Ransomware Research

GlobeImposter Ransomware

GlobeImposter is a ransomware strain that encrypts victim files and demands a ransom payment for decryption. It was first observed in the wild on December 1, 2016 and has since been used against systems worldwide. Security researchers also track this malware under the aliases Fake Globe, GlobeImposter NextGen, FakeGlobeImposter and GlobeImposterImitator.

Quick Facts

Ransomware Family: GlobeImposter
First Seen: December 1, 2016
Known Aliases: Fake Globe, GlobeImposter NextGen, FakeGlobeImposter, GlobeImposterImitator

How GlobeImposter Ransomware Works

Targeted Files

Public sandbox analyses and sample hashes recorded for this family, with the analyst's notes on each sample:

  • https://www.hybrid-analysis.com/sample/0eba3152530bc8088dfc4893da6fa7c9a87dfed8a18ae2850188e0e01c4f37e5?environmentId=100
  • https://app.any.run/tasks/e8ebd6da-ba18-4264-a9a5-def429300cc5/
  • https://app.any.run/tasks/e97df7a2-ed81-49bb-b79e-245e24498b73/
  • https://app.any.run/tasks/2bd3de9a-a023-4112-b8cc-0889c91f6c68/
  • https://www.joesandbox.com/analysis/559494/0/html
  • 1f2603d894a386d018667354a660d22cf6317b31ba93b47711980b42bc82ac6f -> does not change filenames
  • 70406206c77dccf034d893495cfeac1cb89066375f57947dfdcf139a575e8663 -> dropper
  • ae0d28e8d57329866624ec6cf63b9609fe9e685200029d3aa207eda67747fcd7 -> requires C&C (can be emulated with FakeNet-NG)

File Encryption Patterns

GlobeImposter modifies encrypted files using specific patterns to mark them as encrypted:

File extensions added after encryption:


Ransom Note and Payment Demands

After encrypting files, GlobeImposter drops ransom notes demanding payment for file recovery. Note filenames observed across variants are listed below; where the database holds a copy of the note text, its path under notes/ is given together with where the note is dropped:

  • Help Restore.hta (note text: notes/Help Restore.hta; location: every folder)
  • recover files.hta (note text: notes/recover files.hta; location: every folder)
  • read_it.txt (note text: notes/read_it.txt; location: every folder)
  • read-me.txt (note text: notes/read-me.txt; location: every folder)
  • how_to_back_files.html (note text: notes/how_to_back_files.html; location: every folder)
  • how_to_recover_files.html
  • RECOVERY_DARKBIT.txt (note text: notes/RECOVERY_DARKBIT.txt; location: every folder)
  • Read___ME.html (note text: notes/Read___ME.html; location: every folder)
  • free_files!.html (note text: notes/free_files!.html; location: every folder)
  • HOW TO DECRYPT FILES.TXT
  • !!!README!!!
  • RECOVER-FILES.html (note text: notes/RECOVER-FILES.html; location: every folder)
  • MESSAGE.html (note text: notes/MESSAGE.html; location: every folder)
  • #HOW_DECRYPT_FILES#.html (note text: notes/#HOW_DECRYPT_FILES#.html; location: every folder)
  • $DECRYPT_YOUR_FILES$.html (note text: notes/$DECRYPT_YOUR_FILES$.html; location: every folder)
  • !back_files!.html (note text: notes/!back_files!.html; location: every folder)
  • here_your_files!.html (note text: notes/here_your_files!.html; location: every folder)
  • Read_Me.html (note text: notes/Read_Me.html; location: every folder)
  • !your_files!.html (note text: notes/!your_files!.html; location: every folder)
  • YOU_FILES_HERE.txt (note text: notes/YOU_FILES_HERE.txt; location: every folder)
  • !SOS!.html (note text: notes/!SOS!.html; location: every folder)
  • #DECRYPT_FILES#.html
  • READ_IT.html (note text: notes/READ_IT.html; location: every folder)
  • Instructions.txt
  • HELP.hta (note text: notes/HELP.hta; location: Roaming)
  • #HOU_DECRYPT_ALL#.html
  • instruction.html
  • FILES ENCRYPTED.html
  • instructions.html (note text: notes/instructions.html; location: every folder)
  • READ_ME.txt (note text: notes/READ_ME.txt; location: every folder)
  • READ__ME.html (note text: notes/READ__ME.html; location: every folder)
  • FILES ENCRYPTED
  • doc.html
  • Как_вернуть_файлы.html
  • HOW_TO_BACK_FILES.html
  • Read_ME.html (note text: notes/Read_ME.html; location: every folder)
  • Read_For_Restore_File.html
  • How to restore your files.hta
  • HOW_TO_RECOVER_FILES.html
  • doc.html
  • $DECRYPT$.html
  • How_to_decrypt_files.html
  • Readme.html
  • HOW_TO_BACK_FILES.txt (note text: notes/HOW_TO_BACK_FILES.txt; location: every folder)
  • support.html (note text: notes/support.html; location: every folder)
  • Restore-My-Files.txt (note text: notes/Restore-My-Files.txt; location: every folder)
  • how_to_back_files.htm
  • HOW TO BACK YOUR FILES.txt
  • DECRYPT FILES.TXT
  • HOW_RECOVER.html (note text: notes/HOW_RECOVER.html; location: every folder)
  • !INSTRUCTI0NS!.TXT (note text: notes/!INSTRUCTI0NS!.TXT; location: every folder)
  • HOW TO BACK YOUR FILES.TXT
  • decrypt_files.html
  • HowToBackFiles.html
  • how_to_open_files.html (note text: notes/how_to_open_files.html; location: every folder)
  • read_for_restore_file.html
  • help you.txt (note text: notes/help you.txt; location: every folder)
  • Decryption INFO.html (note text: notes/Decryption INFO.html; location: every folder)
  • My_Files.txt
  • !!!HOW_TO_BACK_FILES!!!.html (note text: notes/!!!HOW_TO_BACK_FILES!!!.html; location: every folder)

