Globe Imposter 2.0 Ransomware

Posted: August 8, 2017
Threat Metric
Threat Level: 10/10
Infected PCs: 11,289

Globe Imposter 2.0 Ransomware Description

The Globe Imposter 2.0 Ransomware is an update of the Globe Imposter Ransomware with changes to its ransom message and encryption cipher. Because the Globe Imposter 2.0 Ransomware includes additional protection against public decryptors, victims will need to recover their locked files from backups. Malware experts also encourage blocking and deleting the Globe Imposter 2.0 Ransomware preemptively with anti-malware protection, rather than paying its ransom, which may not result in a decryption solution.

One Trojan Takes Another Step in the Race against Cyber Security

Even as the Globe Ransomware family continues growing, imitations of it are also trying to make money from victims who can't tell the difference between the original Trojan and cheap facsimiles of it. Unfortunately, for one copycat, the Globe Imposter 2.0 Ransomware, this superficial resemblance doesn't come with a weak encryption feature. Any files blocked by the Globe Imposter 2.0 Ransomware may be irretrievable unless the user has access to previous, unaffected copies.

As with previous versions, the Globe Imposter 2.0 Ransomware targets victims whose native languages are Russian and English, although malware experts have yet to confirm which infection vectors the threat uses. After launching, the Globe Imposter 2.0 Ransomware scans the PC for documents, spreadsheets, pictures and other common media formats to encipher with its encryption algorithm. Besides blocking these files, the attack also appends the '.pizdec' extension (which translates roughly to a Russian obscenity) to their names.

Malware experts also observed small modifications to the other component of the Globe Imposter 2.0 Ransomware's payload: its ransom note. This file is now an HTML file instead of an HTA file, although the threat actors still ask for the same kind of Bitcoin-based payment in exchange for unlocking your files. Since the Globe Imposter 2.0 Ransomware's ransom demands currently convert to the equivalent of over thirty thousand USD, malware experts presume that the Trojan's campaign is attacking the private servers of unprotected businesses and similar entities with the capacity to pay significant amounts of money.

Beating an Imposter to the Punch (and Your Files)

Updates to file-locking Trojans that seem to change very little about them often, in reality, hold 'surprises' for their victims and their data. Malware researchers have verified that the Globe Imposter 2.0 Ransomware includes additional anti-decryption features that make decoding any media the Trojan blocks more difficult than before. Therefore, protecting your files requires preventative security steps, such as backing up the contents of your drive to another PC or to peripheral devices that the Trojan can't access.

Expected infection methods for the Globe Imposter 2.0 Ransomware's campaign include spam e-mails that use targeted, forged content of interest to the reader (such as a fake invoice or delivery alert), corrupted Web content that can trigger drive-by downloads, and brute-force compromises of a server's login credentials. Careful management of your passwords, disabling scripts, and scanning downloads with anti-malware programs can reduce your potential exposure to such attacks or remove the Globe Imposter 2.0 Ransomware preemptively.

The Globe Imposter 2.0 Ransomware isn't a real version of the Globe Ransomware, but to someone struggling to recover their encrypted files, the difference may be a trivial one. Like the older Trojan whose ransom note it mimics, the Globe Imposter 2.0 Ransomware uses relatively straightforward enciphering technology to hold digital content hostage for as long as its threat actor desires.

Update November 30th, 2018 — The 'bizarrio@pay4me.in' Ransomware

The 'bizarrio@pay4me.in' Ransomware is a member of the Globe Imposter 2.0 Ransomware family and, unfortunately, this means that a free decryptor is not available. If you believe that you are one of the 'bizarrio@pay4me.in' Ransomware's victims, then we advise you to stay calm and not make any rash decisions, since this might not end well for your wallet and your files.

The 'bizarrio@pay4me.in' Ransomware works by encrypting the files on the victim's computer and then offers to provide them with a decryptor, which can be obtained in exchange for a ransom payment. Although this solution might sound attractive despite the high price, you should think twice about whether it is worth trusting the anonymous crooks behind this project. Many ransomware victims have been tricked out of their money in the past, and the authors of the 'bizarrio@pay4me.in' Ransomware offer no reliable proof that they will not do the same if you pay them.

All files locked by the 'bizarrio@pay4me.in' Ransomware will have the '.crypted_bizarrio@pay4me_in' extension added to their names. In addition to this, the victims also will find a short ransom note, which tells them to contact either bizarrio@venom.io or bizarrio@pay4me.in for further instructions and information. We assure you that messaging the operators of the 'bizarrio@pay4me.in' Ransomware is a bad idea because they are unlikely to help you out for free.

The correct way to deal with the consequences of a ransomware attack is to remove the threatening program immediately, using a trustworthy anti-virus tool. When this task is complete, you should try to restore the original versions of your encrypted files by using a popular data recovery utility.


Technical Details

File System Modifications


The following files were created in the system:

File name: 575A.tmp.exe
Path: %SYSTEMDRIVE%\Users\Globo\AppData\Local\575A.tmp.exe\
Size: 431.61 KB (431616 bytes)
MD5: 86a8e2327f003d25a2abef413473218b
Detection count: 1,387
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: June 26, 2020

File name: btc2017-india_2017-08-17_11-05.exe
Path: %WINDIR%\System32\
Size: 245.24 KB (245248 bytes)
MD5: b4ed40a147d3e280e85b4f40d64a93b4
Detection count: 227
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 25, 2017

File name: AU3_EXE.exe
Path: %SYSTEMDRIVE%\Users\usuario\AppData\Local\AU3_EXE.exe\
Size: 175.61 KB (175616 bytes)
MD5: d78a1829b5c9db3ef2fe01d43cdd91b6
Detection count: 49
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: June 26, 2020

File name: 7afd55f0c98f65d41f836613d825a895
Size: 200.19 KB (200192 bytes)
MD5: 7afd55f0c98f65d41f836613d825a895
Detection count: 41
Group: Malware file
Last Updated: January 7, 2019

File name: file.exe
Size: 273.92 KB (273920 bytes)
MD5: bfc214a781108b92d143b896b56b202b
Detection count: 34
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: August 8, 2017

File name: IGAMI.exe
Size: 424.88 KB (424888 bytes)
MD5: b02dbce0663e5a22bdbe5241110a7a80
Detection count: 31
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: 0c9194550fe425b6e2d9d87371aff4a3114b849ccca60b220fdd37e5d2b5be8d.exe
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Size: 413.69 KB (413696 bytes)
MD5: 70f5ed63c92fea27f8f8e5c2413bf323
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: February 9, 2018


Registry Modifications

The following newly produced Registry values are:

Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck
Software\Microsoft\Windows\CurrentVersion\RunOnce\CertificatesCheck
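A read-only triage helper, added here as an example and not part of the original article or of any vendor tool: it walks a directory for files carrying the two extensions named on this page, hashes executables against the MD5s listed under File System Modifications, and parses a `reg export` text dump for the two RunOnce value names listed above. The sample directory it builds and the function names are this example's own constructed assumptions.

```python
import hashlib
import os
import re
import tempfile

ENCRYPTED_EXTENSIONS = (".pizdec", ".crypted_bizarrio@pay4me_in")  # from the page
RUNONCE_VALUE_NAMES = {"BrowserUpdateCheck", "CertificatesCheck"}   # from the page
KNOWN_MD5 = {  # MD5s of the samples listed under File System Modifications
    "86a8e2327f003d25a2abef413473218b", "b4ed40a147d3e280e85b4f40d64a93b4",
    "d78a1829b5c9db3ef2fe01d43cdd91b6", "7afd55f0c98f65d41f836613d825a895",
    "bfc214a781108b92d143b896b56b202b", "b02dbce0663e5a22bdbe5241110a7a80",
    "70f5ed63c92fea27f8f8e5c2413bf323",
}

def triage_tree(root):
    """Walk root read-only; list renamed victim files and executables with listed MD5s."""
    encrypted, samples = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXTENSIONS):
                encrypted.append(path)
            elif name.lower().endswith(".exe"):
                with open(path, "rb") as f:
                    digest = hashlib.md5(f.read()).hexdigest()
                if digest in KNOWN_MD5:
                    samples.append(path)
    return {"encrypted": sorted(encrypted), "known_samples": sorted(samples)}

def find_suspicious_runonce(reg_export):
    """Parse 'reg export' text; return (key, value name) pairs using the listed names."""
    hits, key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and key.lower().endswith("\\currentversion\\runonce"):
            m = re.match(r'"([^"]+)"=', line)
            if m and m.group(1) in RUNONCE_VALUE_NAMES:
                hits.append((key, m.group(1)))
    return hits

def build_sample_tree():
    """Constructed dry-run data (not real samples): one renamed document, two clean files."""
    root = tempfile.mkdtemp()
    for name, data in (("report.docx.pizdec", b"constructed"),
                       ("notes.txt", b"plain"), ("setup.exe", b"benign")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root
```

Run triage_tree against a user profile or share after an incident, and feed it the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce` saved as text; a hit on either RunOnce name or a listed MD5 is a reason to isolate the host before any cleanup.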
