.fuck Ransomware — How to Remove Globe Imposter Virus

This article will help you remove .fuck Ransomware. Follow the ransomware removal instructions provided at the end of the article.

.fuck Ransomware encrypts your data and demands money as a ransom to get it restored. Affected files receive the .fuck extension. The ransomware leaves its instructions as a desktop wallpaper image. Keep reading to see how you could try to recover some of your locked files and data.

Threat Summary

Name: .fuck ransomware
Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts files, marks the affected files on your computer system with the .fuck extension and demands a ransom to be paid to allegedly recover them.
Symptoms: The ransomware will encrypt your files and leave a ransom note with payment instructions.
Distribution Method: Spam Emails, Email Attachments
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.fuck Ransomware – Distribution Techniques

The .fuck ransomware is being distributed using a global attack campaign. The captured samples are based on the Globe Imposter ransomware family and they are widely known for using several popular methods.

A very popular method is the coordination of email SPAM messages which contain various phishing scams. The messages spoof Internet companies or popular services in order to coerce the recipients into interacting with the built-in content. The users will be guided into believing that they are receiving legitimate notifications and will follow the instructions given: to install new software, apply updates or perform another action that will lead to the .fuck ransomware infection. The files themselves are usually linked in the body contents; in other cases they can be attached directly to the messages.

A similar technique is the creation of fake download sites. They impersonate well-known sites, vendor landing pages or download portals and spread the virus files, making use of stolen design elements and self-signed security certificates. Together with the emails and other major mechanisms they are known for spreading malicious payloads:

  • Software Installers — The virus code can be embedded in application setup files across all popular software that are downloaded by end users. They range from system utilities and productivity apps to creativity suites. Once the process is started the ransomware infection will begin.
  • Infected Documents — The virus installation code can be found in scripts that are embedded across all popular types of documents: spreadsheets, rich text documents, databases and presentations. Whenever they are opened by the users a prompt will be spawned asking for the built-in macros to be enabled. If this is done the virus infection will follow.

The infected payloads can also be uploaded to various file-sharing networks like BitTorrent. This is often considered one of the most widely used tactics, as these networks are used to spread both legitimate content and pirate versions of software and games. In all of these cases ransomware infections are spread.

Large-scale attacks may also employ browser hijackers which represent malicious plugins made for the most popular web browsers. They are widely distributed on the repositories belonging to the most popular web browsers. The hackers behind the hijacker will utilize fake user reviews and developer credentials in order to coerce the victims into installing them. Promises of new feature additions and optimizations will be offered.

.fuck Ransomware – Detailed Analysis

The captured .fuck ransomware samples belong to the Globe Imposter malware family. It is very possible that the malicious actors have obtained the source code and created their own custom version with the .fuck extension by themselves. Another option is to order them from the underground markets. This means that updates to its engine are expected.

The preliminary analysis reveals that it incorporates many of the features found within advanced threats. As soon as it is deployed onto the victim machines it will immediately attempt to infect the systems with a stealth bypass. This means that the virus files will look for security software and system services that can delete it. It will use various techniques in order to bypass and evade detection by them; in the end they will usually be either deleted or reconfigured to a non-working state. After a successful intrusion the .fuck ransomware engine will continue with data harvesting. Two groups of information will be extracted:

  • Personal Information — The harvested information can be used to directly expose the identity of the users. The engine will collect data such as their name, address, phone number and any stored account credentials. This is possible as the virus will obtain access to the hard disk contents, operating system services and Windows Registry.
  • Campaign Metrics and Victim ID Information — The .fuck ransomware engine can construct a unique ID that is associated with every infected machine. Most of them are made by utilizing an algorithm taking the input values from a generated report of the installed hardware components. Other information that can be hijacked includes user settings, regional-set preferences and operating system conditions.

As soon as these steps have completed the .fuck ransomware will have obtained access to the whole system enabling it to cause various changes to the infected machines.

The main engine can create many processes and hook up to existing ones, including services and system applications. Common modifications include changes to the Windows Registry, which can impact both operating system services and third-party applications. Certain functions can be rendered unusable or whole programs can fail to start altogether. Other consequences include overall performance issues. These modifications are also connected with the persistent installation type. If this is done the malware will be started as soon as the computer is started, making manual user removal very difficult.

Ransomware infections, especially advanced strains such as this one, can also lead to the installation of other malware. Typical examples are the following:

  • Trojans — They will not only report the collected information during the data harvesting phase, but also establish a secure connection to a hacker-controlled server. It will be used by the hacker operators to spy on the victims in real-time, steal their files and install other threats.
  • Cryptocurrency Miners — They will download resource-intensive tasks that will take advantage of the available hardware resources. When running they will consume resources such as the CPU, GPU, memory and hard disk space. Upon completion of any of the tasks the hacker operators will receive income in the form of digital currency (usually Bitcoin) that will be wired automatically to their digital wallets.
  • Browser Hijackers — They represent malicious browser plugins that are made compatible with the most popular web browsers. As soon as they are installed they will change the default settings and redirect the users to a hacker-controlled domain.

In addition, the captured .fuck ransomware samples have been found to delete system data such as Shadow Volume Copies and Backups. This will make recovery very difficult unless a backup restore solution is used. Refer to our instructions for more details.

Further updates may bring other changes to the infected computers.

.fuck Ransomware – Encryption Process

The encryption engine will be launched when all modules have finished running. It will use a strong cipher, as is typical of the Globe Imposter family from which it descends. Like previous samples, it uses a built-in list of target file type extensions. Example contents include the following:

  • Archives
  • Backups
  • Databases
  • Images
  • Music
  • Videos

All victim files will be renamed with the .fuck extension and the associated ransomware note will be crafted in a file called README_BACK_FILES.htm. We have also received reports that the same virus can also encrypt files with the .gsg extension. This is evidence that several attack campaigns may be running at once.
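To scope an infection from the indicators above, the following added example (not code from the original article) walks a directory tree and reports, per folder, the files carrying the .fuck or .gsg extension and whether a README_BACK_FILES.htm note is present. The function names and the sample tree are constructed for illustration, and it assumes the extension is appended after the original file name.

```python
import os
import tempfile
from collections import defaultdict

ENCRYPTED_EXTS = (".fuck", ".gsg")      # extensions named in the article
NOTE_NAME = "readme_back_files.htm"     # ransom note name, lower-cased for comparison

def triage(root):
    """Return {relative_dir: {"encrypted": [...], "intact": n, "note": bool}}."""
    report = defaultdict(lambda: {"encrypted": [], "intact": 0, "note": False})
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in sorted(files):
            lower = name.lower()
            if lower == NOTE_NAME:
                report[rel]["note"] = True
            elif lower.endswith(ENCRYPTED_EXTS):
                # Assumption: the extension is appended to the original name,
                # so stripping it gives the name to look for in backups.
                report[rel]["encrypted"].append(os.path.splitext(name)[0])
            else:
                report[rel]["intact"] += 1
    return dict(report)

def affected(report):
    """Directories that hold renamed files or a ransom note."""
    return sorted(d for d, e in report.items() if e["encrypted"] or e["note"])

def demo():
    """Build a constructed sample tree (empty files only) and triage it."""
    layout = {
        "docs": ["budget.xlsx.fuck", "notes.txt.FUCK", "README_BACK_FILES.htm"],
        "photos": ["cat.jpg.gsg", "dog.jpg"],
        "tools": ["setup.exe"],
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, names in layout.items():
            os.makedirs(os.path.join(root, folder))
            for name in names:
                open(os.path.join(root, folder, name), "w").close()
        return triage(root)

if __name__ == "__main__":
    result = demo()
    for d in affected(result):
        e = result[d]
        print(f"{d}: {len(e['encrypted'])} renamed, {e['intact']} intact, note={e['note']}")
```

Run `triage()` against a mounted copy of the affected disk rather than the live system, and compare the recovered original names with what your backups contain.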

The ransomware note will begin with the unique infection ID, after which the following content is written:



To recover data you need decryptor.

To get the decryptor you should:
Send 1 crypted test image or text file or document to [email protected] ||| [email protected]
In the letter include your personal ID (look at the beginning of this document).
We will give you the decrypted file and assign the price for decryption all files

We can decrypt one file in quality the evidence that we have the decoder.


Do not contact other services that promise to decrypt your files, this is fraud on their part ! They will buy a decoder
from us, and you will pay more for his services. No one, except [email protected] ||| [email protected], will decrypt your files.

Only [email protected] ||| [email protected]
Antivirus programs can delete this document and you can not contact us later.
Attempts to self-decrypting files will result in the loss of your data

Remove .fuck Ransomware and Try to Restore Data

If your computer system got infected with the .fuck ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
