Globeimposter 2.0 Ransomware

Globeimposter 2.0 Ransomware is a severe threat to your important files as it can encrypt them and extort a lot of money from you for releasing them. As its name suggests, this malicious program is indeed the second version of Globeimposter Ransomware that was actually based on Globe Ransomware. Although the first version was soon hacked by malware specialists and a free decryption tool was published, this new variant seems to be quite devastating still. In fact, we have found that there could be a couple of versions on the web already with different extensions added and different ransom notes asking for insane amount of ransom fees in certain cases. All in all, if you are infected with this beast, it is possible that you will never see or use your precious files again unless, of course, you have a backup on a removable drive or in cloud storage. We highly recommend that you remove Globeimposter 2.0 Ransomware immediately after you notice its work on your PC.

The main method of distribution seems to be spamming campaigns, which is a method preferred by many cyber crooks as they can reach a great number of potential victims in no time really. Such a spam mail can appear to be totally normal and authentic; in fact, it may make you feel and believe that you are dealing with an important mail that you need to open ASAP and also check out its attachment. As a matter of fact, this attached file is the malicious executable that may pose as an image or text document. Once you run this file to view its supposed content, you would simply start up this malicious attack and your files will be encrypted before you could delete Globeimposter 2.0 Ransomware without the risk of losing them all. This is why you need to be much more careful when deciding to open a mail or an attachment, or not. Whenever in doubt, we suggest that you reply the e-mail and figure out whether it was really meant for you personally.

Another ways to infect your computer with such a dangerous threat include Exploit Kits and malicious software bundles. It is possible that you end up on a malicious webpage that was created by using Exploit Kits after you click on unsafe third-party ads. You could be exposed to such advertisements when you are visiting suspicious websites (torrent, shareware, gambling, and gaming pages) or when your PC is infected with adware programs or browser hijackers. Sometimes even potentially unwanted programs can display unreliable ads or redirect you to questionable websites. All in all, you need to be very careful where you click if your computer is not protected by automated security software. What you can also do and should do is keep your browsers and drivers (Java and Adobe Flash) always up-to-date because that is the only way to avoid an attack by Exploit Kits. It is also important to mention that you do not even need to engage with any content on a malicious page that is built with such a kit because the drop of the infection is triggered the moment the page is loaded in your browser. Remember that removing Globeimposter 2.0 Ransomware does not recover your files, which means that you may lose all encrypted files if you do not have a backup.

This dangerous ransomware is known to apply the AES algorithm to encrypt your files. It targets over 30 file types, so you could lose all your photos, documents, and archives in no time really. As we have already said there seem to be different versions of this threat and these may use different extensions to add to your encrypted files, including .725, .bad, .rose, .skunk, and .pizdec. We have found that the ransom fee as well as the ransom notes can also be different. So you may find "how_to_open_files.html" or "RECOVER-FILES.html" on your computer. This malware infection also makes changes to your Windows Registry by removing entries from the Remote Desktop Connection: “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default” and “HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers.”

This ransomware can connect to one of many Command and Control (C&C) servers, including 121-psychic-reading.co.uk/rf734rgf, 1888titlework.com/rf734rgf, and 2010.sggt-wh.de/rf734rgf. As per the ransom note, you can send one file as proof that these crooks can decrypt your files. Depending on the version that has attacked you, you may be asked to transfer 0.3 BTC (around 1,300 USD) to the given Bitcoin address. If you fail to transfer within 2 days, the amount soars up to 0.6 BTC (around 2,600 USD). The other version may demand as high as 10 BTC for the decryption key, which is an insane 43,400 USD, so it is most likely that this version is targeting corporations since no private user would possibly have that kind of money to pay. In any case, we do not advise you to pay or contact these criminals because it rarely ends well for victims of ransomware. We recommend that you remove Globeimposter 2.0 Ransomware as soon as possible.

If you want to take matters into your own hands, you can use our guide below this report. As you can see now, it is quite easy to get infected with even such a dangerous malware program. You can try to be more cautious while surfing the web or checking your mails but real peace of mind comes when you actually install a proper malware removal tool, such as SpyHunter. But even if you protect your PC with such automated security software, we advise you to always keep all your programs and drivers updated for best protection possible.

How to remove Globeimposter 2.0 Ransomware from Windows

1. Press Win+E.
2. Locate and delete all malicious files you have downloaded recently.
3. Delete “%PUBLIC%\{random name}.exe” that may have a name like “72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe”
4. Empty your Recycle Bin.
5. Press Win+R and type regedit. Click OK.
6. Delete “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\CertificatesCheck” registry value name where the value data is “C:\Users\Public\72ddceebe717992c1486a2d5a5e9e20ad331a98a146d2976c943c983e088f66b.exe” (it can be a random-name .exe)
7. Close the editor.
8. Restart your computer.