Ransom.GlobeImposter

Short bio

GlobeImposter, also known as Fake Globe, mimics the Globe ransomware variant. It is distributed through a malicious spam campaign whose messages are recognizable only by their lack of message content and an attached ZIP file. This type of spam is called a “blank slate.” GlobeImposter is also distributed via exploits and malicious advertising, fake updates, and repacked infected installers.
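A mail-filter check for the “blank slate” pattern described above (no visible message content plus a ZIP attachment), as an added example that is not Malwarebytes code. The function names and the sample messages are constructed for illustration, and a match marks a message for review rather than identifying GlobeImposter specifically.

```python
import email, html, re
from email import policy
from email.message import EmailMessage

ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}

def is_zip(part):
    """True if a leaf MIME part is a ZIP by declared type, filename or magic bytes."""
    name = (part.get_filename() or "").lower()
    if part.get_content_type() in ZIP_TYPES or name.endswith(".zip"):
        return True
    payload = part.get_payload(decode=True) or b""
    return payload.startswith(b"PK\x03\x04")  # mislabelled archive

def visible_text(msg):
    """Text a reader would see: non-attachment text parts, HTML tags removed."""
    out = []
    for part in msg.walk():
        if part.is_multipart() or part.is_attachment():
            continue
        if part.get_content_maintype() == "text":
            text = part.get_content()
            if part.get_content_subtype() == "html":
                text = html.unescape(re.sub(r"<[^>]+>", "", text))
            out.append(text)
    return "".join(out).strip()

def is_blank_slate(raw):
    """Flag a raw RFC 5322 message that has a ZIP attachment and no visible body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    return any(is_zip(p) for p in leaves) and not visible_text(msg)

def sample(body, attachment=None, subtype="plain"):
    """Build a constructed test message; attachment is (filename, mime_subtype)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "Scan"
    m.set_content(body, subtype=subtype)
    if attachment:
        # Constructed payload: ZIP local-file-header magic followed by padding.
        m.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                         subtype=attachment[1], filename=attachment[0])
    return m.as_bytes()
```

Whitespace-only and tag-only HTML bodies count as blank, and an archive sent under a generic MIME type and a non-`.zip` name is still caught by its header bytes.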

Ransom file extensions

.402            .BIG1           .scorp
.4035           .goro           .sea
.4090           .gotham         .skunk
.4091           .granny         .Trump
.452            .happ           .txt
.707            .Ipcrestore     .UNLIS
.725            .keepcalm       .vdul
.726            .LIN            .wallet
.911            .MAKB           .write_me_[email]
.f41o1          .medal          .write_on_email
.2cXpCihgsVxB3  .mtk118         .write_us_on_email
.3ncrypt3d      .needdecrypt    .YAYA
.au1crypt       .needkeys       .zuzya
.BONUM          .NIGGA          ..doc
.BRT92          .nWcrypt        .encencenc
.BUSH           .paycyka        .{email@aol.com}BIT
.C8B089F        .pizdec         .[email@cock.li].arena
.CHAK           .pscrypt        .lock
.clinTON        .ReaGAN         .Nutella
.crypt          .rumblegoodboy  .waiting4keys
.FIX            .s1crypt        .FREEMAN

Ransom note files

Remediation

Malwarebytes users are already protected against the GlobeImposter ransomware.