Security researchers have come across a new iteration of the infamous GlobeImposter ransomware. This latest iteration appends the .gif file extension to the encrypted files. Once the encryption process is over, the .gif ransomware (also referred to as .gif file virus) urges the victim to buy a decryptor at the cost of 0.026 Bitcoin, or approximately $290. The .gif iteration of GlobeImposter gives the victim two days for the payment to be proceeded, as visible on the ransom payment page (see image).
This article provides technical details on the .gif file virus and features possible methods for file decryption that exclude ransom payment. These instructions are situated at the bottom of this page.
|Name||.gif File Virus|
|Short Description||The ransomware encrypts your files, and it shows a ransom note demanding a ransom to be paid in Bitcoin.|
|Symptoms||This ransomware will encrypt your files and place the .gif extension on each one of them.|
|Distribution Method||Spam Emails, Email Attachments|
|Detection Tool|| See If Your System Has Been Affected by .gif File Virus |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss .gif File Virus.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
.gif File Virus (GlobeImposter Ransomware) Distribution
The .gif file virus, or the latest iteration of GlobeImposter ransomware, is currently being spread across the Web via spam email messages. However, other distribution methods are also possible. Security researcher Brad has analyzed a Resume.doc file carrying the .gif file virus, and these are the current detections:
Here are some detections of the payload_1.exe file which drops the ransomware on the infected system:
Keep in mind that the ransomware may also be distributed via other methods, including inside freeware packages, social media, file-sharing services. Keep in mind that it is always advisable to scan unknown files before opening them, especially when these files were sent over emails or links. Make sure to check the size and signatures of suspicious files. More ransomware prevention tips are available in our forum.
.gif File Virus (GlobeImposter Ransomware) – Encryption
It is not yet known what file extensions .gif ransomware seeks to encrypt. However, what is known is that all encrypted files will have the .gif extension appended to them. In addition, the encryption algorithm which is used by this iteration of GlobeImposter is currently unknown.
The ransomware could encrypt the following types of files:
It is highly likely that the .gif file virus is developed to erase the Shadow Volume Copies from the system by executing the following command:
vssadmin.exe delete shadows /all /Quiet
The execution of this command makes the encryption process more viable, because one of the main ways for file recovery is entirely eliminated.
As mentioned in the beginning, the ransomware is demanding a ransom payment in the size of 0.026 Bitcoin, or approximately $290.
.gif File Virus (GlobeImposter Ransomware) – Removal
If your computer got infected with the .gif iteration of the GlobeImposter ransomware, it is highly recommended to get rid of this ransomware as quickly as possible before it gets the chance to spread further and infect other computers. Instructions on how to remove the ransomware are provided below. Depending on your own experience in malware removal, you can either remove it manually or rely on an anti-malware program to do it for you.
In addition, there are alternative methods for file recovery that exclude ransom payment. You can find them in the second part of the guide below.