As soon as the first variant of Globe ransomware was decrypted successfully by malware researchers, its creators released two new versions of the virus that include multiple modifications: Globe2 ransomware and a new third variant of Globe. The new variant appends the .GSupport3 file extension to the files it encrypts and has already been added to most anti-malware programs’ signature databases. In this article, we will show you how to remove this iteration of Globe, which uses the .GSupport3 file extension, and how to try to restore your files if they have been encrypted.
| Short Description | The malware encrypts users’ files with an encryption cipher and adds its custom extension, as well as a ransom note in which it requests users to pay a ransom amount of 0.8 BTC for the decryption of the files. |
| Symptoms | The user may witness ransom notes and Globe “instructions” linking to a web page and a decryptor. File names are changed and the .GSupport file extension is used. |
| Detection Tool | See If Your System Has Been Affected by New Globe. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive. |
Globe/Purge Ransomware – In-Depth Analysis
Distribution of Globe
The distribution tactics are connected primarily with the active spreading of spam e-mails via third-party spamming services. The files in the spammed e-mails may pretend to be legitimate:
- Adobe documents.
- Microsoft Office documents.
- Fake program setups.
These types of files may be presented in the body of the e-mail as files that are urgent to open, such as invoices, cancelled bank account documents and other “motivators” to get the user to click on them.
As soon as the files are opened, the virus using the .GSupport extension may download or extract its payload in an obfuscated manner to avoid detection by antivirus programs. The payload may be under different names and in different Windows folders, for example:
In addition to this, the payload of the virus has additional information on the type of file used for infection:
New Globe .GSupport Ransomware – Post Infection Activity
After infecting the unsuspecting victim, the new variant of Globe may modify registry sub-keys to make the malicious file run every time Windows boots up and to encrypt files. This is achievable by adding custom data to values in the following registry keys:
After this, this version of Globe may begin to encrypt user files. The virus may be pre-configured to detect any file extension associated with files that are often used, for example:
The malware uses its distinctive .GSupport file extension after it encrypts the files and they look like the following:
In addition to this, the files that are encrypted by this ransomware virus can no longer be opened, and Globe drops its ransom note to demand 0.8 BTC, which is approximately 500 dollars, from the user of the infected computer:
New Globe Ransomware – Remove and Restore .GSupport Encrypted Files
It is strongly recommended to immediately focus on removing this iteration of Globe from your computer. Malware researchers recommend against paying the ransom, since a decryptor may be released for free very soon.
To remove Globe Ransomware, make sure that you follow the instructions below. They are designed to help you remove the malicious files of the virus. For maximum effectiveness, malware research experts strongly recommend using advanced anti-malware software for the removal process. It will make sure all of the files and registry entries that are related to Globe are safely gone for good.
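Before removal and restoration, it helps to know which files carry the extension described above. The following is an added example, not part of the original article or any vendor tool: a read-only Python scan that inventories files ending in .GSupport or .GSupport3 and reports how many sit in each folder and the time window in which they were last written. The function names and the sample file names are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

# Extensions named in this article; matched case-insensitively.
GLOBE_EXTENSIONS = (".gsupport", ".gsupport3")

def find_marked_files(root, extensions=GLOBE_EXTENSIONS):
    """Return (path, mtime) for every file under root ending in a listed extension."""
    suffixes = tuple(e.lower() for e in extensions)
    hits = []
    # onerror ignores unreadable folders so one access failure does not stop the scan
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                try:
                    hits.append((path, os.stat(path).st_mtime))
                except OSError:
                    continue  # file vanished or is locked; skip it
    return hits

def summarize(hits):
    """Count hits per folder and give the earliest and latest modification time (UTC)."""
    per_dir = Counter(os.path.dirname(path) for path, _ in hits)
    times = [mtime for _, mtime in hits]

    def to_utc(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()

    window = (to_utc(min(times)), to_utc(max(times))) if times else None
    return {"total": len(hits), "per_dir": dict(per_dir), "window_utc": window}

if __name__ == "__main__":
    # Constructed sample tree so the script runs without touching real data.
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in ("report.docx.GSupport3", "photo.jpg.gsupport", "notes.txt"):
            open(os.path.join(docs, name), "w").close()
        print(summarize(find_marked_files(root)))
```

The scan only reads directory listings and file metadata, so it can be run against a mounted copy of the affected drive before any cleanup changes the files.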
In order to restore your files, first, we advise you to back them up online. For more information on how to back up your files safely, please read the article below:
Related Article: Safely Store Your Important Files and Protect Them from Malware
If you want to decrypt your files, besides trying the alternative methods in the instructions below, we urge you to try and use the information from the article below:
Related Article: Decrypt File Encrypted by Globe Purge Ransomware