Remove Globe Ransomware and Restore .Purge Encrypted Files - How to, Technology and PC Security Forum


One of the Purge ransomware variants, the Globe virus has begun infecting PCs and encrypting their files, after which it appends the .purge extension to the encoded files. The AES-256 encryption algorithm may be used by the Globe malware to scramble user files. In addition, Globe ransomware may use Cipher Block Chaining mode, which breaks the encrypted files if the user tries to decode them. Globe ransomware may also demand a ransom payment for the decryption of these files, and it may do so via a service known as Bitmessage. Anyone who has become a victim of this ransom virus is strongly advised to read this article thoroughly, remove Globe ransomware, and then try the methods suggested below to restore the files.

Image Source: BleepingComputer

Threat Summary


Name: Globe Ransomware

Short Description: Globe ransomware may encrypt users’ files with a strong AES-256 encryption algorithm and after that drops a “How to restore files.hta” file with ransom instructions.
Symptoms: Files with removed icons that cannot be opened with any software and have the .purge file extension.
Distribution Method: Via an Exploit kit, JavaScript attack or Trojan.Downloader.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Globe Ransomware – Spreading Methods

To infect as many users as possible, Globe ransomware may use phishing e-mails and spread them via spam e-mail campaigns. For those who are unfamiliar, phishing e-mails imitate original e-mails sent out by legitimate companies or individuals to fool users into opening an attachment or visiting a web link.

Here are some of the e-mail topics that may spread Globe Ransomware:

“The bank account has been discontinued.”
“Your payment has been confirmed.”
“We have started to process your order.”

The attachments associated with these e-mails may pretend to be legitimate files, such as Microsoft Office documents, Adobe Reader files, and others, to appear trustworthy and increase the likelihood that the user opens them.

Globe Ransomware More Information

As soon as Globe Ransomware has been activated on the user's PC, it may connect to a remote host and download its payload onto the computer. The payload contains a malicious executable and a .hta file but may contain other support modules as well. The malicious file may be dropped in several different Windows folders under different names. The usually targeted folders are:

(Image: commonly used file names and folders)

After this has been done, Globe Ransomware may set its malicious files to run on startup. This may happen if the virus drops its file in:

→C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

The virus may also modify the Windows Registry, adding value strings that run its executable in the following registry keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Globe Ransomware also executes the following commands in Windows Command Prompt without the user noticing:

→vssadmin.exe Delete Shadows /All /Quiet
bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
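
The three commands above leave a recognisable trace in process-creation logs, so they can be matched on the defender's side. The following is an added example, not part of the original article: it assumes a constructed log format of timestamp, host and command line, and the rule names, host names and sample lines are made up for illustration.

```python
import re
from collections import defaultdict

# One rule per command listed above. Matching is case-insensitive and tolerates
# a missing ".exe", a quoted full path and extra whitespace.
RULES = {
    "shadow_copy_deletion": re.compile(
        r'\bvssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.I),
    "recovery_disabled": re.compile(
        r'\bbcdedit(?:\.exe)?"?\s+/set\s.*\brecoveryenabled\s+no\b', re.I),
    "boot_failures_ignored": re.compile(
        r'\bbcdedit(?:\.exe)?"?\s+/set\s.*\bbootstatuspolicy\s+ignoreallfailures\b',
        re.I),
}

# Constructed sample records: "<timestamp> <host> <command line>".
SAMPLE_LOG = r'''
2024-01-01T10:01:02Z WS-041 cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
2024-01-01T10:01:03Z WS-041 bcdedit.exe /set {default} recoveryenabled No
2024-01-01T10:01:03Z WS-041 BCDEDIT  /set {default} bootstatuspolicy ignoreallfailures
2024-01-01T10:05:00Z WS-007 vssadmin.exe list shadows
2024-01-01T10:06:00Z SRV-02 "C:\Windows\System32\vssadmin.exe" delete shadows /for=C: /oldest
'''

def scan(log_text):
    """Return {host: set of rule names} for every record that matches a rule."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(None, 2)          # timestamp, host, command line
        if len(parts) < 3:
            continue
        _, host, cmdline = parts
        for name, rx in RULES.items():
            if rx.search(cmdline):
                hits[host].add(name)
    return dict(hits)

def triage(hits):
    """Shadow-copy deletion plus a recovery change on one host rates 'high'."""
    levels = {}
    for host, names in hits.items():
        combined = "shadow_copy_deletion" in names and len(names) > 1
        levels[host] = "high" if combined else "review"
    return levels

if __name__ == "__main__":
    for host, level in sorted(triage(scan(SAMPLE_LOG)).items()):
        print(host, level)
```

A lone shadow-copy deletion is rated "review" rather than "high" because administrators also prune old shadow copies; the combination with the bcdedit changes is what matches the behaviour described here.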

After this has been done and its encryption file is run, Globe ransomware begins to encrypt the files of affected users. The files that have been reported to be affected are primarily videos, picture files, database files, audio files, files belonging to Microsoft Office and other objects associated with different programs that are often used.

The files that have been encrypted by Globe Ransomware are reported to have the .purge extension appended, suggesting that Purge ransomware may have been uploaded for sale in the deep web forums, or the team behind it may have released another variant. Either way, encrypted files may look like the following:


Since Globe ransomware is very similar to Purge ransomware, it may also use a very powerful AES-256 encryption algorithm in combination with an RSA cipher that locks the decryption key generated after the process is complete.

In addition, there is the likelihood of Globe Ransomware using an advanced encryption mechanism known as CBC (Cipher Block Chaining). This is a type of encryption mode that structures the encrypted files in a block chain, and if a user begins to tamper with them and their structure, the encrypted files may become permanently corrupt, making decryption 100% impossible even if you pay the ransom.

Globe Ransomware – Conclusion, Removal, and File Restoration Methods

To delete Globe ransomware completely from your computer, we advise you to carefully follow the step-by-step instructions posted below and remove this threat methodically. For maximum effectiveness, malware researchers advise removing Globe Ransomware by using an advanced anti-malware tool that will automatically find any objects dropped by it, permanently remove them, and protect your computer in the future.

It is dangerous to attempt to decrypt files encrypted by Globe ransomware directly. This is why we advise making copies or backups of the encrypted files and trying different decryptors on those copies instead of risking damage to the originals. You may also find more information and file restoration methods if you click on step “3. Restore files encrypted by Globe Ransomware” below.
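
One way to make those copies before trying any decryptor, as an added example that is not part of the original article: the Python code below copies every .purge file and ransom note into a separate folder, reads the originals without modifying them, and records a SHA-256 hash for each copy. The function names and the MANIFEST.sha256 file name are assumptions chosen for illustration.

```python
import hashlib
import shutil
from pathlib import Path

ENCRYPTED_SUFFIX = ".purge"                 # extension named in this article
RANSOM_NOTE = "How to restore files.hta"    # note file named in this article

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large encrypted files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def preserve_encrypted(root, backup):
    """Copy .purge files and ransom notes under `root` into `backup`.

    Originals are only read, never modified. Returns a manifest of
    (relative path, sha256) pairs; a copy whose hash differs raises.
    """
    root, backup = Path(root).resolve(), Path(backup).resolve()
    backup.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in sorted(root.rglob("*")):     # sorted() snapshots the tree first
        if backup in src.parents or src.is_symlink() or not src.is_file():
            continue                        # skip the backup itself and links
        name = src.name.lower()
        if not (name.endswith(ENCRYPTED_SUFFIX) or name == RANSOM_NOTE.lower()):
            continue
        rel = src.relative_to(root)
        dst = backup / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)              # keeps timestamps for later analysis
        digest = sha256_of(src)
        if sha256_of(dst) != digest:
            raise IOError(f"copy of {rel} does not match the original")
        manifest.append((rel.as_posix(), digest))
    (backup / "MANIFEST.sha256").write_text(
        "".join(f"{d}  {p}\n" for p, d in manifest), encoding="utf-8")
    return manifest
```

Run decryptors only against the files in the backup folder; the manifest lets you confirm afterwards that the preserved copies still match what was on disk.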


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
