Globe Imposter 2.0 Ransomware

Globe Imposter 2.0 Ransomware Description

The Globe Imposter 2.0 Ransomware is a successor of Globe Imposter, a fake version of the infamous Globe Ransomware Trojan that was released in the final months of 2016. Releasing unsophisticated threats disguised as more dangerous (and often well-known) ones is a common tactic among con artists, used to increase the likelihood that the victims of the attack will pay the ransom these threats demand. The most common way in which the Globe Imposter 2.0 Ransomware is distributed is through corrupted email attachments. The victims receive a spam email message with an attached DOCX file that is opened in Microsoft Word. This file includes a bad macro script that downloads and installs the Globe Imposter 2.0 Ransomware when the file is opened. Learning how to handle spam email and unsolicited email attachments is an essential aspect of dealing with the Globe Imposter 2.0 Ransomware and similar threats.

How the Globe Imposter 2.0 Ransomware Attack Works

Like other encryption ransomware Trojans, the Globe Imposter 2.0 Ransomware encrypts the victim's files using AES-256 encryption. It searches for files with certain file extensions and makes them inaccessible, taking them hostage so that the victim will pay a ransom. After encrypting the victim's data, the Globe Imposter 2.0 Ransomware displays a ransom note on the victim's machine, demanding payment in exchange for the decryption key needed to recover the affected files. The Globe Imposter 2.0 Ransomware targets 34 different file types, looking for user-generated files. Once the files have been encrypted, the Globe Imposter 2.0 Ransomware adds a new file extension to mark each affected file. Different variants of the Globe Imposter 2.0 Ransomware have been observed to add the following file extensions to the affected files:

.bad; .BAG; .FIX; .FIXI; .legally; .keepcalm; .pizdec; .virginlock[byd@india.com]SON;
.[xalienx@india.com]; .725; .ocean; .rose; .GOTHAM; .HAPP; .write_me_[btc2017@india.com]; .726; .490; .skunk.

The Globe Imposter 2.0 Ransomware demands a ransom payment that can range from 1 to 10 Bitcoins (thousands of dollars). Several contact email addresses have been associated with the Globe Imposter 2.0 Ransomware attack, including the following:

  • keepcalmpls@india.com;
  • happydaayz@aol.com;
  • strongman@india.com;
  • byd@india.com;
  • xalienx@india.com;
  • 511_made@cyber-wizard.com;
  • btc.me@india.com.

The Globe Imposter 2.0 Ransomware Ransom Note

The Globe Imposter 2.0 Ransomware ransom note varies from one variant to another. A general ransom note used by the Globe Imposter 2.0 Ransomware variants is an HTA file named 'HOW_OPEN_FILES.hta,' which is placed on the infected computer's desktop. The following, for reference, is the text of the ransom note used by the previous version of the Globe Imposter 2.0 Ransomware:

'Your files are encrypted!
Your personal ID
***
All your important data has been encrypted. To recover data you need decryptor.
To get the decryptor you should:
pay for decrypt:
site for buy bitcoin:
Buy 1 BTC on one of these sites
1. https://localbitcoins.com
2. https://www.coinbase.com
3. https://xchange.cc
bitcoin adress for pay:
jlHqcdC83***:
Send 1 BTC for decrypt
After the payment:
Send screenshot of payment to alex_pup@list.ru . In the letter include your personal ID (look at the beginning of this document).
After you will receive a decryptor and instructions
Attention!
• No Payment = No decryption
• You realy get the decryptor after payment
• Do not attempt to remove the program or run the anti-virus tools
• Attempts to self-decrypting files will result in the loss of your data
• Decoders other users are not compatible with your data, because each user's unique encryption key'

Dealing with the Globe Imposter 2.0 Ransomware

The best protection against the Globe Imposter 2.0 Ransomware is file backups. Being able to recover the affected files from a backup undoes the strategy of the Globe Imposter 2.0 Ransomware attackers completely, allowing computer users to restore their files easily. A reliable security program should also be used to protect your computer.

Update November 30th, 2018 — The 'bizarrio@pay4me.in' Ransomware

The 'bizarrio@pay4me.in' Ransomware is a file cryptor Trojan that you may have the misfortune of encountering if you access corrupted documents on your computer. It is distributed via spam emails and is classified as a mid-tier crypto-threat. You should know that the 'bizarrio@pay4me.in' Ransomware is not a unique cyber-threat: it is a new version of the Globe Imposter 2.0 Ransomware, which emerged as a fake version of the Globe Ransomware back in December 2016. The Globe Imposter 2.0 family of malware has expanded to include threats like the Kimchenyn Ransomware and the Uridzu Ransomware.

Now, it appears that the program's creators have made an effort to produce an improved version, which we refer to as the 'bizarrio@pay4me.in' Ransomware. The new version is known to target more than fifty file types and to attach a marker to the encrypted objects. The first wave of incidents associated with the Trojan shows that it appends the '.crypted_bizarrio@pay4me_in' suffix to filenames. For example, 'Black Library - Howl of the Banshee.epub' is renamed to 'Black Library - Howl of the Banshee.epub.crypted_bizarrio@pay4me_in', and a ransom note named 'how_to_back_files.html' is dropped on the desktop. The ransom notification is likely to be loaded in the system's default Web browser once the malware deletes its files from the Temp folder. The message presented by the 'bizarrio@pay4me.in' Ransomware reads:

'YOUR FILES ARE ENCRYPTED!
Your documents, photos, databases and all the rest files encrypted cryptographically strong algoritm. Without a secret key stored with us, the restoration of your files is impossible
To start the recovery process:
Send an email to: bizarrio@pay4me.in with your personal ID in the message body.
In response, we will send you further instructions on decrypting your files.
Your personal ID:
[random characters]
P.S.
It is in your interest to respond as soon as possible to ensure the recovery of your files, because we will not store your decryption keys on our server for a long time.
Be sure to add our email addresses to the trusted list, in your email client's settings. And also check the folder "Spam" when waiting for an email from us.
If we do not respond to your message for more than 24 hours, write to the back-up email:
bizarrio@venom.io'

We recommend avoiding contact with the ransomware operators via 'bizarrio@venom.io' and 'bizarrio@pay4me.in.' You should remove the 'bizarrio@pay4me.in' Ransomware using a credible anti-malware instrument and restore your files from data backups. Complying with the ransom demands is not likely to lead to a favorable outcome for you. PC users should take the time to install a backup manager, considering the spread of data wipers and ransomware in recent months.
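Scoping an infection from the filename markers described above, as an added example that is not code from the page or from the malware: the script walks a directory, flags files ending with one of the extension markers listed for the Globe Imposter 2.0 variants or with the '.crypted_bizarrio@pay4me_in' suffix of the 'bizarrio@pay4me.in' version, recovers each file's pre-encryption name so it can be matched against a backup, and lists dropped copies of 'HOW_OPEN_FILES.hta' and 'how_to_back_files.html'. The sample directory it builds is constructed for the demonstration, and `build_sample_dir`, `scan_tree` and the other function names are this example's own.

```python
"""Scope a Globe Imposter 2.0 infection from the filename markers it leaves.

Added example, not code from the page or from the malware.  Walks a directory,
flags files that end with one of the documented extension markers, recovers
the pre-encryption filename for backup matching, and lists dropped ransom notes.
"""
import os
import tempfile

# Extension markers reported for Globe Imposter 2.0 variants, plus the
# '.crypted_bizarrio@pay4me_in' suffix of the 'bizarrio@pay4me.in' version.
GLOBE_IMPOSTER_MARKERS = (
    ".bad", ".BAG", ".FIX", ".FIXI", ".legally", ".keepcalm", ".pizdec",
    ".virginlock[byd@india.com]SON", ".[xalienx@india.com]", ".725", ".ocean",
    ".rose", ".GOTHAM", ".HAPP", ".write_me_[btc2017@india.com]", ".726",
    ".490", ".skunk", ".crypted_bizarrio@pay4me_in",
)

# Ransom note filenames named in the write-up.
RANSOM_NOTES = {"HOW_OPEN_FILES.hta", "how_to_back_files.html"}


def marker_for(filename):
    """Return the marker `filename` ends with, or None.

    Matching is case-sensitive because some markers differ only in case
    (.bad vs .BAG); a bare marker with no name in front of it is not a hit.
    """
    for marker in sorted(GLOBE_IMPOSTER_MARKERS, key=len, reverse=True):
        if len(filename) > len(marker) and filename.endswith(marker):
            return marker
    return None


def original_name(filename):
    """Strip the marker to recover the name the file had before encryption."""
    marker = marker_for(filename)
    return filename[:-len(marker)] if marker else filename


def scan_tree(root):
    """Walk `root` and return (encrypted, notes, markers_seen).

    encrypted:    list of (path, original basename, marker)
    notes:        paths of ransom note files
    markers_seen: set of markers found, which identifies the variant(s)
    """
    encrypted, notes, markers_seen = [], [], set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTES:
                notes.append(path)
                continue
            marker = marker_for(name)
            if marker:
                markers_seen.add(marker)
                encrypted.append((path, original_name(name), marker))
    return encrypted, notes, markers_seen


def build_sample_dir():
    """Create a constructed sample tree (not real victim data); return its root."""
    root = tempfile.mkdtemp(prefix="globe_imposter_demo_")
    sample = [
        "Documents/budget.xlsx.GOTHAM",
        "Documents/notes.txt.write_me_[btc2017@india.com]",
        "Pictures/holiday.jpg.crypted_bizarrio@pay4me_in",
        "Pictures/thumbs.db",              # untouched file
        "Desktop/HOW_OPEN_FILES.hta",      # ransom note, older variants
        "Desktop/how_to_back_files.html",  # ransom note, bizarrio version
        "Music/song.mp3",                  # untouched file
    ]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    encrypted, notes, markers_seen = scan_tree(build_sample_dir())
    print("variant markers:", sorted(markers_seen))
    for path, original, marker in encrypted:
        print(f"{path}  <- restore '{original}' from backup ({marker})")
    for path in notes:
        print("ransom note:", path)
```

Short markers such as '.725', '.490' or '.rose' can collide with legitimate filenames, so the output is a triage list to confirm against file contents and the presence of a ransom note, not proof of encryption on its own.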

Technical Information

File System Details

Globe Imposter 2.0 Ransomware creates the following file(s) (size in bytes, MD5 hash, and detection count):
1. %SYSTEMDRIVE%\Users\Globo\AppData\Local\575A.tmp.exe\575A.tmp.exe (431,616 bytes; MD5 86a8e2327f003d25a2abef413473218b; 592 detections)
2. %WINDIR%\System32\btc2017-india_2017-08-17_11-05.exe (245,248 bytes; MD5 b4ed40a147d3e280e85b4f40d64a93b4; 97 detections)
3. %SYSTEMDRIVE%\Users\Sol\AppData\Local\_biz_.exe\_biz_.exe (54,272 bytes; MD5 31abe8f49b21d4ad3c7ce94839ba507a; 69 detections)
4. %WINDIR%\System32\btc2017-india_2017-08-17_09-21.exe (245,248 bytes; MD5 04d852a8b7f29ca797bbdb82eb0ae874; 59 detections)
5. %SYSTEMDRIVE%\Users\usuario\AppData\Local\AU3_EXE.exe\AU3_EXE.exe (175,616 bytes; MD5 d78a1829b5c9db3ef2fe01d43cdd91b6; 21 detections)
6. %SYSTEMDRIVE%\users\administrator\appdata\local\1cmd.exe (54,784 bytes; MD5 c5f1756ae282f3021e72125a34a01557; 3 detections)
7. C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0c9194550fe425b6e2d9d87371aff4a3114b849ccca60b220fdd37e5d2b5be8d.exe (413,696 bytes; MD5 70f5ed63c92fea27f8f8e5c2413bf323; 2 detections)
8. C:\Users\user\AppData\Local\ransomware.exe (57,344 bytes; MD5 67096c6b443417870c08e655692173b6; 1 detection)
9. file.exe (273,920 bytes; MD5 bfc214a781108b92d143b896b56b202b; 0 detections)
10. 7afd55f0c98f65d41f836613d825a895 (200,192 bytes; MD5 7afd55f0c98f65d41f836613d825a895; 0 detections)
11. IGAMI.exe (424,888 bytes; MD5 b02dbce0663e5a22bdbe5241110a7a80; 0 detections)

Registry Details

Globe Imposter 2.0 Ransomware creates the following registry entries:
Registry key
Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck
Software\Microsoft\Windows\CurrentVersion\RunOnce\CertificatesCheck
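Checking a machine against the indicators in the File System Details and Registry Details above, as an added example that is not code from the page: it hashes every file under a directory against the MD5 values from the file table and matches an exported list of registry paths against the two RunOnce entries. The sample files and the registry listing are constructed for the demonstration; that the registry paths would be collected on a live Windows host with `reg query` or the winreg module is an assumption about how the input is obtained, and `hash_sweep`, `runonce_hits` and the other names are this example's own.

```python
"""Sweep a host for the Globe Imposter 2.0 file and registry indicators.

Added example, not code from the page.  Hashes files under a directory and
reports any whose MD5 is in the File System Details table, and checks an
exported list of registry paths for the two RunOnce entries.
"""
import hashlib
import os
import tempfile

# MD5 values from the File System Details table above.
GLOBE_IMPOSTER_MD5 = frozenset({
    "86a8e2327f003d25a2abef413473218b", "b4ed40a147d3e280e85b4f40d64a93b4",
    "31abe8f49b21d4ad3c7ce94839ba507a", "04d852a8b7f29ca797bbdb82eb0ae874",
    "d78a1829b5c9db3ef2fe01d43cdd91b6", "c5f1756ae282f3021e72125a34a01557",
    "70f5ed63c92fea27f8f8e5c2413bf323", "67096c6b443417870c08e655692173b6",
    "bfc214a781108b92d143b896b56b202b", "7afd55f0c98f65d41f836613d825a895",
    "b02dbce0663e5a22bdbe5241110a7a80",
})

# Registry entries from the Registry Details section, matched under any hive
# and case-insensitively because registry paths are not case-sensitive.
RUNONCE_ENTRIES = (
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce\CertificatesCheck",
)


def md5_file(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_sweep(root, known_md5=GLOBE_IMPOSTER_MD5):
    """Return [(path, md5)] for files under `root` whose MD5 is in `known_md5`.

    Unreadable files (locked by a running process, permission denied) are
    skipped rather than treated as clean; list them separately if needed.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_file(path)
            except OSError:
                continue
            if digest in known_md5:
                hits.append((path, digest))
    return hits


def runonce_hits(registry_paths):
    """Return the entries of `registry_paths` that match the RunOnce indicators.

    `registry_paths` is an iterable of full paths such as
    'HKEY_CURRENT_USER\\Software\\...\\RunOnce\\BrowserUpdateCheck', as an
    export of the RunOnce keys would list them (assumed input format).
    """
    wanted = tuple(entry.lower() for entry in RUNONCE_ENTRIES)
    return [p for p in registry_paths if p.lower().rstrip("\\").endswith(wanted)]


def build_sample_host():
    """Constructed sample (not a real infected host): a small file tree and a
    registry path listing.  Returns (root, registry_paths)."""
    root = tempfile.mkdtemp(prefix="globe_ioc_demo_")
    for name, content in (("setup.exe", b"constructed benign binary\n"),
                          ("1cmd.exe", b"constructed suspect binary\n")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    registry_paths = [
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\CertificatesCheck",
    ]
    return root, registry_paths


if __name__ == "__main__":
    root, registry_paths = build_sample_host()
    print("hash matches:", hash_sweep(root))  # constructed files are not the samples
    print("RunOnce matches:", runonce_hits(registry_paths))
```

MD5 is used only because those are the hashes the page provides; a single changed byte in a rebuilt sample defeats hash matching, so a clean sweep is inconclusive, while a hit on one of the RunOnce entries or a file at one of the listed paths is worth investigating even without a hash match.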

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.

One Comment

  • Tony Johnson:

    I was just hit with what looks like Globe2 ransom or something like it
