.gif File Virus (GlobeImposter) - Remove and Restore Files

.gif File Virus (GlobeImposter) – Remove and Restore Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Security researchers have come across a new iteration of the infamous GlobeImposter ransomware. This latest iteration appends the .gif file extension to the encrypted files. Once the encryption process is over, the .gif ransomware (also referred to as .gif file virus) urges the victim to buy a decryptor at the cost of 0.026 Bitcoin, or approximately $290. The .gif iteration of GlobeImposter gives the victim two days for the payment to be proceeded, as visible on the ransom payment page (see image).

This article provides technical details on the .gif file virus and features possible methods for file decryption that exclude ransom payment. These instructions are situated at the bottom of this page.

Threat Summary

Name.gif File Virus
Short DescriptionThe ransomware encrypts your files, and it shows a ransom note demanding a ransom to be paid in Bitcoin.
SymptomsThis ransomware will encrypt your files and place the .gif extension on each one of them.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by .gif File Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .gif File Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.gif File Virus (GlobeImposter Ransomware) Distribution

The .gif file virus, or the latest iteration of GlobeImposter ransomware, is currently being spread across the Web via spam email messages. However, other distribution methods are also possible. Security researcher Brad has analyzed a Resume.doc file carrying the .gif file virus, and these are the current detections:

Here are some detections of the payload_1.exe file which drops the ransomware on the infected system:

Keep in mind that the ransomware may also be distributed via other methods, including inside freeware packages, social media, file-sharing services. Keep in mind that it is always advisable to scan unknown files before opening them, especially when these files were sent over emails or links. Make sure to check the size and signatures of suspicious files. More ransomware prevention tips are available in our forum.

.gif File Virus (GlobeImposter Ransomware) – Encryption

It is not yet known what file extensions .gif ransomware seeks to encrypt. However, what is known is that all encrypted files will have the .gif extension appended to them. In addition, the encryption algorithm which is used by this iteration of GlobeImposter is currently unknown.

The ransomware could encrypt the following types of files:

  • Audio
  • Video
  • Database
  • Document
  • Picture

It is highly likely that the .gif file virus is developed to erase the Shadow Volume Copies from the system by executing the following command:

vssadmin.exe delete shadows /all /Quiet

The execution of this command makes the encryption process more viable, because one of the main ways for file recovery is entirely eliminated.

As mentioned in the beginning, the ransomware is demanding a ransom payment in the size of 0.026 Bitcoin, or approximately $290.

.gif File Virus (GlobeImposter Ransomware) – Removal

If your computer got infected with the .gif iteration of the GlobeImposter ransomware, it is highly recommended to get rid of this ransomware as quickly as possible before it gets the chance to spread further and infect other computers. Instructions on how to remove the ransomware are provided below. Depending on your own experience in malware removal, you can either remove it manually or rely on an anti-malware program to do it for you.

In addition, there are alternative methods for file recovery that exclude ransom payment. You can find them in the second part of the guide below.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share