Ransomware Research
GlobeImposter Ransomware
GlobeImposter is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on December 1, 2016, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Fake Globe, GlobeImposter NextGen, FakeGlobeImposter, GlobeImposterImitator.
Quick Facts
- Ransomware Family
- GlobeImposter
- First Seen
- December 1, 2016
- Known Aliases
- Fake GlobeGlobeImposter NextGenFakeGlobeImposterGlobeImposterImitator
How GlobeImposter Ransomware Works
File Encryption Patterns
GlobeImposter modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
..hotprice8..SEXY+..crypted_nakanishi@india_com..Rooster4444..[Zfile@Tuta.Io]..write_us_on_email..apk..suddentax..sea..crypt..[paradisecity@cock.li].arena..pizdec..FIX..keepcalm..FIXI..vdul..2cXpCihgsVxB3..hNcrypt..virginprotection..oni..707..s1crypt..au1crypt..GOTHAM..HAPP..{asnaeb7@india.com}.BRT92..725..skunk..mtk118..coded..astra..492..490...txt..rumblegoodboy..0402..4035..trump..{saruman7@india.com}.BRT92..lock..BUSH..f1crypt..clinTON..nopasaran..crypted_steffevendeng@post_com..911..f41o1..foste..MAKGR..pliNGY..PLIN..POHU..foster..fuck..Chartogy..crypted_urid@aaathats3as.com..CHAK..LIN....doc..decoder..crypted_yoshikada@cock_lu..<lxgiwyl@india.com>.AK47..btc..{omnoomnoomf@aol.com}BIT..TRUE..[proof3200@tutanota.com]..[kps228@yandex.com]..kimchenyn..SEXY..PANDA..{colin_farel@aol.com}BIT..Ipcrestore..deryptme..abc..doc..arena..wallet...doc..[jakartatv@india.com]..MENTO$..gif..Nutella..{GALAXYGUARDS@PROTONMAIL.COM}IQ..blockchain..waiting4keys..crypted..SEXY3..[swon50@inbox.ru]..xxxxx..SKUNK+..crypted_aoki@airmail_cc...readme..ihelperpc..emilysupp..billingsupp..Alkohol..BIG4+..ONYX..MARK..BOOTY..crypto..BUNNY..Gust..irestorei..STG..[dsupport@protonmail.com]..f49idjty..siliconex..[backfiles2018@qq.com].crypt..FORESTGUST...FORESTGUST..ms..crypted_okumura@firemail_cc..{incredible0ansha@tuta.io}.ARA..crypted_iwasaki@420blaze_it..RESERVE..crypted_agreciano@india_com..[janetcurley]..readme..Ox4444..crypted_bizarrio@pay4me_in..write_me[supp_24_7@outlook.com]..healforyou..{Benjamin_Jack2811@aol.com}.AOL..SATANA..happycrypto..writeme..pptm..ppam..forcrypt..crypted_luedtkis@feudtory_com..ANAMI..SAMBO..ALCO..Alco4444..{mattpear@protonmail.com}MTP..san..[Coffix@Tuta.Io]..{CALLMEGOAT@PROTONMAIL.COM}CMG..crypt_sherhagdomski@godzym_bid..IGAMI..ciphered..restorefiles666..cryptopay12..[velasquez.joeli@aol.com]..Tiger4444..tabufa..eztop..DOCM..Pig4444..{Killback@protonmail.com}KBK..[blellockr@godzym.me].bkc..SECURE..[cartmelsutton@venom.io].crypt..z1..z1.crypt..[lindsherrod@taholo.co].btc..[frazeketcham@cnidia.com].eth..luboversova148..{dresdent@protonmail.com}DDT..shelbyboom..docx.[a.wyper@bejants.com].xrp..makkonahi..decrypt019..[gustafkeach@johnpino.com].ad..tanos..gustafkeach@johnpino.ad..bestdecoder..Erenahen..[a.wyper@bejants.com].xrp..badday..[sill@tuta.io]..sanders4..[kingsleygovan@krnas.com].crypt..CILLA..[ponce.lorena@aol.com]..happythreechoose..{indus37098@india.com}ZYX..happychoose..[taargo@olszyn.com].taargo..[damerg@wothi.com].damerg..ERROR..MORT..C4H..xls..crypted_monkserenen@tvstar_com..lockis..[Merlen@Keemail.Me]..restore@goat.si..Darkbit..Globeimposter-Alpha865qqz..