What is GlobeImposter 2.0 Ransomware
GlobeImposter 2.0 Ransomware is the second generation of file-encrypting ransomware virus GlobeImposter. The name “GlobeImposter” was originally given to it by crypto-ransomware identification service called “ID-Ransomware”, because of the assignment by the extortioners of the “proprietary” ransom note from the Globe Ransomware family. The purpose was to frighten the victims, to confuse the researchers, to discredit the decryption programs released for the Globe-family. Thus, all Globe-imitators, which are not decrypted by the decryption utilities released for Globe 1-2-3, received the conditional name GlobeImposter, and after that – GlobeImposter 2.0. Virus can be detected by various antivirus programs as Trojan.Encoder.7325, Trojan.Encoder.10737, Trojan.Encoder.11539, Ransom_FAKEPURGE.A or Ransom.GlobeImposter. Until today different versions of GlobeImposter 2.0 used all sorts of file extensions. Here is list of extensions used in 2018 only (beginning from the latest discovered):
After finishing encryption process, GlobeImposter 2.0 Ransomware can create text files with following names: how_to_back_files.html, Readme.html, $DECRYPT$.html, doc.html, HOW_TO_RECOVER_FILES.html, READ_IT.html, How to restore your files.hta, Read_For_Restore_File.html, READ_ME.txt, How_to_decrypt_files.html, Restore-My-Files.txt etc. Example of the ransom note message:
YOUR PERSONAL ID
***
ENGLISH
☠YOUR FILES ARE ENCRYPTED! â˜
ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.
To recover data you need decryptor.
To get the decryptor you should:
SAVE THE ID BEFORE DOING ANYTHING ON THE COMPUTER!!!
BE SURE TO SAVE THIS ID, WITHOUT IT DECRYPTION IS IMPOSSIBLE!!!
Send 3 test image or text file incredible0ansha@tuta.io or incredible0ansha@cock.lu.
In the letter include your personal ID (look at the beginning of this document).
We will give you the decrypted file and assign the price for decryption all files
After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.
Attention!
Only incredible0ansha@tuta.io or incredible0ansha@cock.lu can decrypt your files
Do not trust anyone incredible0ansha@tuta.io or incredible0ansha@cock.lu
Do not attempt to remove the program or run the anti-virus tools
Attempts to self-decrypting files will result in the loss of your data
Decoders other users are not compatible with your data, because each user's unique encryption key
Virus places this files in every folder with affected files. This text file contains instruction to pay the ransom, where malefactors encourage users to contact them via e-mails: assistance@airmail.cc, aid1@cock.li, sambuka_star@aol.com and many others. Ransom amount is between $50 and $10000 and must be paid in Bitcoins. Latest discovered version (.pptm) extorts 0.19 BitCoins and doubles the amount if it is not paid in 48 hours. GlobeImposter 2.0 Ransomware is not decryptable at the moment, and only way to return your files is from the backups. Please, do not pay the hackers as there no guarantee, that they will send you decryption key. Besides, some users, who paid the ransom, state, that after “decryptor” malefactors send many files come out corrupted. Possibly, some files can be restored using file-recovery software. Please, note, that from time to time antivirus companies and individual security researchers and enthusiasts release full working or partially working decryptors for various kinds of ransomware. If you are not able to recover your files at the moment, keep them and wait for decryptor. Use this tutorial to remove GlobeImposter 2.0 Ransomware and decrypt .eztop, .tabufa, or .forcrypt files in Windows 10, Windows 8, Windows 7.
How GlobeImposter 2.0 Ransomware infected your PC
GlobeImposter 2.0 Ransomware virus developers still use spam e-mails with malicious attachments for distribution. Usually, attachments are DOC or XLS documents. Such documents contain built-in macros, that runs in the background when user opens the document. This macros downloads and runs main executable with random name. Since that moment GlobeImposter starts encryption process. Antivirus may not catch this threat and we recommend you to use HitmanPro with Cryptoguard. This program can detect encryption process and stop it to prevent the loss of your files.
Download Removal Tool
To remove GlobeImposter 2.0 Ransomware completely, we recommend you to use SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders, and registry keys of GlobeImposter 2.0 Ransomware. The trial version of SpyHunter 5 offers virus scan and 1-time removal for FREE.
Alternative Removal Tool
To remove GlobeImposter 2.0 Ransomware completely, we recommend you to use Norton Antivirus from Symantec. It detects and removes all files, folders, and registry keys of GlobeImposter 2.0 Ransomware and prevents future infections by similar viruses.
How to remove GlobeImposter 2.0 Ransomware manually
It is not recommended to remove GlobeImposter 2.0 Ransomware manually, for safer solution use Removal Tools instead.
GlobeImposter 2.0 Ransomware files:
{randomname}.exe
{randomname}.bat
GlobeImposter 2.0 Ransomware reg keys:
no information
How to decrypt and restore .eztop, .tabufa, or .forcrypt files
Decryption tool #1
Use following tool from EmsiSoft called GlobeImposter Decryptor, that can decrypt .eztop, .tabufa, or .forcrypt files. Download it here:
Decryption tool #2
Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .eztop, .tabufa, or .forcrypt files. Download it here:
There is no purpose to pay the ransom, because there is no guarantee you will receive the key, but you will put your bank credentials at risk.
If you are infected with GlobeImposter 2.0 Ransomware and removed it from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. However, there is currently no automatic decryption tool for files encrypted by GlobeImposter. To attempt to remove them you can do the following:
Use Stellar Data Recovery Professional to restore .eztop, .tabufa, or .forcrypt files
- Download Stellar Data Recovery Professional.
- Click Recover Data button.
- Select type of files you want to restore and click Next button.
- Choose location where you would like to restore files from and click Scan button.
- Preview found files, choose ones you will restore and click Recover.
Using Windows Previous Versions option:
- Right-click on infected file and choose Properties.
- Select Previous Versions tab.
- Choose particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- In case there is no items in the list choose alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- In case there are no other dates in the list, choose alternative method.
If you are using Dropbox:
- Login to the DropBox website and go to the folder that contains encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect computer from viruses like GlobeImposter 2.0 Ransomware in future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool, that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, file protection that detects and blocks even unknown encryptors.
2. Back up your files
Regardless of success of protection against ransomware threats, you can save your files using simple online backup. Cloud services are quite fast and cheap nowadays. There is more sense using online backup, than creating physical drives, that can get infected and encrypted when connected to PC or get damaged from dropping or hitting. Windows 10 and 8/8.1 users can find pre-installed OneDrive backup solution from Microsoft. It is actually one of the best backup services on the market, and has reasonable pricing plans. Users of earlier versions can get acquainted with it here. Make sure to backup and sync most important files and folders in OneDrive.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails is most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications, and provides very high level of anti-spam protection.