryption ransomware Trojans, the Globe Imposter 2.0 Ransomware will encrypt the victim's files using the AES 256 encryption. The Globe Imposter 2.0 Ransomware searches for files with certain file extensions and makes them inaccessible, with the intention of taking them hostage so that the victim will pay a ransom amount. After encrypting the victim's data, the Globe Imposter 2.0 Ransomware will display a ransom note on the victim's machine, demanding the payment of a ransom in exchange for the decryption key necessary to recover the affected files. The Globe Imposter 2.0 Ransomware targets 34 different file types, looking for files that are user-generated. Once the files have been encrypted, the Globe Imposter 2.0 Ransomware will add a new file extension to mark each affected file. Different variants of the Globe Imposter 2.0 Ransomware have been observed to add the following file extensions to the affected files:

.bad; .BAG; .FIX; .FIXI; .legally;n .keepcalm; .pizdec; .virginlock[]SON;
.[]; .725; .ocean; .rose; .GOTHAM; .HAPP; .write_me_[]; .726; .490; n.skunk.

The Globe Imposter 2.0 Ransomware demands a ransom payment that can range from 1 to 10 BitCoins (thousands of dollars!) Several contact email addresses have been associated with the Globe Imposter 2.0 Ransomware attack, including the following:


The Globe Imposter 2.0 Ransomware Ransom Note

The Globe Imposter 2.0 Ransomware ransom note varies from one variant to the other. A general ransom note used by the Globe Imposter 2.0 Ransomware variants is an HTA file named 'HOW_OPEN_FILES.hta,' which will be placed on the infected computer's desktop. The following, for reference, is the text of the ransom note used by the previous version of the Globe Imposter 2.0 Ransomware:

'Your files are encrypted!
Your personal ID
All your important data has been encrypted. To recover data you need decryptor.
To get the decryptor you should:
pay for decrypt:
site for buy bitcoin:
Buy 1 BTC on one of these sites
bitcoin adress for pay:
Send 1 BTC for decrypt
After the payment:
Send screenshot of payment to . In the letter include your personal ID (look at the beginning of this document).
After you will receive a decryptor and instructions
• No Payment = No decryption
• You realy get the decryptor after payment
• Do not attempt to remove the program or run the anti-virus tools
• Attempts to self-decrypting files will result in the loss of your data
• Decoders other users are not compatible with your data, because each user's unique encryption key'

Dealing with the Globe Imposter 2.0 Ransomware

The best protection against the Globe Imposter 2.0 Ransomware is file backups. Having the power to recover the affected files from a backup undoes the strategy of the Globe Imposter 2.0 Ransomware attackers completely, allowing computer users to restore their files easily. A reliable security program also should be used to protect your computer.

Update November 30th, 2018 — The '' Ransomware

is a file cryptor Trojan that you may have the misfortune of encountering if you access corrupted documents on your computer. The '' Ransomware is distributed via spam emails, and it is classified as a mid-tier crypto-threat. You should know that the '' Ransomware is not a unique cyber-threat. The '' Ransomware is a new version of the Globe Imposter 2.0 Ransomware, which emerged as a fake version of the Globe Ransomware back in December 2016. The Globe Imposter 2.0 family of malware expanded to include threats like the Kimchenyn Ransomware and the Uridzu Ransomware.

Now, it appears that the program creators have made an effort to produce an improved version that we refer to as the '' Ransomware. The new version is known to target more than fifty file types and attach a marker to the encrypted objects. The first wave of incidents associated with the Trojan show that it appends the '.crypted_bizarrio@pay4me_in' suffix to filenames. For example, 'Black Library - Howl of the Banshee.epub' is renamed to 'Black Library - Howl of the Banshee.epub.crypted_bizarrio@pay4me_in' and a ransom note named 'how_to_back_files.html' is dropped to the desktop. The ransom notification is likely to be loaded in the system's default Web browser once the malware deletes its files from the Temp folder. The message presented by the '' Ransomware reads:

Your documents, photos, databases and all the rest files encrypted cryptographically strong algoritm. Without a secret key stored with us, the restoration of your files is impossible
To start the recovery process:
Send an email to: with your personal ID in the message body.
In response, we will send you further instructions on decrypting your files.
Your personal ID:
[random characters]
It is in your interest to respond as soon as possible to ensure the recovery of your files, because we will not store your decryption keys on our server for a long time.
Be sure to add our email addresses to the trusted list, in your email client's settings. And also check the folder "Spam" when waiting for an email from us.
If we do not respond to your message for more than 24 hours, write to the back-up email:'

We recommend avoiding contact with the ransomware operators via '' and '' You should remove the '' Ransomware using a credible anti-malware instrument and load data backups to recover your files. Complying with the ransom demands is not likely to lead to a favorable outcome for you. PC users should take the time to install a backup manager considering the spread of data wipers and ransomware in recent months.

SpyHunter Detects & Remove Globe Imposter 2.0 Ransomware

File System Details

Globe Imposter 2.0 Ransomware may create the following file(s):
# File Name MD5 Detections
1. 575A.tmp.exe 86a8e2327f003d25a2abef413473218b 594
2. btc2017-india_2017-08-17_11-05.exe b4ed40a147d3e280e85b4f40d64a93b4 97
3. btc2017-india_2017-08-17_09-21.exe 04d852a8b7f29ca797bbdb82eb0ae874 59
4. AU3_EXE.exe d78a1829b5c9db3ef2fe01d43cdd91b6 21
5. dcom-ransomware.exe afe5f38b22233a2f63b5527da807cf10 5
6. 0c9194550fe425b6e2d9d87371aff4a3114b849ccca60b220fdd37e5d2b5be8d.exe 70f5ed63c92fea27f8f8e5c2413bf323 2
7. file.exe 1905c6ac4e63e975690669fa183943bf 1
8. file.exe 8552042bd59e3ff6b9fb97f5f7778ee1 1
9. file.exe bfc214a781108b92d143b896b56b202b 0
10. 7afd55f0c98f65d41f836613d825a895 7afd55f0c98f65d41f836613d825a895 0
11. IGAMI.exe b02dbce0663e5a22bdbe5241110a7a80 0

Registry Details

Globe Imposter 2.0 Ransomware may create the following registry entry or registry entries:

1 Comment

I was just hit with what looks like Globe2 ransome or something like it


Most Viewed