[TorS@Tuta.Io]..zuzya..CC4H..Dog4444..Locked..encrypt..needdecrypt..blscrypt..Goat4444..docx..p1crypt..restorefile@india.com..exe..KENS@TUTA.IO..DREAM..rose...rtf..A1crypt..crypt(kippbrundell@magte.ch)..crypt_SAN..3ncrypt3d..dcom..ABDUL..BONUM..ocean..crypted_yasuda@firemail_cc..paycyka..write_me_[btc2017@india.com]..D2550A49BF52DFC23F2C013C5..crypted_zerwix@airmail_cc..stern..crypted_uridzu@aaathats3as_com..Globeimposter-Alpha666qqz..bobelectron..Dragon4444..PPTX..FIT..Globeimposter-Zeta865qqz..helpincRansom Note and Payment Demands
After encrypting files, GlobeImposter displays ransom notes demanding payment for file recovery:
Help Restore.htaRansom message:
notes/Help Restore.hta
Note locations:
EveryFolderrecover files.htaRansom message:
notes/recover files.hta
Note locations:
EveryFolderread_it.txtRansom message:
notes/read_it.txt
Note locations:
EveryFolderread-me.txtRansom message:
notes/read-me.txt
Note locations:
EveryFolderhow_to_back_files.htmlRansom message:
notes/how_to_back_files.html
Note locations:
EveryFolderhow_to_recover_files.htmlRECOVERY_DARKBIT.txtRansom message:
notes/RECOVERY_DARKBIT.txt
Note locations:
EveryFolderRead___ME.htmlRansom message:
notes/Read___ME.html
Note locations:
EveryFolderfree_files!.htmlRansom message:
notes/free_files!.html
Note locations:
EveryFolderHOW TO DECRYPT FILES.TXT!!!README!!!RECOVER-FILES.htmlRansom message:
notes/RECOVER-FILES.html
Note locations:
EveryFolderMESSAGE.htmlRansom message:
notes/MESSAGE.html
Note locations:
EveryFolder#HOW_DECRYPT_FILES#.htmlRansom message:
notes/#HOW_DECRYPT_FILES#.html
Note locations:
EveryFolder$DECRYPT_YOUR_FILES$.htmlRansom message:
notes/$DECRYPT_YOUR_FILES$.html
Note locations:
EveryFolder!back_files!.htmlRansom message:
notes/!back_files!.html
Note locations:
EveryFolderhere_your_files!.htmlRansom message:
notes/here_your_files!.html
Note locations:
EveryFolderRead_Me.htmlRansom message:
notes/Read_Me.html
Note locations:
EveryFolder!your_files!.htmlRansom message:
notes/!your_files!.html
Note locations:
EveryFolderYOU_FILES_HERE.txtRansom message:
notes/YOU_FILES_HERE.txt
Note locations:
EveryFolder!SOS!.htmlRansom message:
notes/!SOS!.html
Note locations:
EveryFolder#DECRYPT_FILES#.htmlREAD_IT.htmlRansom message:
notes/READ_IT.html
Note locations:
EveryFolderInstructions.txtHELP.htaRansom message:
notes/HELP.hta
Note locations:
Roaming#HOU_DECRYPT_ALL#.htmlinstruction.htmlFILES ENCRYPTED.htmlinstructions.htmlRansom message:
notes/instructions.html
Note locations:
EveryFolderREAD_ME.txtRansom message:
notes/READ_ME.txt
Note locations:
EveryFolderREAD__ME.htmlRansom message:
notes/READ__ME.html
Note locations:
EveryFolderFILES ENCRYPTEDdoc.htmlКак_вернуть_файлы.htmlHOW_TO_BACK_FILES.htmlRead_ME.htmlRansom message:
notes/Read_ME.html
Note locations:
EveryFolderRead_For_Restore_File.htmlHow to restore your files.htaHOW_TO_RECOVER_FILES.htmldoc.html$DECRYPT$.htmlHow_to_decrypt_files.htmlReadme.htmlHOW_TO_BACK_FILES.txtRansom message:
notes/HOW_TO_BACK_FILES.txt
Note locations:
EveryFoldersupport.htmlRansom message:
notes/support.html
Note locations:
EveryFolderRestore-My-Files.txtRansom message:
notes/Restore-My-Files.txt
Note locations:
EveryFolderhow_to_back_files.htmHOW TO BACK YOUR FILES.txtDECRYPT FILES.TXTHOW_RECOVER.htmlRansom message:
