GlobeImposter Ransomware
GlobeImposter is a ransomware family that encrypts victim files and demands a ransom payment for the decryption key. It was first observed in the wild on December 1, 2016 and has since been used against systems worldwide in many short-lived campaigns, each with its own appended extension and contact address. Security researchers also track the family under the aliases Fake Globe, GlobeImposter NextGen, FakeGlobeImposter and GlobeImposterImitator (the name comes from its imitation of the earlier Globe ransomware's ransom note).
Quick Facts
- Ransomware Family: GlobeImposter
- First Seen: December 1, 2016
- Known Aliases: Fake Globe, GlobeImposter NextGen, FakeGlobeImposter, GlobeImposterImitator
How GlobeImposter Ransomware Works
Analyzed Samples
Public sandbox reports referenced for this family:
- https://www.hybrid-analysis.com/sample/0eba3152530bc8088dfc4893da6fa7c9a87dfed8a18ae2850188e0e01c4f37e5?environmentId=100
- https://app.any.run/tasks/e8ebd6da-ba18-4264-a9a5-def429300cc5/
- https://app.any.run/tasks/e97df7a2-ed81-49bb-b79e-245e24498b73/
- https://app.any.run/tasks/2bd3de9a-a023-4112-b8cc-0889c91f6c68/
- https://www.joesandbox.com/analysis/559494/0/html
Sample SHA-256 hashes with analysis notes:
- 1f2603d894a386d018667354a660d22cf6317b31ba93b47711980b42bc82ac6f: does not change file names (extension-based detection misses this variant; look for the ransom note instead)
- 70406206c77dccf034d893495cfeac1cb89066375f57947dfdcf139a575e8663: dropper
- ae0d28e8d57329866624ec6cf63b9609fe9e685200029d3aa207eda67747fcd7: requires a C&C connection to run; when detonating offline the C&C can be emulated with FakeNet-NG
File Encryption Patterns
GlobeImposter renames each file it encrypts by appending an extension to the complete original name, so report.docx becomes report.docx.<extension>. The appended extension changes from campaign to campaign and frequently embeds the operator's contact e-mail address, which makes it a useful but short-lived indicator; at least one analyzed sample (see above) leaves file names unchanged, so the ransom note is the more reliable artifact.
Extensions observed appended to encrypted files:
..hotprice8
..SEXY+
..crypted_nakanishi@india_com
..Rooster4444
..[Zfile@Tuta.Io]
..write_us_on_email
..apk
..suddentax
..sea
..crypt
..[paradisecity@cock.li].arena
..pizdec
..FIX
..keepcalm
..FIXI
..vdul
..2cXpCihgsVxB3
..hNcrypt
..virginprotection
..oni
..707
..s1crypt
..au1crypt
..GOTHAM
..HAPP
..{asnaeb7@india.com}.BRT92
..725
..skunk
..mtk118
..coded
..astra
..492
..490
...txt
..rumblegoodboy
..0402
..4035
..trump
..{saruman7@india.com}.BRT92
..lock
..BUSH
..f1crypt
..clinTON
..nopasaran
..crypted_steffevendeng@post_com
..911
..f41o1
..foste
..MAKGR
..pliNGY
..PLIN
..POHU
..foster
..fuck
..Chartogy
..crypted_urid@aaathats3as.com
..CHAK
..LIN
....doc
..decoder
..crypted_yoshikada@cock_lu
..<lxgiwyl@india.com>.AK47
..btc
..{omnoomnoomf@aol.com}BIT
..TRUE
..[proof3200@tutanota.com]
..[kps228@yandex.com]
..kimchenyn
..SEXY
..PANDA
..{colin_farel@aol.com}BIT
..Ipcrestore
..deryptme
..abc
..doc
..arena
..wallet
...doc
..[jakartatv@india.com]
..MENTO$
..gif
..Nutella
..{GALAXYGUARDS@PROTONMAIL.COM}IQ
..blockchain
..waiting4keys
..crypted
..SEXY3
..[swon50@inbox.ru]
..xxxxx
..SKUNK+
..crypted_aoki@airmail_cc
...readme
..ihelperpc
..emilysupp
..billingsupp
..Alkohol
..BIG4+
..ONYX
..MARK
..BOOTY
..crypto
..BUNNY
..Gust
..irestorei
..STG
..[dsupport@protonmail.com]
..f49idjty
..siliconex
..[backfiles2018@qq.com].crypt
..FORESTGUST
...FORESTGUST
..ms
..crypted_okumura@firemail_cc
..{incredible0ansha@tuta.io}.ARA
..crypted_iwasaki@420blaze_it
..RESERVE
..crypted_agreciano@india_com
..[janetcurley]
..readme
..Ox4444
..crypted_bizarrio@pay4me_in
..write_me[supp_24_7@outlook.com]
..healforyou
..{Benjamin_Jack2811@aol.com}.AOL
..SATANA
..happycrypto
..writeme
..pptm
..ppam
..forcrypt
..crypted_luedtkis@feudtory_com
..ANAMI
..SAMBO
..ALCO
..Alco4444
..{mattpear@protonmail.com}MTP
..san
..[Coffix@Tuta.Io]
..{CALLMEGOAT@PROTONMAIL.COM}CMG
..crypt_sherhagdomski@godzym_bid
..IGAMI
..ciphered
..restorefiles666
..cryptopay12
..[velasquez.joeli@aol.com]
..Tiger4444
..tabufa
..eztop
..DOCM
..Pig4444
..{Killback@protonmail.com}KBK
..[blellockr@godzym.me].bkc
..SECURE
..[cartmelsutton@venom.io].crypt
..z1
..z1.crypt
..[lindsherrod@taholo.co].btc
..[frazeketcham@cnidia.com].eth
..luboversova148
..{dresdent@protonmail.com}DDT
..shelbyboom
..docx.[a.wyper@bejants.com].xrp
..makkonahi
..decrypt019
..[gustafkeach@johnpino.com].ad
..tanos
..gustafkeach@johnpino.ad
..bestdecoder
..Erenahen
..[a.wyper@bejants.com].xrp
..badday
..[sill@tuta.io]
..sanders4
..[kingsleygovan@krnas.com].crypt
..CILLA
..[ponce.lorena@aol.com]
..happythreechoose
..{indus37098@india.com}ZYX
..happychoose
..[taargo@olszyn.com].taargo
..[damerg@wothi.com].damerg
..ERROR
..MORT
..C4H
..xls
..crypted_monkserenen@tvstar_com
..lockis
..[Merlen@Keemail.Me]
..restore@goat.si
..Darkbit
..Globeimposter-Alpha865qqz
..[TorS@Tuta.Io]
..zuzya
..CC4H
..Dog4444
..Locked
..encrypt
..needdecrypt
..blscrypt
..Goat4444
..docx
..p1crypt
..restorefile@india.com
..exe
..KENS@TUTA.IO
..DREAM
..rose
...rtf
..A1crypt
..crypt(kippbrundell@magte.ch)
..crypt_SAN
..3ncrypt3d
..dcom
..ABDUL
..BONUM
..ocean
..crypted_yasuda@firemail_cc
..paycyka
..write_me_[btc2017@india.com]
..D2550A49BF52DFC23F2C013C5
..crypted_zerwix@airmail_cc
..stern
..crypted_uridzu@aaathats3as_com
..Globeimposter-Alpha666qqz
..bobelectron
..Dragon4444
..PPTX
..FIT
..Globeimposter-Zeta865qqz
..helpinc
Ransom Note and Payment Demands
After encrypting files, GlobeImposter drops a ransom note (HTML, HTA or text) demanding payment for file recovery. The note file names below have been observed; where the database has the note text and the drop location, they are given. "Every folder" means a copy is written into each directory that contains encrypted files; "Roaming" means the user's AppData\Roaming directory.
- Help Restore.hta (text: notes/Help Restore.hta; dropped in every folder)
- recover files.hta (text: notes/recover files.hta; dropped in every folder)
- read_it.txt (text: notes/read_it.txt; dropped in every folder)
- read-me.txt (text: notes/read-me.txt; dropped in every folder)
- how_to_back_files.html (text: notes/how_to_back_files.html; dropped in every folder)
- how_to_recover_files.html
- RECOVERY_DARKBIT.txt (text: notes/RECOVERY_DARKBIT.txt; dropped in every folder)
- Read___ME.html (text: notes/Read___ME.html; dropped in every folder)
- free_files!.html (text: notes/free_files!.html; dropped in every folder)
- HOW TO DECRYPT FILES.TXT
- !!!README!!!
- RECOVER-FILES.html (text: notes/RECOVER-FILES.html; dropped in every folder)
- MESSAGE.html (text: notes/MESSAGE.html; dropped in every folder)
- #HOW_DECRYPT_FILES#.html (text: notes/#HOW_DECRYPT_FILES#.html; dropped in every folder)
- $DECRYPT_YOUR_FILES$.html (text: notes/$DECRYPT_YOUR_FILES$.html; dropped in every folder)
- !back_files!.html (text: notes/!back_files!.html; dropped in every folder)
- here_your_files!.html (text: notes/here_your_files!.html; dropped in every folder)
- Read_Me.html (text: notes/Read_Me.html; dropped in every folder)
- !your_files!.html (text: notes/!your_files!.html; dropped in every folder)
- YOU_FILES_HERE.txt (text: notes/YOU_FILES_HERE.txt; dropped in every folder)
- !SOS!.html (text: notes/!SOS!.html; dropped in every folder)
- #DECRYPT_FILES#.html
- READ_IT.html (text: notes/READ_IT.html; dropped in every folder)
- Instructions.txt
- HELP.hta (text: notes/HELP.hta; dropped in Roaming)
- #HOU_DECRYPT_ALL#.html
- instruction.html
- FILES ENCRYPTED.html
- instructions.html (text: notes/instructions.html; dropped in every folder)
- READ_ME.txt (text: notes/READ_ME.txt; dropped in every folder)
- READ__ME.html (text: notes/READ__ME.html; dropped in every folder)
- FILES ENCRYPTED
- doc.html
- Как_вернуть_файлы.html (Russian: "How_to_return_files.html")
- HOW_TO_BACK_FILES.html
- Read_ME.html (text: notes/Read_ME.html; dropped in every folder)
- Read_For_Restore_File.html
- How to restore your files.hta
- HOW_TO_RECOVER_FILES.html
- $DECRYPT$.html
- How_to_decrypt_files.html
- Readme.html
- HOW_TO_BACK_FILES.txt (text: notes/HOW_TO_BACK_FILES.txt; dropped in every folder)
- support.html (text: notes/support.html; dropped in every folder)
- Restore-My-Files.txt (text: notes/Restore-My-Files.txt; dropped in every folder)
- how_to_back_files.htm
- HOW TO BACK YOUR FILES.txt
- DECRYPT FILES.TXT
- HOW_RECOVER.html (text: notes/HOW_RECOVER.html; dropped in every folder)
- !INSTRUCTI0NS!.TXT (text: notes/!INSTRUCTI0NS!.TXT; dropped in every folder)
- HOW TO BACK YOUR FILES.TXT
- decrypt_files.html
- HowToBackFiles.html
- how_to_open_files.html (text: notes/how_to_open_files.html; dropped in every folder)
- read_for_restore_file.html
- help you.txt (text: notes/help you.txt; dropped in every folder)
- Decryption INFO.html (text: notes/Decryption INFO.html; dropped in every folder)
- My_Files.txt
- !!!HOW_TO_BACK_FILES!!!.html (text: notes/!!!HOW_TO_BACK_FILES!!!.html; dropped in every folder)
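The appended-extension list and the ransom-note file names above are the two artifacts a responder can hunt for on a file share or an image without the sample in hand. The script below is an added example written for this page, not tooling from the page or from Elastio: it walks a directory tree, flags files whose full original name has a GlobeImposter extension appended, flags known note names, and grades each directory. It uses a representative subset of the page's extensions and note names; the demo tree it builds is constructed, not real victim data. Extensions that are also ordinary file types (.doc, .xls, .exe, .txt and the like appear in the page's list) are treated as weak evidence unless a note sits in the same directory, and a note with no renamed files still counts because one analyzed sample does not rename anything.

```python
"""Hunt a directory tree for GlobeImposter artifacts: appended extensions and
ransom-note file names. Added example for this page, not code from the page."""
import os
import tempfile

# Representative subset of the extensions listed on the page, single leading dot.
GLOBEIMPOSTER_EXTENSIONS = {
    ".crypt", ".707", ".725", ".492", ".490", ".arena", ".skunk", ".coded",
    ".astra", ".GOTHAM", ".HAPP", ".BRT92", ".pizdec", ".keepcalm", ".FIX",
    ".oni", ".s1crypt", ".au1crypt", ".f1crypt", ".p1crypt", ".A1crypt",
    ".nopasaran", ".trump", ".BUSH", ".clinTON", ".Rooster4444", ".Tiger4444",
    ".Dragon4444", ".Goat4444", ".Pig4444", ".Dog4444", ".Alco4444", ".Ox4444",
    ".Darkbit", ".Globeimposter-Alpha865qqz", ".Globeimposter-Alpha666qqz",
    ".Globeimposter-Zeta865qqz", ".taargo", ".damerg", ".xrp", ".eth", ".btc",
}
# Page extensions that are also ordinary file types: alone they would flag every
# legitimate .doc/.xls, so they only raise the verdict next to a ransom note.
AMBIGUOUS_EXTENSIONS = {".doc", ".docx", ".DOCM", ".xls", ".exe", ".gif",
                        ".txt", ".rtf", ".pptx", ".pptm", ".ppam"}
# Subset of the note names on the page, lower-cased for case-insensitive matching.
RANSOM_NOTE_NAMES = {
    "help restore.hta", "recover files.hta", "read_it.txt", "read-me.txt",
    "how_to_back_files.html", "how_to_recover_files.html", "recovery_darkbit.txt",
    "read___me.html", "free_files!.html", "how to decrypt files.txt", "!!!readme!!!",
    "recover-files.html", "message.html", "#how_decrypt_files#.html",
    "$decrypt_your_files$.html", "!back_files!.html", "here_your_files!.html",
    "read_me.html", "!your_files!.html", "you_files_here.txt", "!sos!.html",
    "#decrypt_files#.html", "read_it.html", "help.hta", "instructions.html",
    "read_me.txt", "read__me.html", "how_to_back_files.txt", "support.html",
    "restore-my-files.txt", "how_recover.html", "!instructi0ns!.txt",
    "how_to_open_files.html", "help you.txt", "decryption info.html",
    "!!!how_to_back_files!!!.html",
}
_ALL_EXTENSIONS = sorted(GLOBEIMPOSTER_EXTENSIONS | AMBIGUOUS_EXTENSIONS,
                         key=len, reverse=True)


def appended_extension(name):
    """Return the matching extension if *name* ends with one, else None.
    GlobeImposter appends to the complete original name, so 'report.docx.crypt'
    matches but a plain 'report.doc' does not: the part before the suffix must
    contain a dot or the ']' that closes a bracketed contact address."""
    lower = name.lower()
    for ext in _ALL_EXTENSIONS:
        if lower.endswith(ext.lower()) and len(name) > len(ext):
            stem = name[:-len(ext)]
            if "." in stem or "]" in stem:
                return ext
    return None


def scan_tree(root):
    """Walk *root*; return {dir: {'notes', 'strong', 'ambiguous'}} for every
    directory holding at least one indicator."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        notes, strong, ambiguous = [], [], []
        for fn in filenames:
            if fn.lower() in RANSOM_NOTE_NAMES:
                notes.append(fn)
                continue
            ext = appended_extension(fn)
            if ext is not None:
                (ambiguous if ext in AMBIGUOUS_EXTENSIONS else strong).append(fn)
        if notes or strong or ambiguous:
            findings[dirpath] = {"notes": notes, "strong": strong, "ambiguous": ambiguous}
    return findings


def verdict(entry):
    """Grade one directory: a note beside renamed files is conclusive; a note alone
    covers the variant that keeps file names; ambiguous-only is nearly always benign."""
    if entry["notes"] and (entry["strong"] or entry["ambiguous"]):
        return "confirmed"
    if entry["notes"] or len(entry["strong"]) >= 2:
        return "likely"
    return "possible" if entry["strong"] else "weak"


def summarize(root):
    """Map each flagged directory (relative to *root*) to its verdict."""
    return {os.path.relpath(d, root): verdict(e) for d, e in scan_tree(root).items()}


def build_demo_tree():
    """Create a temporary tree of constructed file names (not real samples)."""
    root = tempfile.mkdtemp(prefix="globeimposter_demo_")
    layout = {
        "finance": ["Q3.xlsx.crypt", "budget.docx.crypt", "how_to_back_files.html"],
        "hr": ["cv.pdf.[paradisecity@cock.li].arena", "policy.docx.[paradisecity@cock.li].arena"],
        "legacy": ["minutes.2019.doc"],          # ambiguous extension, no note
        "clean": ["notes.txt", "report.doc", "archive.tar.gz"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for n in names:
            with open(os.path.join(root, sub, n), "wb") as fh:
                fh.write(b"x")
    return root


if __name__ == "__main__":
    for d, grade in sorted(summarize(build_demo_tree()).items()):
        print(f"{grade:9s} {d}")
```

Run it as-is to see the demo tree graded (finance: confirmed, hr: likely, legacy: weak, clean: not reported), or point summarize() at a mounted share. For real hunting, load the page's full extension and note lists instead of the subsets embedded here, and treat a "likely" directory as a trigger to pull the file modification times, which give the encryption start time for the incident timeline.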
Technical Indicators
Associated Executable Files
The following file names have been recorded for GlobeImposter droppers and payloads in sandbox submissions. Many are arbitrary, and the dated .scr screensaver executables and the .vbs script are consistent with e-mail attachment lures. Several names collide with legitimate Windows or vendor binaries (svchost.exe, conhost.exe, cmd.exe, winlogon.exe, ChromeSetup.exe), and some are mis-encoded Cyrillic names as recorded by the sandbox, so a name alone is not evidence: match on the sample hash, the signature status and the path the file runs from.
cyber_chinya.exe
подтверждение.exe
gen_vk.exe
2-0.5.exe
oni.exe
oni.exe_org
9b.exe
d104.exe
kqhtzxaerb.exe
StandardSignals
Shown
spacelol.kaf_decrypted
???? - ????? ????????.scr
DOCU11072017 - ?????.scr
Июль - новый документ.scr
Копия за июль.scr
DOCU11072017 - копия.scr
file.scr
Июль - новый документ.scr
- .scr
Trojan.Ransom.GlobeImposter.exe
Purgen.exe
GlobeImposter_Gotham_Variant.exe
svchost.exe
globeimposter_gotham_variant.exe
GlobeImposter_Happ_or_Crypt_Variant.exe
PascalABCNET.exe
26591.exe
executable.exe
HPLaserJetService.exe
globe.exe
3
3.2
INV-000342.vbs
System.exe
1.dat
113810.exe
174394.exe
1.dat.exe
Modifiable Irqs
Interl thesaurus service.exe
30.exe
30.11.2017.scr
30 ???????.scr
2.exe
30 .scr
30 октября.scr
globeimposter.exe
1.exe
moi_09_11_2017.exe
chess.exe.old
chess.exe
GlobeImposter.exe
06c82e99.gxe
UYTd46732
UYTd46732.exe
06.12.17.scr
06.12.17 ?????.scr
06.12.scr
tOldHSYW
file.exe
rWRCCRTqJ2.exe
tOldHSYW.exe
a (144).exe
virus (110).exe
3c701aa9.gxe
myfile.exe
toldhsyw.exe
Nbd
22 ??????.scr~.~VIRUS~
22 ??????.scr
22 января 2018.scr
22 янв.scr
22 ???????????.scr
22 янв.xxx
22 янв.scr (3)
22 ?????? 2018.scr
22 .scr
22 ???.scr
64secondmix.exe
service_viewer.exe
IntelManagerService.exe
suspect01.exe
Resume.doc.bin
conhost.exe
cmd
Intel Core Update.exe
globeimposter
SEXY3.EXE
勒索.exe
test_v.doc
svhost.exe
font.bin
font.exe
1anami2.exe
abat.exe
cmd.exe
_ski_.exe
BulkFileChanger
BulkFileChanger.exe
43755.exe_
graf
Graf_b2.exe
velasquez.joeli.exe
TlJjg.bin
rdfg546fgh.exe
dplaysvr.exe
ChromeSetup.exe
9CXZLII4.exe
_lio_.exe
DJ0507.EXE
tanos.exe
Erenahen.exe
_gke_.exe
_ayr_.exe
d_upd1008.exe
SYSTEM.EXE
lorena.bin
HAPPYTHREE.EXE
_aro.exe
__aro.bin
lockisdog.bin
lockisdog.exe
_yosKa4_.exe
IntelTheasurusService.exe
lock.exe
HAPPYTHREE.EXE.exe
winlogon.exe
bit.exe
sb_373999_bs
8curse.exe
重要書類.exe
darkbit.exe
Tenorshare 4mekeyy.exe
wlnlogon.exe
TuRKey_RanSOmWarE.exe
System.ini.exe
TuRKey_RanSOmWarE.bin
Netflorist Coupon Generator.exe
Netflorist.exe
f0l883C310jlvRp.exe
clown.exe
ETH 200.exe
sql_service.exe
software.exe
star.exe
1[1].dat
apkcrypt.exe
zmt.exe
rooster4444.exe
xrzrgjts.exe
ADOBE ACROBAT UPDATE SERVICE.EXE
FastEncrypt.EXE
_nak_.exe
Recovery and Decryption Tools
No decryption tool is listed for GlobeImposter in this database (0 entries). Recovery therefore depends on restoring from offline or immutable backups taken before the encryption start time.
Elastio Can Help You
Don't let GlobeImposter ransomware take over your data
Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.
About This Analysis
This GlobeImposter ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like GlobeImposter.
Last updated: July 30, 2025