GlobeImposter Ransomware

GlobeImposter is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on December 1, 2016, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Fake Globe, GlobeImposter NextGen, FakeGlobeImposter, GlobeImposterImitator.

Quick facts

Ransomware Family: GlobeImposter
First Seen: December 1, 2016
Known Aliases: Fake Globe, GlobeImposter NextGen, FakeGlobeImposter, GlobeImposterImitator

How GlobeImposter ransomware works

File encryption patterns

GlobeImposter modifies encrypted files using specific patterns to mark them as encrypted:

Extensions added after encryption

Ransom note and payment demands

After encrypting files, GlobeImposter displays ransom notes demanding payment for file recovery:

Help Restore.hta (Location: EveryFolder)
recover files.hta (Location: EveryFolder)
read_it.txt (Location: EveryFolder)
read-me.txt (Location: EveryFolder)
how_to_back_files.html (Location: EveryFolder)
how_to_recover_files.html
RECOVERY_DARKBIT.txt (Location: EveryFolder)
Read___ME.html (Location: EveryFolder)
free_files!.html (Location: EveryFolder)
HOW TO DECRYPT FILES.TXT
!!!README!!!
RECOVER-FILES.html (Location: EveryFolder)
MESSAGE.html (Location: EveryFolder)
#HOW_DECRYPT_FILES#.html (Location: EveryFolder)
$DECRYPT_YOUR_FILES$.html (Location: EveryFolder)
!back_files!.html (Location: EveryFolder)
here_your_files!.html (Location: EveryFolder)
Read_Me.html (Location: EveryFolder)
!your_files!.html (Location: EveryFolder)
YOU_FILES_HERE.txt (Location: EveryFolder)
!SOS!.html (Location: EveryFolder)
#DECRYPT_FILES#.html
READ_IT.html (Location: EveryFolder)
Instructions.txt
HELP.hta (Location: Roaming)
#HOU_DECRYPT_ALL#.html
instruction.html
FILES ENCRYPTED.html
instructions.html (Location: EveryFolder)
READ_ME.txt (Location: EveryFolder)
READ__ME.html (Location: EveryFolder)
FILES ENCRYPTED
doc.html
Как_вернуть_файлы.html
HOW_TO_BACK_FILES.html
Read_ME.html (Location: EveryFolder)
Read_For_Restore_File.html
How to restore your files.hta
HOW_TO_RECOVER_FILES.html
$DECRYPT$.html
How_to_decrypt_files.html
Readme.html
HOW_TO_BACK_FILES.txt (Location: EveryFolder)
support.html (Location: EveryFolder)
Restore-My-Files.txt (Location: EveryFolder)
how_to_back_files.htm
HOW TO BACK YOUR FILES.txt
DECRYPT FILES.TXT
HOW_RECOVER.html (Location: EveryFolder)
!INSTRUCTI0NS!.TXT (Location: EveryFolder)
HOW TO BACK YOUR FILES.TXT
decrypt_files.html
HowToBackFiles.html
how_to_open_files.html (Location: EveryFolder)
read_for_restore_file.html
help you.txt (Location: EveryFolder)
Decryption INFO.html (Location: EveryFolder)
My_Files.txt
!!!HOW_TO_BACK_FILES!!!.html (Location: EveryFolder)

Technical indicators

Associated executable files

The following executable files are associated with GlobeImposter ransomware:

Recovery and decryption tools

Decryption tools may be available for GlobeImposter. Review the resources below:

About this analysis

This GlobeImposter ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery, helping organizations defend against and recover from ransomware attacks like GlobeImposter.

Last updated: December 30, 2025

Detection coverage

Elastio detects GlobeImposter inside your data and backups.

The Hunt Engine uses Deep File Inspection to identify GlobeImposter across live data, replicated data, and backups. If this family is in your environment, Elastio finds it before encryption completes. Run a scan against your recovery points to confirm.
