Remove New Globe / Purge Ransomware and Restore .GSupport3 Files

As soon as the first variant of Globe ransomware was decrypted successfully by malware researchers, its creators released two new versions of the virus that include multiple modifications – Globe2 ransomware and a new third variant of Globe. The new variant marks the files it encrypts with the file extension .GSupport3 and has already been added to the signature databases of most anti-malware programs. In this article, we show how to remove this iteration of Globe using the .GSupport3 file extension and how to try to restore your files if they have been encrypted.

Threat Summary


Name: New Globe
Short Description: The malware encrypts users' files with an encryption cipher, adds its custom extension, and drops a ransom note requesting a ransom of 0.8 BTC for the decryption of the files.
Symptoms: The user may witness ransom notes and Globe “instructions” linking to a web page and a decryptor. File names are changed and the file extension .GSupport is used.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool: See If Your System Has Been Affected by New Globe.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Globe/Purge Ransomware – In-Depth Analysis

Since this type of virus is reported to be an evolved variant of the JigSaw ransomware that was put up for sale on the black market, its distributors may use the same tactics as with the previous versions.

Distribution of Globe

These tactics are connected primarily with the active spreading of spam e-mails via third-party spamming services. The spammed e-mails may carry attachments that pretend to be legitimate files:

  • Pictures.
  • Adobe documents.
  • Microsoft Office documents.
  • Fake program setups.

These types of files may be presented in the body of the e-mail as files that are urgent to open, such as invoices, cancelled bank account documents and other “motivators” to get the user to click on them.

As soon as the files are opened, the virus using the .GSupport extension may download or extract its payload in an obfuscated manner to avoid detection by antivirus programs. The payload may be under different names and in different Windows folders, for example:

[Image: commonly used file names and folders]

In addition to this, the payload of the virus has additional information on the type of file used for infection:


New Globe .GSupport Ransomware – Post Infection Activity

After infecting the unsuspecting victim, the new variant of Globe may modify registry sub-keys so that the malicious file runs every time Windows boots and encrypts files. This is achieved by adding values with custom data in the following registry keys:


After this, this version of Globe may begin to encrypt user files. The virus may be pre-configured to detect any file extension associated with files that are often used, for example:


The malware uses its distinctive .GSupport file extension after it encrypts the files and they look like the following:


In addition to this, the files encrypted by this ransomware virus can no longer be opened, and Globe drops its ransom note to demand 0.8 BTC, which is approximately 500 dollars, from the user of the infected computer:

Image Source: Twitter

New Globe Ransomware – Remove and Restore .GSupport Encrypted Files

It is strongly recommended to focus immediately on removing this iteration of Globe from your computer. Malware researchers recommend not paying the ransom, since a decryptor may be released for free very soon.

To remove Globe Ransomware, make sure that you follow the instructions below. They are designed to help you remove the malicious files of the virus. For maximum effectiveness, malware research experts strongly recommend using advanced anti-malware software for the removal process. It will make sure all of the files and registry entries that are related to Globe are safely gone for good.

In order to restore your files, we advise you first to back them up online. For more information on how to back up your files safely, please read the article below:

Related Article: Safely Store Your Important Files and Protect Them from Malware

If you want to decrypt your files, besides trying the alternative methods in the instructions below, we urge you to try and use the information from the article below:

Related Article: Decrypt File Encrypted by Globe Purge Ransomware
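
The following is an added example, not part of the original article or of any tool it mentions: before cleanup and backup, the encrypted files can be inventoried with their sizes and SHA-256 hashes, so that a backup copy kept for a future decryptor can be verified as complete and unchanged. The function names and sample file names are hypothetical; the only value taken from the article is the .GSupport3 extension.

```python
import hashlib
import os
import tempfile

ENCRYPTED_EXT = ".gsupport3"  # extension named in the article; matched case-insensitively


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large encrypted files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory(root):
    """Map each encrypted file (path relative to root) to (size, sha256)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root)
                try:
                    manifest[rel] = (os.path.getsize(full), sha256_of(full))
                except OSError:
                    manifest[rel] = (None, None)  # unreadable, but still listed
    return manifest


def verify_copy(manifest, backup_root):
    """Return relative paths whose backup copy is missing or differs from the manifest."""
    bad = []
    for rel, (_size, digest) in manifest.items():
        copy = os.path.join(backup_root, rel)
        if digest is None or not os.path.isfile(copy) or sha256_of(copy) != digest:
            bad.append(rel)
    return sorted(bad)


if __name__ == "__main__":
    # Constructed sample tree (hypothetical names): two "encrypted" files, one untouched.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs"))
        samples = [(os.path.join("docs", "report.docx.GSupport3"), b"aa"),
                   ("photo.jpg.gsupport3", b"bbb"), ("notes.txt", b"c")]
        for rel, data in samples:
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        for rel, (size, digest) in sorted(inventory(root).items()):
            print(size, digest, rel)
```

Run inventory() from a clean environment against the affected drive, copy the listed files to the backup location, then call verify_copy() with the backup root; an empty list means every encrypted file was preserved intact.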


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
