Globe targets Windows OS and its method of distribution is currently unknown. Once installed, Globe employs its anti-forensic capabilities as it determines whether or not it is running within a sandbox or a virtual machine (VM) such as Anubis, VirtualBox, VMware, or Virtual PC. If any of these are present, Globe will terminate itself. If none are detected, Globe begins the encryption process using the Blowfish encryption algorithm, targeting 995 file extensions and appending .globe or .purge to the name of every file it encrypts. It then creates an autorun.inf file which displays a ransom note using an HTML Application file named How to restore files.hta, which opens when the victim logs into Windows. Globe deletes Shadow Volume Copies to prevent file restoration and disables Windows Startup Repair. Lastly, Globe changes the victim's desktop wallpaper to an image featuring characters from the movie The Purge: Election Year.
UPDATE 10/6/2016: A number of new versions of Globe were seen in the wild and append the following extensions to encrypted files: .blt, [random].encrypted, .[random].raid10, .[firstname.lastname@example.org], and .[random].globe.
UPDATE 11/7/2016: New versions of Globe were spotted appending .zendr2, .blackblock, .email@example.com, .GSupport3, and .firstname.lastname@example.org to encrypted files.
UPDATE 11/14/2016: New versions of Globe append .zendrz, .zendr4, .MK, .x3m, .UCRYPT, and .ACRYPT to encrypted files.
UPDATE 11/24/2016: New versions of Globe append .SGood, .email@example.com, and .firstname.lastname@example.org to encrypted files.
UPDATE 12/6/2016: New versions append .trust, .nazarbayev, decryptallfiles[@]india.com, .lovewindows and bahij2[@]india.com to encrypted file names.
UPDATE 12/16/2016: New versions append .ink, .ziptox1, .restorefiles[@]protonmail.ch.FROZEN, and .sorry to encrypted files.
UPDATE 1/3/2017: New version appends .email@example.com to encrypted files.
UPDATE 1/6/2017: A Globe v2 ransomware version was discovered appending .decryptional to encrypted file names.
UPDATE 1/16/2017: A new Globe v3 ransomware version appends .wuciwug to encrypted file names and drops a ransom note named READ_ME_TO_DECRYPT_YOU_INFORMA.jjj.
UPDATE 2/17/2017: New Globe v3 variant appends .happydayzz to file names.
UPDATE 2/19/2017: New Globe v3 variant appends .1 to file names.
UPDATE 2/21/2017: New Globe v3 variant appends .x3mpro to file names.
UPDATE 2/26/2017: New Globe v3 variant appends .firstname.lastname@example.org to file names.
UPDATE 2/27/2017: New Globe v3 variant appends .[File-Help@India.Com].mails to file names.
UPDATE 3/12/2017: New Globe v3 variants append .WormKiller@india.com.xtbl and .[email@example.com] to encrypted files.
UPDATE 3/15/2017: A new Globe v2 variant appends .firstname.lastname@example.org to file names.
- Bleeping Computer provides more information about Globe here.
- Emsisoft provides a decryption tool for Globe, available here.
- Emsisoft provides a decryption tool for Globe2, available here.
- Emsisoft provides a decryption tool for Globe version 3 here. This tool will decrypt files appended with .decrypt2017 and hnumkhotep.
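As an added example (not code from the original page, from Bleeping Computer, or from Emsisoft), the Python script below turns the extension and ransom-note indicators listed above into a responder's triage helper: given a file listing from an affected machine, it reports which Globe family the strong indicators point at, how many files carry a Globe extension, which ransom notes are present, and which decryptor link above to try. It treats the page's "[random]" as a run of non-dot characters, assumes hnumkhotep is appended as a file extension like the others, omits the email-style extensions whose addresses are masked on this page, and treats the very generic .1 extension of Globe v3 as a weak indicator that only counts when a strong Globe v3 hit or note corroborates it (rotated log files such as setup.log.1 would otherwise be false positives). The sample file listing is constructed.

```python
"""Triage helper for the Globe ransomware indicators listed on this page.

Added example, not part of the original page or any vendor tool.
"""
import re
from collections import Counter

# Ransom note file names (case-insensitive) and the family each belongs to.
RANSOM_NOTES = {
    "how to restore files.hta": "Globe",
    "read_me_to_decrypt_you_informa.jjj": "Globe v3",
}

# Decryptor to try per family, following the links on this page.
DECRYPTORS = {
    "Globe": "Emsisoft decryptor for Globe",
    "Globe v2": "Emsisoft decryptor for Globe2",
    "Globe v3": "Emsisoft decryptor for Globe version 3",
}


def _ext_alt(*exts):
    """Regex matching a file name ending in any one of the given extensions."""
    return r"\.(?:" + "|".join(re.escape(e) for e in exts) + r")$"


# (compiled regex, family label, strong indicator?)
# "[random]" from the page is modelled as one or more non-dot characters.
# Defanged "[@]" in the page's email-style extensions is accepted as "@" or "[@]".
INDICATORS = [
    (re.compile(_ext_alt("globe", "purge", "blt", "zendr2", "blackblock", "GSupport3",
                         "zendrz", "zendr4", "MK", "x3m", "UCRYPT", "ACRYPT", "SGood",
                         "trust", "nazarbayev", "lovewindows", "ink", "ziptox1", "sorry")),
     "Globe", True),
    (re.compile(r"\.[^.]+\.(?:raid10|globe)$"), "Globe", True),
    (re.compile(r"[^.]+\.encrypted$"), "Globe", True),
    (re.compile(r"(?:decryptallfiles|bahij2)(?:@|\[@\])india\.com$"), "Globe", True),
    (re.compile(r"\.restorefiles(?:@|\[@\])protonmail\.ch\.FROZEN$"), "Globe", True),
    (re.compile(_ext_alt("decryptional")), "Globe v2", True),
    (re.compile(_ext_alt("wuciwug", "happydayzz", "x3mpro", "decrypt2017", "hnumkhotep")),
     "Globe v3", True),
    (re.compile(r"\.\[File-Help@India\.Com\]\.mails$"), "Globe v3", True),
    (re.compile(r"\.WormKiller@india\.com\.xtbl$"), "Globe v3", True),
    (re.compile(r"\.1$"), "Globe v3", False),  # weak: collides with rotated logs
]


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify_file(path):
    """Return (family, strong) if the file name matches a Globe indicator or
    ransom note, otherwise None."""
    base = _basename(path)
    note_family = RANSOM_NOTES.get(base.lower())
    if note_family:
        return (note_family, True)
    for regex, family, strong in INDICATORS:
        if regex.search(base):
            return (family, strong)
    return None


def triage(file_names):
    """Summarise a file listing: the family the strong evidence points at,
    how many files carry a matching extension, the ransom notes found, weak
    hits that nothing corroborates, and the decryptor to try."""
    votes = Counter()      # strong evidence per family (files and notes)
    encrypted = Counter()  # strong encrypted-file hits per family
    weak = Counter()       # weak hits per family
    notes = []
    for name in file_names:
        base = _basename(name)
        if base.lower() in RANSOM_NOTES:
            notes.append(base)
            votes[RANSOM_NOTES[base.lower()]] += 1
            continue
        match = classify_file(name)
        if match is None:
            continue
        family, strong = match
        if strong:
            votes[family] += 1
            encrypted[family] += 1
        else:
            weak[family] += 1
    family = votes.most_common(1)[0][0] if votes else None
    corroborated_weak = weak[family] if family else 0
    return {
        "variant": family,
        "encrypted_files": encrypted[family] + corroborated_weak if family else 0,
        "ransom_notes": notes,
        "uncorroborated_weak_hits": sum(weak.values()) - corroborated_weak,
        "decryptor": DECRYPTORS.get(family),
    }


# Constructed file listing, not from a real incident.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.globe",
    r"C:\Users\alice\Documents\notes.txt.purge",
    r"C:\Users\alice\Pictures\holiday.jpg.[a1b2c3].raid10",
    r"C:\Users\alice\Documents\archive.zip.encrypted",
    r"C:\Users\alice\How to restore files.hta",
    r"C:\Windows\Logs\setup.log.1",
    r"C:\Users\alice\Desktop\readme.md",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

Feed it the output of a directory walk rather than the constructed list to use it on a real image; the family-vote approach matters because a machine may carry generic-looking hits (.1, .encrypted) from unrelated software, so the decryptor recommendation follows the strongest corroborated evidence instead of the first match.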