GlobeImposter

GlobeImposter targets Windows OS, mimics the Globe ransomware variant, and its distribution method is currently unknown. On March 16, 2017, a new version, dubbed GlobeImposter 2.0 was discovered by security researchers.

Extensions appended to encrypted file names:
.crypt, .pizdec, .FIX, .keepcalm, .vdul, .2cXpCihgsVxB3, .medal, .paycyka, .wallet, .3ncrypt3d, .skunk, .BRT92, .HAPP, .707, s1crypt, .au1crypt, .p1crypt

Ransom note file names:
HOW_OPEN_FILES.hta, how_to_recover_files.html, How_to_back_files.html, #HOW_DECRYPT_FILES#.html, RECOVER-FILES.html

Email addresses associated with GlobeImposter:
keepcalmpls@india.com, support24@india.com, happydaayz@aol.com, strongman@india.com

  • Emsisoft provides more information about GlobeImposter, as well as a free decryption tool, here.
  • The NJCCIC is not currently aware of any decryption tools available for GlobeImposter 2.0.