Technical Indicators

Associated Executable Files

The following executable files are associated with GlobeImposter ransomware:

  • cyber_chinya.exe
  • подтверждение.exe
  • gen_vk.exe
  • 2-0.5.exe
  • oni.exe
  • oni.exe_org
  • 9b.exe
  • d104.exe
  • kqhtzxaerb.exe
  • StandardSignals
  • Shown
  • spacelol.kaf_decrypted
  • ???? - ????? ????????.scr
  • DOCU11072017 - ?????.scr
  • Июль - новый документ.scr
  • Копия за июль.scr
  • DOCU11072017 - копия.scr
  • file.scr
  • Июль - новый документ.scr
  • - .scr
  • Trojan.Ransom.GlobeImposter.exe
  • Purgen.exe
  • GlobeImposter_Gotham_Variant.exe
  • svchost.exe
  • globeimposter_gotham_variant.exe
  • GlobeImposter_Happ_or_Crypt_Variant.exe
  • PascalABCNET.exe
  • 26591.exe
  • executable.exe
  • HPLaserJetService.exe
  • globe.exe
  • 3
  • 3.2
  • INV-000342.vbs
  • System.exe
  • 1.dat
  • 113810.exe
  • 174394.exe
  • 1.dat.exe
  • Modifiable Irqs
  • Interl thesaurus service.exe
  • 30.exe
  • 30.11.2017.scr
  • 30 ???????.scr
  • 2.exe
  • 30 .scr
  • 30 октября.scr
  • globeimposter.exe
  • 1.exe
  • moi_09_11_2017.exe
  • chess.exe.old
  • chess.exe
  • GlobeImposter.exe
  • 06c82e99.gxe
  • UYTd46732
  • UYTd46732.exe
  • 06.12.17.scr
  • 06.12.17 ?????.scr
  • 06.12.scr
  • tOldHSYW
  • file.exe
  • rWRCCRTqJ2.exe
  • tOldHSYW.exe
  • a (144).exe
  • virus (110).exe
  • 3c701aa9.gxe
  • myfile.exe
  • toldhsyw.exe
  • Nbd
  • 22 ??????.scr~.~VIRUS~
  • 22 ??????.scr
  • 22 января 2018.scr
  • 22 янв.scr
  • 22 ???????????.scr
  • 22 янв.xxx
  • 22 янв.scr (3)
  • 22 ?????? 2018.scr
  • 22 .scr
  • 22 ???.scr
  • 64secondmix.exe
  • service_viewer.exe
  • IntelManagerService.exe
  • suspect01.exe
  • Resume.doc.bin
  • conhost.exe
  • cmd
  • Intel Core Update.exe
  • globeimposter
  • SEXY3.EXE
  • 勒索.exe
  • test_v.doc
  • svhost.exe
  • font.bin
  • font.exe
  • 1anami2.exe
  • abat.exe
  • cmd.exe
  • _ski_.exe
  • BulkFileChanger
  • BulkFileChanger.exe
  • 43755.exe_
  • graf
  • Graf_b2.exe
  • velasquez.joeli.exe
  • TlJjg.bin
  • rdfg546fgh.exe
  • dplaysvr.exe
  • ChromeSetup.exe
  • 9CXZLII4.exe
  • _lio_.exe
  • DJ0507.EXE
  • tanos.exe
  • Erenahen.exe
  • _gke_.exe
  • _ayr_.exe
  • d_upd1008.exe
  • SYSTEM.EXE
  • lorena.bin
  • HAPPYTHREE.EXE
  • _aro.exe
  • __aro.bin
  • lockisdog.bin
  • lockisdog.exe
  • _yosKa4_.exe
  • IntelTheasurusService.exe
  • lock.exe
  • HAPPYTHREE.EXE.exe
  • winlogon.exe
  • bit.exe
  • sb_373999_bs
  • 8curse.exe
  • 重要書類.exe
  • darkbit.exe
  • Tenorshare 4mekeyy.exe
  • wlnlogon.exe
  • TuRKey_RanSOmWarE.exe
  • System.ini.exe
  • TuRKey_RanSOmWarE.bin
  • Netflorist Coupon Generator.exe
  • Netflorist.exe
  • f0l883C310jlvRp.exe
  • clown.exe
  • ETH 200.exe
  • sql_service.exe
  • software.exe
  • star.exe
  • 1[1].dat
  • apkcrypt.exe
  • zmt.exe
  • rooster4444.exe
  • xrzrgjts.exe
  • ADOBE ACROBAT UPDATE SERVICE.EXE
  • FastEncrypt.EXE
  • _nak_.exe

Recovery and Decryption Tools

The database currently lists 0 decryption tools for GlobeImposter.


About This Analysis

This GlobeImposter ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like GlobeImposter.

Last updated: July 30, 2025