notes/HOW_RECOVER.html
Note locations:
EveryFolder!INSTRUCTI0NS!.TXTRansom message:
notes/!INSTRUCTI0NS!.TXT
Note locations:
EveryFolderHOW TO BACK YOUR FILES.TXTdecrypt_files.htmlHowToBackFiles.htmlhow_to_open_files.htmlRansom message:
notes/how_to_open_files.html
Note locations:
EveryFolderread_for_restore_file.htmlhelp you.txtRansom message:
notes/help you.txt
Note locations:
EveryFolderDecryption INFO.htmlRansom message:
notes/Decryption INFO.html
Note locations:
EveryFolderMy_Files.txt!!!HOW_TO_BACK_FILES!!!.htmlRansom message:
notes/!!!HOW_TO_BACK_FILES!!!.html
Note locations:
EveryFolderTechnical Indicators
Associated Executable Files
The following executable files are associated with GlobeImposter ransomware:
cyber_chinya.exeподтверждение.exegen_vk.exe2-0.5.exeoni.exeoni.exe_org9b.exed104.exekqhtzxaerb.exeStandardSignalsShownspacelol.kaf_decrypted???? - ????? ????????.scrDOCU11072017 - ?????.scrИюль - новый документ.scrКопия за июль.scrDOCU11072017 - копия.scrfile.scrИюль - новый документ.scr- .scrTrojan.Ransom.GlobeImposter.exePurgen.exeGlobeImposter_Gotham_Variant.exesvchost.exeglobeimposter_gotham_variant.exeGlobeImposter_Happ_or_Crypt_Variant.exePascalABCNET.exe26591.exeexecutable.exeHPLaserJetService.exeglobe.exe33.2INV-000342.vbsSystem.exe1.dat113810.exe174394.exe1.dat.exeModifiable IrqsInterl thesaurus service.exe30.exe30.11.2017.scr30 ???????.scr2.exe30 .scr30 октября.scrglobeimposter.exe1.exemoi_09_11_2017.exechess.exe.oldchess.exeGlobeImposter.exe06c82e99.gxeUYTd46732UYTd46732.exe06.12.17.scr06.12.17 ?????.scr06.12.scrtOldHSYWfile.exerWRCCRTqJ2.exetOldHSYW.exea (144).exevirus (110).exe3c701aa9.gxemyfile.exetoldhsyw.exeNbd22 ??????.scr~.~VIRUS~22 ??????.scr22 января 2018.scr22 янв.scr22 ???????????.scr22 янв.xxx22 янв.scr (3)22 ?????? 2018.scr22 .scr22 ???.scr64secondmix.exeservice_viewer.exeIntelManagerService.exesuspect01.exeResume.doc.binconhost.execmdIntel Core Update.exeglobeimposterSEXY3.EXE勒索.exetest_v.docsvhost.exefont.binfont.exe1anami2.exeabat.execmd.exe_ski_.exeBulkFileChangerBulkFileChanger.exe43755.exe_grafGraf_b2.exevelasquez.joeli.exeTlJjg.binrdfg546fgh.exedplaysvr.exeChromeSetup.exe9CXZLII4.exe_lio_.exeDJ0507.EXEtanos.exeErenahen.exe_gke_.exe_ayr_.exed_upd1008.exeSYSTEM.EXElorena.binHAPPYTHREE.EXE_aro.exe__aro.binlockisdog.binlockisdog.exe_yosKa4_.exeIntelTheasurusService.exelock.exeHAPPYTHREE.EXE.exewinlogon.exebit.exesb_373999_bs8curse.exe重要書類.exedarkbit.exeTenorshare 4mekeyy.exewlnlogon.exeTuRKey_RanSOmWarE.exeSystem.ini.exeTuRKey_RanSOmWarE.binNetflorist Coupon Generator.exeNetflorist.exef0l883C310jlvRp.execlown.exeETH 200.exesql_service.exesoftware.exestar.exe1[1].datapkcrypt.exezmt.exerooster4444.exexrzrgjts.exeADOBE ACROBAT UPDATE SERVICE.EXEFastEncrypt.EXE_nak_.exe
Recovery and Decryption Tools
Good news! Decryption tools are available for GlobeImposter ransomware:
0
Elastio Can Help You
Don't let GlobeImposter ransomware take over your data
Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.
About This Analysis
This GlobeImposter ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like GlobeImposter.
Last updated: October 30, 2025
Recent Ransomware
Explore other threats in our database