Globe Ransomware

Posted: August 24, 2016

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Ranking:	19,918
Threat Level:	10/10
Infected PCs:	116,220

First Seen:	August 24, 2016
Last Seen:	February 13, 2025
OS(es) Affected:	Windows

The Globe Ransomware is a Trojan that uses the infected PC's files for enacting hostage-ransoming scenarios. Data is held hostage by an encryption attack that also may cause incidental damage to your installed programs or operating system. Taking any steps suitable for disabling the Trojan's attacks and using anti-malware programs to delete the Globe Ransomware automatically is the recovery strategy malware experts recommend, in contrast to the risk of paying its ransom.

The Other Dangers of a Blowfish Attack

In addition to being a toxic species of fish, security analysts also know of Blowfish as an alternative data ciphering algorithm. It maintains a high level of effectiveness against decryption efforts but is less common in usage than AES. The Globe Ransomware is one of the few samples of file-encrypting Trojans that malware experts can confirm as using Blowfish, which is unsuitable for large files notably (several gigabytes or more in size). However, the encryption technique's limitations do little to reduce the potential damages of a corrupted file-encrypting attack.

The Globe Ransomware uses English-based extortion communications but regionally appears to be targeting Central Asian nations, such as Afghanistan. Its payload includes two formats of ransom messages with slightly differing contents, one of which includes extra payment details, the other of which the Globe Ransomware locks to your desktop as its background. However, its primary attack and symptoms are related to encryption:

The Globe Ransomware uses the Blowfish cipher to modify the data of your files, encrypting them and stopping other programs from interpreting their contents correctly. Although Blowfish uses a much smaller block size compared to AES-256, it's equally viable for the practical purpose of preventing a PC's owner from accessing small documents, images, music and similar information. The attack may be re-initiated after the system restarts, causing increasingly more content to be attacked.
It also renames the enciphered content with the insertion of an e-mail address (as a means of ransom communications).
The Globe Ransomware also deletes local Windows backups (known as Shadow Copies) to deprive its victims of the most on-hand method of recovering any files.
Various Windows security and recovery features can become disabled, including Windows Startup Repair.

Smashing a the Globe of File-Encrypting Venom

The Globe Ransomware follows with many of the trends in file encryption Trojans today, including preferring Bitcoin ransoms, relying on e-mail messages heavily, and targeting narrow regions of the world. Although using Blowfish is a technically notable feature, this difference provides little hope of vulnerabilities that could help a victim recover encrypted content through free methods. PC owners that invested in their data always should take the proper steps for protecting it, including using backups out of the reach of Trojans like the Globe Ransomware.

When security software doesn't block it preemptively, the Globe Ransomware's symptoms are highly visible. Malware experts haven't confirmed evidence of its infection methods, which could include e-mail attachments, drive-by-downloads hosted in malvertising content, or 'brute force' attacks against poorly protected networks. All of these methods are blockable by standard security protocols that are less difficult than decrypting a Blowfish cipher significantly.

Between common security standards and having anti-malware equipment for removing the Globe Ransomware on sight, paying a con artist a fee to get your data back is the worst option available clearly.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Globe Ransomware may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner*

* See Free Trial offer below. EULA and Privacy/Cookie Policy. * See Free Trial offer below. EULA and Privacy/Cookie Policy.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%ALLUSERSPROFILE%\!!! READ THIS - IMPORTANT !!!.hta

File name: !!! READ THIS - IMPORTANT !!!.hta
Size: 4.48 KB (4488 bytes)
MD5: 2b7bd31fd3447cd1b0e0bdfd690b0740
Detection count: 1,035
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%
Group: Malware file
Last Updated: August 23, 2017

%LOCALAPPDATA%\HOW_OPEN_FILES.hta

File name: HOW_OPEN_FILES.hta
Size: 9.82 KB (9826 bytes)
MD5: e3b9bb7ca0576dfe90e94aac1d333630
Detection count: 176
Mime Type: unknown/hta
Path: %LOCALAPPDATA%
Group: Malware file
Last Updated: April 15, 2017

%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\How to restore files.hta

File name: How to restore files.hta
Size: 4.01 KB (4014 bytes)
MD5: 503478dce7398eac1ce8cc7db0fea7b9
Detection count: 82
Mime Type: unknown/hta
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: August 23, 2017

%LOCALAPPDATA%\trust.exe

File name: trust.exe
Size: 64.51 KB (64512 bytes)
MD5: 668c83c1f7f13259ab5d1699ea24d17f
Detection count: 46
File type: Executable File
Mime Type: unknown/exe
Path: %LOCALAPPDATA%
Group: Malware file
Last Updated: September 1, 2016

file.exe

File name: file.exe
Size: 28.95 KB (28952 bytes)
MD5: a464f7bc0431292d74ad66403efbf691
Detection count: 15
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

More files

Registry Modifications

The following newly produced Registry Values are:

File name without pathHow To Recover Encrypted Files.htaHow To Recover Encrypted Files.htmlHow to restore files.htaHOW_OPEN_FILES.htaRead Me Please.htaHKEY..\..\..\..{RegistryKeys}Software\Microsoft\Windows\CurrentVersion\Run\How To Recover Encrypted Files