.BIG4+ Files Ransomware (GlobeImposter) – Remove and Decrypt Data

.BIG4+ Files Ransomware (GlobeImposter) – How to Remove and Decrypt Data

This article has been created in order to best explain how to remove the .BIG+ variant of GlobeImposter ransomware virus from your computer and how to decrypt .BIG+ encrypted files for free without having to pay ransom.

The .BIG+ files virus is a ransomware type of infection, whose main goal is to convince victims to pay a hefty ransom fee in order to allow them to use their files which the malware has encrypted beyond the ability to be opened. After encryption, the GlobeImposter variant ads the .BIG+ file extension to the encrypted files and drops a ransom note which Is called how_to_back_files.html. Luckily, the files encoded by this virus are decryptable, so if you are one of the victims of this ransomware, we advise that you read this article and learn how you can remove it and how you can decrypt the encrypted files for free.

Threat Summary

NameBIG4+ Files Virus
TypeRansomware, Cryptovirus
Short DescriptionEncrypts the files on the computers that have been infected by it and then asks victims to pay ransom to get the files decrypted again.
SymptomsThe ransomware adds the .BIG4+ file extension to the encrypted files and adds a ransom note with payment instructions, called how_to_back_files.html.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by BIG4+ Files Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss BIG4+ Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.BIG4+ Ransomware – Distribution Methods

In order for this ransowmare virus to infect computers while remaining unnoticed it may use different tools and techniques. Firstly, it needs to slither unnoticable, this is why the malware may incorporate obfuscation software to it’s infection file, whose main goal is to conceal the infection file from any protection software that might detect it.

To slither the infection file on victims’ computers, the malware may use differeent approaches among which may be to send malicious e-mails to victims, which pretend as if they come from big companies, such as PayPal, eBay, Amazon, LinkedIn and other big companies. The e-mails are cunningly created to resemble original ones, for instance:

In addition to spreading the virus via e-mails, the malware may also reside passively while waiting for victims to download it from suspicious low-reputation websites. To such sites, the victim may be redirected as a result of having adware or other unwanted program installed on his computer. In addition to this, the ransomware may also pretend to be:

  • A setup of a program.
  • Patch.
  • Key Generator also known as keygen.
  • Game cracks.
  • Other software license activators.

.BIG4+ File Extension Ransomware – Activity

Being a variant of GlobeImposter ransomware viruses, the .BIG4+ virus may drop it’s malicious payload in the following Windows directories under different names:

After the payload of the ransomware is dropped it creates it’s ransom note file, called how_to_back_files.html. The ransom note file provides the following instructions to victims:

In addition to this, the .BIG4+ files variant of GlobeImposter ransomware aims to create multiple different types of mutexes and it may also create values in the Run and RunOnce registry sub-keys of Windows. The creation of these may ultimately result in the malicious files of the virus to run automatically on system boot. The keys in which the values may be located are the following:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In addition to this, the ransomware may also execute commands in Windows Command Prompt which may result in the deletion of the shadow volume copies by running scripts that execute the following commands as an administrator:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

.BIG4+ Files Virus – Encryption Process

In order to encrypt the files on the compromised computers, the .BIG4+ files virus may scan for them based on their file extensions. The malware targets only files that are used very often, such as documents, videos, images as well as other often used types of files, for instance:


After the encryption process has finished, the ransomware adds it’s distinctive .BIG4+ file extension and after this, the encrypted files appear like the following:

Remove .BIG4 Files Virus And Decrypt Your Data

In order to make sure that you remove this ransomware virus from your computer effectively, it is reccomended that you follow the removal instructions underneath. They have been divided in manual and automatic remoal instructions so that they can help you best. If manual removal is not effective, experts often advise using an advanced anti-malware software to remove this mlware, since it will automatically remove all of the intrusive files and objects from your computer while in the same time ensuring that your computer stays protected against future infections.

If you want to decrypt encrypted files for free, we recommend that you download the decrypter by Emsisoft for GlobeImposter which is available after the removal manual underneath


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share