Decrypt .write_me_[] GlobeImposter Files for Free - How to, Technology and PC Security Forum |

Decrypt .write_me_[] GlobeImposter Files for Free

This article will help you to remove and decode the GlobeImposer ransomware variant using .write_me_[] file extension.

A ransomware virus, part of the infamous Globeimposter ransomware variants has been encountered by malware researcher R0bert R0senb0rg (@drProct0r). The virus is still believed to be decryptable and uses the same wallpaper as the original GlobeImposter ransomware viruses. In this ransom note, the virus demands to contact the e-mail in order to pay a hefty ransom fee to restore the files that have been encrypted by making a ransom payoff. Luckily for victims, this variant of GlobeImposter is also decryptable. If you are one of the victims of GlobeImposter, we strongly suggest that you read the following material to learn how to decrypt files encrypted by this virus without having to pay the ransom.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionEncrypts the files on the computers it has infected, after which sets a ransom note as a wallpaper and demands a payoff to be made for the decryption of the encrypted data.
SymptomsThe files’ default extension is changed to .write_me_[].
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by GlobeImposter


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss GlobeImposter.

More About the .write_me_[] Virus

Being a typical GlobeImposter ransomware variant, this malware is spread primarily via spam e-mail messages. The ransomware may hide behind seemingly legitimate e-mail attachmeents, that pretend to be invoices, receipts or other important files. The messages in the e-mails are usually created in order to convince the victim into opening the attachment. They often pose as legitimate companies, such as FedEx, PayPal, eBay, DHL and others.

Either way, once the user opens the infection file of the ransomware, it connects to a remote host and downloads the malicious files of GlobeImposter into the victim PC. The primary infection file is an object with the following technical details, according to it’s VirusTotal profile:

After having infected the computer, this GlobeImposter variant may obtain Read and Write permissions by tampering with crucial Windows processes. Besides Read and Write permissions, GlobeImposter may also begin to modify the shadow volume copies and delete them as well as tamper with the Windows Registry Editor in order to create value strings with custom data within them. This eventually leads to the malware being ran on Windows boot.

The main activity of GlobeImposter, however is to encrypt the files on the computer infected by it. The virus may scan for and encrypt files with the following file extensions:


After the encryption process has completed, this GlobeImposter ransomware variant adds it’s distinctive file extension which makes it possible for the encrypted files to look like the following:

Luckily files, encrypted with the .write_me_[] file extension are decryptable, meaning that you can get your files back for free without having to pay the actual ransom. But before actually decrypting your files, we strongly advise you to remove the .write_me_[] file virus from your computer first, because the decryption should be done on a clean PC.

GlobeImposter Ransomware – Removal + Decryption

Before beginning to decrypt the files enciphered by this virus, we advise you to remove the virus from your computer, preferably by following the instructions below.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share