Remove New Globe / Purge Ransomware and Restore .GSupport3 Files

As soon as the first variant of Globe ransomware was successfully decrypted by malware researchers, its creators released two new versions of the virus with multiple modifications: Globe2 ransomware and a third variant of Globe. The new variant appends the file extension .GSupport3 to the files it encrypts and has already been added to the signature databases of most anti-malware programs. In this article, we demonstrate how to remove this iteration of Globe, which uses the .GSupport3 file extension, and how to try to restore your files if they have been encrypted.

Threat Summary

Name: New Globe
Type: Ransomware
Short Description: The malware encrypts the user's files with an encryption cipher, appends its custom extension and drops a ransom note requesting a ransom of 0.8 BTC for the decryption of the files.
Symptoms: The user may see ransom notes and Globe "instructions" linking to a web page and a decryptor. File names are changed and the file extension .GSupport is appended.
Distribution Method: Via an exploit kit, a DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool: See If Your System Has Been Affected by New Globe.
Data Recovery Tool: Data Recovery Pro by ParetoLogic. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files but only a few of them, depending on the situation and on whether or not you have reformatted your drive.

Globe/Purge Ransomware – In-Depth Analysis

Since this virus is reported to be an evolved variant of the JigSaw ransomware that was put up for sale on the black market, its distributors may use the same tactics as the previous versions.

Distribution of Globe

These tactics primarily involve the active spreading of spam e-mails through third-party spamming services. The spammed e-mails may pretend to carry legitimate files:

  • Pictures.
  • Adobe documents.
  • Microsoft Office documents.
  • Fake program setups.

The body of the e-mail may present these files as urgent to open, for example as invoices, cancelled bank account documents or other "motivators" meant to get the user to click on them.

As soon as the files are opened, the virus using the .GSupport extension may download or extract its payload in an obfuscated manner to avoid detection by antivirus programs. The payload may be dropped under different names and in different Windows folders, for example:

(Image: commonly used file names and folders)

In addition, the payload of the virus carries further information on the type of file used for infection:

(Image: VirusTotal detection results for the New Globe .GSupport ransomware)

New Globe .GSupport Ransomware – Post Infection Activity

After infecting the unsuspecting victim, the new variant of Globe may modify registry sub-keys so that the malicious file runs every time Windows boots up and encrypts files. It achieves this by adding custom data to values in the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
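The four keys above are the first place to look when checking whether the autostart entry described here is present. The following script is an added example, not code from the original article or from SensorsTechForum: it lists every value in those keys read-only and flags commands that point into user-writable locations, where a dropped payload usually lives. The list of suspicious folders is an assumed heuristic to tune per environment, not something the article states.

```powershell
# Added example, not part of the original article: read-only review of the four
# Run/RunOnce keys named above. It lists every autostart value and flags those
# whose command points into a user-writable location, where a dropped payload
# typically lives. The list of locations is an assumption to tune per environment.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders a normally installed program rarely launches from (assumed heuristic).
$suspiciousRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData, $env:PUBLIC) |
    Where-Object { $_ } |
    ForEach-Object { [regex]::Escape($_) }
$suspiciousPattern = $suspiciousRoots -join '|'

# Properties that Get-ItemProperty adds for its own bookkeeping; they are not registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $command = [string]$prop.Value
            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = $command
                Suspicious = [bool]($command -match $suspiciousPattern)
            }
        }
    }
}

# Suspicious entries first. Nothing is modified, so this is safe to run before removal.
Get-AutostartEntries |
    Sort-Object -Property Suspicious -Descending |
    Format-Table -Property Suspicious, Key, Name, Command -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. It covers only the keys the article names: the 32-bit Wow6432Node view and the HKCU hives of other user accounts on the machine are not inspected, and a flagged entry is a lead to verify (check the file's hash and publisher), not proof of infection on its own.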

After this, this version of Globe may begin to encrypt user files. The virus may be pre-configured to look for file extensions associated with commonly used file types, for example:

“.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files: .DWG .DXF GIS Files: .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF Encoded Files: .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D Files: .3DM .3DS .MAX .OBJ .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” Source: fileinfo.com

After encrypting the files, the malware appends its distinctive .GSupport file extension, and the files then look like the following:

(Image: file encrypted by New Globe)

In addition, the files encrypted by this ransomware can no longer be opened, and Globe drops its ransom note demanding 0.8 BTC, approximately 500 dollars, from the user of the infected computer:

(Image: Globe ransomware ransom note)
Image Source: Twitter
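Before starting removal or recovery it helps to know how many files carry the appended extension, of which types, and when they were written. The script below is an added example, not code from the original article or from SensorsTechForum. It assumes the variant keeps the original file name and appends the new extension (for example report.docx.GSupport3); if the variant you face also renames files, the per-type breakdown will be empty but the count and time window still hold. The default root, extension and output file name are assumptions.

```powershell
# Added example, not part of the original article: read-only inventory of files that
# carry the appended ransomware extension under a chosen root, so the extent of the
# damage is known before removal or recovery is attempted. Assumes the original file
# name is kept and the new extension appended (e.g. report.docx.GSupport3).
param(
    [string]$Root = $env:USERPROFILE,
    [string]$Extension = '.GSupport3'   # use '.GSupport' for the older reports of this variant
)

$encrypted = @(Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*$Extension" })

if ($encrypted.Count -eq 0) {
    "No files with extension $Extension found under $Root"
    return
}

# Strip the appended extension to recover the original one for a per-type breakdown.
$records = @(foreach ($file in $encrypted) {
    $stem = $file.Name.Substring(0, $file.Name.Length - $Extension.Length)
    [pscustomobject]@{
        OriginalExt = [System.IO.Path]::GetExtension($stem).ToLowerInvariant()
        Path        = $file.FullName
        Bytes       = $file.Length
        Modified    = $file.LastWriteTime
    }
})

# Which file types were hit, and how much data per type.
$records |
    Group-Object -Property OriginalExt |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Name, Count,
        @{ Name = 'TotalMB'; Expression = { [math]::Round((($_.Group | Measure-Object -Property Bytes -Sum).Sum) / 1MB, 2) } } |
    Format-Table -AutoSize

# The earliest and latest write times bracket the encryption run for the incident timeline.
$ordered = @($encrypted | Sort-Object -Property LastWriteTime)
"Encryption window: $($ordered[0].LastWriteTime) to $($ordered[-1].LastWriteTime) ($($encrypted.Count) files)"

# Full list saved in the current directory for the recovery step; nothing is renamed or deleted.
$records | Export-Csv -Path (Join-Path $PWD 'gsupport3-inventory.csv') -NoTypeInformation
```

Save it as a .ps1 file and run it as the affected user, for example `.\inventory.ps1 -Root D:\` to cover a second drive. The CSV it writes is the list to keep alongside the backup recommended below, so that a later free decryptor can be pointed at exactly the affected files.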

New Globe Ransomware – Remove and Restore .GSupport Encrypted Files

It is strongly recommended to focus immediately on removing this iteration of Globe from your computer. Malware researchers recommend against paying the ransom, since a free decryptor may be released very soon.

To remove Globe Ransomware, make sure that you follow the instructions below. They are designed to help you remove the malicious files of the virus. For maximum effectiveness, malware research experts strongly recommend using advanced anti-malware software for the removal process. It will make sure that all of the files and registry entries related to Globe are safely gone for good.

In order to restore your files, we first advise you to back them up online. For more information on how to back up your files safely, please read the article below:

Related Article: Safely Store Your Important Files and Protect Them from Malware

If you want to decrypt your files, besides trying the alternative methods in the instructions below, we urge you to try and use the information from the article below:

Related Article: Decrypt File Encrypted by Globe Purge Ransomware

Manually delete New Globe from your computer

Note! Important information about the New Globe threat: manual removal of New Globe requires interfering with system files and registry entries and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in just 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove New Globe files and objects
2. Find malicious files created by New Globe on your PC

Automatically remove New Globe by downloading an advanced anti-malware program

1. Remove New Globe with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by New Globe
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. A strong believer in basic online-safety education for every user.
