Short bio

GlobeImposter, also known as Fake Globe, mimics the Globe ransomware variant. It is distributed through a malicious spam campaign, recognizable only with their lack of message content and an attached ZIP file. This type of spam is called a “blank slate.” GlobeImposter is also distributed via exploits and malicious advertising, fake updates, and repacked infected installers.

Ransom file extensions

 .402 .fuck .scorp
 .4035 .goro .sea
 .4090 .gotham .skunk
 .4091 .granny .Trump
 .452 .happ .txt
 .707 .Ipcrestore .UNLIS
 .725 .keepcalm .vdul
 .726 .LIN .wallet
 .911 .MAKB .write_me_[email]
 .f41o1 .medal .write_on_email
.2cXpCihgsVxB3 .mtk118 .write_us_on_email
.3ncrypt3d .needdecrypt .YAYA
.au1crypt .needkeys .zuzya
.BRT92 .nWcrypt .encencenc
.BUSH .paycyka .{email@aol.com}BIT
.C8B089F .pizdec .[email@cock.li].arena
.CHAK .pscrypt .lock
.clinTON .ReaGAN .Nutella
.crypt .rumblegoodboy  .waiting4keys
.FIX .s1crypt  .FREEMAN

Ransom note files

  • READ_IT.html
  • !back_files!.html
  • !SOS!.html
  • !your_files!.html
  • here_your_files!.html
  • How_to_back_files.html
  • how_to_recover_files.html
  • Read_ME.html


Malwarebytes users are already protected against the GlobeImposter ransomware.


Cybersecurity info you can’t do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Select your language