GlobeImposter Ransomware

Also Known As: GlobeImposter virus
Distribution: Moderate
Damage level: Severe

GlobeImposter ransomware removal instructions

What is GlobeImposter?

GlobeImposter is a ransomware-type virus that mimics Purge (Globe) ransomware. Following infiltration, GlobeImposter encrypts various files and appends one of the following extensions to the name of each encrypted file: ".[Traher@Dr.Com]", ".Nutella", ".encencenc", ".DIZEL", ".Codificado", ".Ipcrestore", ".PANDA", ".BIG1", ".SEXY", ".kimchenyn", ".AK47", ".rrr", "...doc", ".restorefile", ".CHAK", ".LIN", ".Chartogy", ".POHU", ".crypt_fereangos@airmail_cc", ".{jeepdayz@aol.com}BIT", ".TRUE", ".VYA", ".pliNGY", ".ñ1crypt", ".foSTE", ".YAYA", ".nWcrypt", ".needkeys", ".490", ".4035", ".f41o1", ".911", ".clinTON", "..txt", ".BUSH", ".illNEST", ".write_on_email", ".needdecrypt", ".ReaGAN", ".zuzya", ".granny", ".UNLIS", ".LEGO", ".NIGGA", ".0402", ".trump", ".BONUM", ".rumblegoodboy", ".ACTUM", ".492", ".astra", ".coded", ".mtk118", ".cryptch", ".PLIN", ".sea", ".help", "..726", ".RECT", ".ocean", ".rose", ".GLAD", ".725", ".[tramkal@protonmail.ch]cryptall", ".write_me_[btc2017@india.com]", ".BRT92", "p1crypt", ".MAKB", ".skunk", ".au1crypt", ".GOTHAM", ".s1crypt", ".GORO", ".707", ".3ncrypt3d", ".626", ".blcrypt", ".blscrypt", ".nopasaran", ".xyrpottim228@ya.ru", ".VAPE", ".crypt", ".pscrypt", ".oni", ".pizdosik", ".[File-Help1@Ya.Ru]", ".[aezakmi@india.com]", ".GRAF", ".fix", ".virginprotection", ".WRITE_US", ".MIXI", ".HAPP", ".troy", ".write_us_on_email", ".PRIAPOS", ".515", ".nCrypt", ".hNcrypt", ".medal", ".paycyka", ".2cXpCihgsVxB3", ".vdul", ".keepcalm", ".legally", ".wallet" or ".pizdec". For example, "sample.jpg" is renamed to "sample.jpg.crypt". Following successful encryption, GlobeImposter creates an HTA file ("HOW_OPEN_FILES.hta"), placing it in each folder containing encrypted files. Some newer variants of this ransomware store their ransom-demand message in how_to_back_files.html, READ_this_FILE.html, Read_ME.html, !SOS!.html, here_your_files!.html, !back_files!.html, #DECRYPT_FILES#.html, READ_IT.html or !your_files!.html files. In addition, GlobeImposter opens a pop-up window.
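The indicators listed above (an extension appended to the full original file name, plus a ransom note dropped in each affected folder) can be checked with a short triage script. This is an added example, not code from the original page: the extension tuple is only a subset of the list above, and the function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

# Ransom-note file names listed on this page (compared case-insensitively).
NOTE_NAMES = {n.lower() for n in (
    "HOW_OPEN_FILES.hta", "how_to_back_files.html", "READ_this_FILE.html",
    "Read_ME.html", "!SOS!.html", "here_your_files!.html", "!back_files!.html",
    "#DECRYPT_FILES#.html", "READ_IT.html", "!your_files!.html")}

# Subset of the appended extensions listed on this page; extend as needed.
APPENDED_EXTS = tuple(e.lower() for e in (
    ".crypt", ".707", ".troy", ".pscrypt", ".hNcrypt", ".keepcalm",
    ".PRIAPOS", "..txt", "...doc", ".[Traher@Dr.Com]"))


def classify(filename):
    """Return 'note', 'encrypted' or None for one file name."""
    low = filename.lower()
    if low in NOTE_NAMES:
        return "note"
    for ext in APPENDED_EXTS:
        # The marker is appended to the full name ("sample.jpg.crypt"): require
        # a stem with its own extension, so a plain "notes.crypt" is skipped.
        if low.endswith(ext) and "." in low[:-len(ext)].strip("."):
            return "encrypted"
    return None


def scan(root):
    """Walk root and return {folder: Counter} for folders with indicators."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        counts = Counter(kind for kind in map(classify, files) if kind)
        if counts:
            hits[folder] = counts
    return hits


def demo():
    """Scan a constructed sample tree (not real infection data)."""
    layout = {"docs": ["sample.jpg.crypt", "budget.xlsx..txt", "HOW_OPEN_FILES.hta"],
              "clean": ["report.txt", "notes.crypt"]}
    with tempfile.TemporaryDirectory() as root:
        for sub, names in layout.items():
            os.makedirs(os.path.join(root, sub))
            for name in names:
                open(os.path.join(root, sub, name), "w").close()
        return {os.path.basename(f): dict(c) for f, c in scan(root).items()}
```

A folder that reports both a note and renamed files matches the pattern described above; requiring a double extension trades a few missed files (originals that had no extension) for fewer false positives.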

The HTA file contains the ransom-demand message. The message is short compared with those of other ransomware-type viruses and simply states that files are encrypted and that a ransom of 1 Bitcoin (~$925) must be paid to restore them. Other ransomware provides detailed information such as the type of encryption algorithm (symmetric/asymmetric) used, payment time frame, decryption instructions, etc.; GlobeImposter's message does not. Therefore, it is currently unknown what type of cryptography GlobeImposter uses. In any case, decryption without a unique key is impossible. Cyber criminals store this key on a remote server and victims are encouraged to pay for it. Despite these demands, you should never trust these people. Research shows that cyber criminals often ignore victims, despite submitted payments. Paying does not guarantee that your files will ever be decrypted. You are strongly advised to ignore all requests to pay or contact these people; paying or contacting them only supports their malicious businesses. Fortunately, Emsisoft has developed a tool capable of decrypting files compromised by GlobeImposter (download link below) and there is no need to pay any ransom. If, however, your computer has been infected with undecryptable ransomware, the problem can only be resolved by restoring your files/system from a backup.

Screenshot of a message encouraging users to pay a ransom to decrypt their compromised data:


There are dozens of ransomware-type viruses similar to GlobeImposter, including Satan, Cerber, and HakunaMatata; these are just some examples from many. All have identical behavior: they encrypt files and make ransom demands. There are just two major differences between them: 1) the type of cryptography used, and 2) the size of the ransom. Distribution methods are also identical. Criminals proliferate ransomware-type malware using spam emails (malicious attachments), peer-to-peer (P2P) networks (torrents, eMule, etc.), third party software download sources (free file hosting and freeware download websites, etc.), fake software updaters, and trojans. Therefore, be very cautious when opening files received from suspicious/unrecognizable emails and when downloading software from unofficial sources.

Keeping your installed applications up-to-date and using a legitimate anti-virus/anti-spyware suite is also essential. Note, however, that cyber criminals often use third party update tools to exploit software bugs/flaws and infect the system. Therefore, update your applications only using official updaters. The key to computer safety is caution.

Ransom-demand message:

Your files are encrypted!
All your important data has been encrypted.
To recover data you need decryptor.
To get the decryptor you should:
pay for decrypt:
site for buy bitcoin:
Buy 1 BTC on one of theses site:
1. localbitcoins.com
2. coinbase.com
3. xchange.cc


Bitcoin address to pay: 16G8L4oJs87e7kACZ6W4PNZLsXAkxxXsuWe
Send 1 BTC for decrypt. After the payment: Send screenshot of payment to sendmebtc@india.com, byd@india.com. In the letter include your personal ID (look at the beginning of this document). After you will receive a decryptor and instructions. Attention! No Payment = No decryption. You really get the decryptor after payment. Do not attempt to remove the program or run the anti-virus tools. Attempts to self-decrypting files will result in the loss of your data. Decoders other users are not compatible with your data, because each user’s unique encryption key.

Variants and artifacts shown in screenshots:

  • A variant using the .707 extension for encrypted files
  • The appearance of the GlobeImposter ransomware Tor website
  • A variant using the .troy extension for encrypted files
  • A variant using the .pscrypt extension for encrypted files
  • A variant using the “chines34@protonmai.ch” email address and the “.crypt” extension for encrypted files
  • A variant using the .hNcrypt extension for encrypted files
  • The .keepcalm variant (keepcalmpls@india.com email address)
  • A variant using the garryweber@protonmail.ch email address
  • The German version (decryptmyfiles@inbox.ru email address)
  • A variant using the mk.priapos@bigmir.net email address and the .PRIAPOS extension for encrypted files
  • Files encrypted by GlobeImposter (".crypt" extension)
  • Files encrypted by GlobeImposter (“.txt” extension)

GlobeImposter decrypter (download link):


GlobeImposter's decrypter instructions.

GlobeImposter ransomware removal:

Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.


Windows 8 users: Start Windows 8 in Safe Mode with Networking. Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options, and in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.


Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu, click "Restart" while holding the "Shift" key on your keyboard. In the "Choose an option" window, click "Troubleshoot", then select "Advanced options". In the advanced options menu, select "Startup Settings" and click the "Restart" button. In the following window, press the "F5" key on your keyboard. This will restart your operating system in Safe Mode with Networking.


Step 2

Log in to the account infected with the GlobeImposter virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.



If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

3. Next, type this line: rstrui.exe and press ENTER.

4. In the opened window, click "Next".

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the GlobeImposter ransomware virus infiltrating your PC).

6. In the opened window, click "Yes".

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining GlobeImposter ransomware files.

To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of GlobeImposter are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.


If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by GlobeImposter, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.


To protect your computer from file encryption ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as GlobeImposter ransomware.

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user-intervention:


Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:


  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software is available here.

Other tools known to remove GlobeImposter ransomware: