GlobeImposter targets Windows OS and mimics the Globe ransomware variant; its distribution method is currently unknown. On March 16, 2017, a new version, dubbed GlobeImposter 2.0, was discovered by security researchers.

Extensions appended to encrypted file names:
.crypt, .pizdec, .FIX, .keepcalm, .vdul, .2cXpCihgsVxB3, .medal, .paycyka, .wallet, .3ncrypt3d, .skunk, .BRT92, .HAPP, .707, .s1crypt, .au1crypt, .p1crypt, .GOTHAM, .rose, .ocean, .Mixi, .725, .726, .help, .sea, .mtk118, .492, .astra, .coded, .txt, .ACTUM, .GRAFF, .JEEP, .BONUM, .GRANNY, .LEGO, .D2550A49BF52DFC23F2C013C5, .rumblegoodboy, .zuzya, .UNLIS, .0402, .Trump, .ReaGAN, .C8B089F, .needdecrypt, .write_on_email, .clinTON, .BUSH, .911, .apk, .arena, .crypted!, .DREAM, .suddentax, .Nutella, .emilysupp

Ransom note file names:
HOW_OPEN_FILES.hta, how_to_recover_files.html, How_to_back_files.html, #HOW_DECRYPT_FILES#.html, RECOVER-FILES.html, !back_files!.html, !your_files!.html, here_your_files!.html, Read_ME.html, !SOS!.html

UPDATE 8/3/2017: According to security researcher Michael Gillespie, creator of ID Ransomware, there has been a growing GlobeImposter ransomware campaign impacting the US and the EU over the past month. has also detected multiple instances of malspam distributing the GlobeImposter ransomware variant and provides indicators of compromise associated with these campaigns on their website.

  • Emsisoft provides more information about GlobeImposter, as well as a free decryption tool, here.
  • The NJCCIC is not currently aware of any decryption tools available for GlobeImposter 2.0.