A new iteration of the Globe malware family has been detected. The new Globe virus follows the typical infection mechanisms of the malware family and uses the .frmvrlr2017 extension to mark the processed files.
| Short Description | The main goal of the Globe virus is to encrypt sensitive user files and extort the victims for a ransom fee payment. |
| Symptoms | The Globe virus component processes target files and renames them with the .frmvrlr2017 extension. |
| Distribution Method | Spam emails, email attachments, executable files |
Globe virus – Infection Process
The latest Globe virus sample is delivered through the usual tactics common to the malware family. It mainly uses spam email messages that rely on social engineering tricks. The victims receive messages containing links or attachments that pose as files of interest. These can take various forms, including documents that appear to be legitimate content: invoices, letters, contracts, etc. Once opened, a notification asks the victim to run the built-in scripts; if this is done, the Globe virus infection follows. A related trick is to integrate the malware code into software installers. These are made by taking the legitimate setup files from the vendors' official sites and modifying them to include the virus sample. Most often the chosen payloads are popular free or trial versions of software and games.
Various hacker-controlled sites and malicious scripts can be used as an alternative delivery mechanism. These include fake download portals, banners, ads and redirect scripts. Related options also include file-sharing networks such as BitTorrent trackers, where pirated software is usually offered.
The hackers behind the Globe virus can also take advantage of browser hijackers, malicious browser plugins made for the most popular web browsers: Mozilla Firefox, Google Chrome, Safari, Opera and Microsoft Edge.
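A practical check for the attachment trick described above, added here as an example that is not part of the original article: documents that ask the user to "run the built-in scripts" are typically zip-based Office files carrying a VBA macro part. The script below assumes the attachment is an OOXML container and treats the presence of a vbaProject.bin part as the macro indicator; the sample documents it builds are constructed in memory and are not real attachments. A mail gateway or triage job can use the same check to flag such a file before anyone opens it.

```python
import io
import zipfile
from typing import List

# Zip-based Office documents (docx/docm/xlsm/pptm ...) store VBA macros in a part named
# vbaProject.bin; this check treats the presence of such a part as the macro indicator.
MACRO_PART_NAME = "vbaproject.bin"


def find_macro_parts(data: bytes) -> List[str]:
    """Return the names of macro-bearing parts in an OOXML container.

    data is the raw file content. Anything that is not a zip file (e.g. a legacy OLE2 .doc)
    yields [] because this check only covers the zip-based formats.
    """
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return []
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(MACRO_PART_NAME)]


def contains_macros(data: bytes) -> bool:
    """True when the document carries at least one VBA project part, whatever its extension."""
    return bool(find_macro_parts(data))


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal zip imitating a Word document, not a real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder vba stream\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("invoice_clean.docx", build_sample(False)),
                          ("invoice_macro.docx", build_sample(True))):
        verdict = "FLAG: contains macros" if contains_macros(sample) else "no macro part"
        print(f"{label}: {verdict} {find_macro_parts(sample)}")
```

Because the check goes by content rather than file name, a macro-enabled document renamed to .docx is still caught. Legacy binary .doc and .xls attachments are OLE2 files, not zip containers, and need an OLE parser (for example olevba from the oletools package); this example does not cover them.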
Globe virus – Analysis and Activity
The Globe virus identified by the .frmvrlr2017 extension is a new sample descended from the Globe malware family. It appears that an unknown hacker or criminal collective has taken the original code and customized it. The full security analysis is not yet complete, but we assume that it follows the same behavior patterns as previous iterations.
Newer versions of the threat may include a stealth protection feature that can bypass security software and various system countermeasures. Examples include anti-virus products, sandbox environments, debuggers and virtual machine hosts. The Globe virus engine can be programmed to bypass or entirely delete them. Advanced strains can remove themselves if they are unable to do so, in order to evade detection.
The next component that can be launched is the information gathering module, which collects important data. The harvested data is usually classified into two main groups. The first is made up of anonymous data that mainly concerns the hardware components and operating system configuration values. The second contains mainly personal data: information that can reveal the victim's identity, such as name, location, address, age, interests, passwords and account credentials.
Follow-up malware actions can include system changes such as modifications to the Windows Registry. As a result some services and applications can stop working, and serious performance issues can be caused. Modifications to the Windows Volume Manager can also give the malware access to removable storage devices and network shares. A network connection to the hacker-controlled servers can allow the criminals to retrieve files before they are encrypted by the ransomware engine, and can also be used to deliver additional malware. The Globe virus can also install itself in a system folder under a false name.
Globe virus – Encryption Process
Once all components have finished execution, the ransomware engine is started. Like previous Globe malware family samples, it processes target files with a strong cipher (AES and RSA). Usually the target user data consists of the following file types:
Once this is done, all processed files receive the .frmvrlr2017 extension. A ransomware note is generated as an application frame, a mechanism used by some of the advanced ransomware strains. The idea behind it is that the frame blocks normal user interaction with the computer until the virus is completely removed. It shows a message in Turkish that follows the usual template used by the malware engine, blackmailing the victims for a ransom fee.
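The renaming described above gives a defender a simple triage signal. The following script is an added example, not the article's own code and not the malware's: it walks a directory for files carrying the .frmvrlr2017 marker, groups them by the extension they had before the marker was appended, and measures each file's byte entropy to separate files that were actually encrypted from ones that were merely renamed. The entropy cut-off of 7.0 bits per byte and the sample tree it builds in a temporary directory are constructed assumptions for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

MARKER_EXT = ".frmvrlr2017"  # extension the article reports on processed files
ENTROPY_THRESHOLD = 7.0      # assumed cut-off: AES ciphertext approaches 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_marked_files(root: Path) -> List[Path]:
    """All regular files under root whose name ends with the ransomware marker."""
    return sorted(p for p in root.rglob("*" + MARKER_EXT) if p.is_file())


def original_suffix(path: Path) -> str:
    """'report.docx.frmvrlr2017' -> '.docx': the extension the file had before the marker."""
    return Path(path.name[: -len(MARKER_EXT)]).suffix or "(none)"


def triage(root: Path) -> Dict[str, object]:
    """Count marked files, group them by original type and flag the high-entropy ones."""
    marked = find_marked_files(root)
    by_type = Counter(original_suffix(p) for p in marked)
    encrypted = [p for p in marked if shannon_entropy(p.read_bytes()) >= ENTROPY_THRESHOLD]
    return {
        "count": len(marked),
        "by_type": dict(by_type),
        "high_entropy": len(encrypted),
        "renamed_only": [p.name for p in marked if p not in encrypted],
    }


def build_sample_tree() -> Path:
    """Constructed sample directory (not data from a real infection): two files filled with
    random bytes standing in for ciphertext, one file that only got renamed, one untouched file."""
    root = Path(tempfile.mkdtemp(prefix="globe_triage_"))
    (root / "docs").mkdir()
    (root / "docs" / ("report.docx" + MARKER_EXT)).write_bytes(os.urandom(4096))
    (root / ("photo.jpg" + MARKER_EXT)).write_bytes(os.urandom(4096))
    (root / ("readme.txt" + MARKER_EXT)).write_bytes(b"A" * 2048)  # renamed, not encrypted
    (root / "notes.txt").write_text("untouched plaintext\n")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"{result['count']} marked files, {result['high_entropy']} look encrypted")
    print("by original type:", result["by_type"])
    print("renamed only:", result["renamed_only"])
```

The entropy check matters during recovery: a file that carries the marker but still has low entropy was not actually encrypted and can simply be renamed back, whereas a high-entropy file needs the key or a backup. Already-compressed formats (archives, JPEG, video) are high-entropy even when untouched, so for those the extension marker, not the entropy, is the reliable signal.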
How to Remove Globe virus and Restore .frmvrlr2017 Encrypted Files
To make sure that this malware is permanently gone from your computer, you should follow the manual or automatic removal instructions below. If you have experience in removing ransomware manually, we advise you to focus on the first two steps of the manual removal and to look for the registry entries explained in the analysis part above. Otherwise, if you want a faster, more automatic solution and lack the expertise in malware removal, we urge you to download an advanced anti-malware program, which aims to perform the removal of Globe ransomware automatically and secure your computer against future infections in real time.
If you want to restore files that have been encrypted by this ransomware infection, we advise you to try the alternative file recovery tools below in step “2. Restore files encrypted by .frmvrlr2017 Files Virus”. They cannot guarantee that you will recover all of the files, but if you haven't reinstalled your OS already, there is a good chance that you might restore them.