This article will help you remove the GlobeImposter ransomware variant that uses the .write_me_[[email protected]] file extension and decrypt the files it has encrypted.
A ransomware virus belonging to the infamous GlobeImposter family of variants has been encountered by malware researcher R0bert R0senb0rg (@drProct0r). The virus is still believed to be decryptable and uses the same wallpaper as the original GlobeImposter ransomware viruses. In its ransom note, the virus demands that victims contact the e-mail address [email protected] and pay a hefty ransom fee to restore the encrypted files. Luckily for victims, this variant of GlobeImposter is also decryptable. If you are one of the victims of GlobeImposter, we strongly suggest that you read the following material to learn how to decrypt files encrypted by this virus without having to pay the ransom.
|Short Description|Encrypts the files on the computers it has infected, then sets a ransom note as the wallpaper and demands a payoff for the decryption of the encrypted data.|
|Symptoms|The files’ default extension is changed to .write_me_[[email protected]].|
|Distribution Method|Spam Emails, Email Attachments, Executable files|
More About the .write_me_[[email protected]] Virus
Being a typical GlobeImposter ransomware variant, this malware is spread primarily via spam e-mail messages. The ransomware may hide behind seemingly legitimate e-mail attachments that pretend to be invoices, receipts or other important files. The messages in the e-mails are usually written to persuade the victim to open the attachment. They often pose as legitimate companies, such as FedEx, PayPal, eBay, DHL and others.
Either way, once the user opens the infection file of the ransomware, it connects to a remote host and downloads the malicious files of GlobeImposter onto the victim PC. The primary infection file is an object with the following technical details, according to its VirusTotal profile:
After having infected the computer, this GlobeImposter variant may obtain Read and Write permissions by tampering with crucial Windows processes. Besides obtaining these permissions, GlobeImposter may also modify and delete the shadow volume copies, and tamper with the Windows Registry to create value strings with custom data in them. This eventually leads to the malware being run on Windows boot.
The main activity of GlobeImposter, however, is to encrypt the files on the computer it has infected. The virus may scan for and encrypt files with the following file extensions:
“.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV .DWG .DXF .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV .3DM .3DS .MAX .OBJ .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” Source: fileinfo.com
After the encryption process has completed, this GlobeImposter ransomware variant adds its distinctive file extension, so that the encrypted files look like the following:
Luckily, files encrypted with the .write_me_[[email protected]] file extension are decryptable, meaning that you can get your files back for free without having to pay the ransom. But before decrypting your files, we strongly advise you to remove the .write_me_[[email protected]] file virus from your computer first, because the decryption should be done on a clean PC.
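To scope the damage before removal and decryption, the following added example (not part of the original article) walks a directory tree and inventories files that carry the .write_me_[...] marker, grouped by their original extension. It assumes the marker is appended to the full original file name; the e-mail address inside the brackets is redacted on this page, so the pattern matches any bracketed value, and the function names and sample file names are constructed for illustration.

```python
import os
import re
import tempfile
from collections import Counter

# Marker added by this variant, per the article: ".write_me_[<contact e-mail>]".
# The address is redacted on the page, so match any bracketed value
# rather than one specific address (assumption: marker is a suffix).
MARKER = re.compile(r"^(?P<original>.+)\.write_me_\[[^\]]+\]$", re.IGNORECASE)


def inventory(root):
    """Return (hits, counts): affected paths with original names, and a per-extension tally."""
    hits, counts = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = MARKER.match(name)
            if not m:
                continue  # untouched file or look-alike name
            original = m.group("original")
            ext = os.path.splitext(original)[1].lower() or "(none)"
            hits.append((os.path.join(dirpath, name), original))
            counts[ext] += 1
    return hits, counts


def demo():
    """Build a constructed sample tree in a temp directory and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        samples = [  # all names below are constructed test data
            "docs/report.docx.write_me_[contact@example.invalid]",
            "docs/budget.XLSX.write_me_[contact@example.invalid]",
            "photo.jpg.write_me_[contact@example.invalid]",
            "docs/untouched.docx",        # not encrypted
            "notes.write_me_backup.txt",  # look-alike without the bracketed suffix
        ]
        for rel in samples:
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(b"\x00")
        hits, counts = inventory(root)
        return sorted(orig for _path, orig in hits), dict(counts)


if __name__ == "__main__":
    names, counts = demo()
    print(names, counts)
```

Run `inventory()` read-only against a copy or mounted image of the affected volume, and keep the resulting list to check later that every listed file was restored.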
GlobeImposter Ransomware – Removal + Decryption
Before beginning to decrypt the files enciphered by this virus, we advise you to remove the virus from your computer, preferably by following the instructions below.