Curricula - Knowledge - Navigation

The Globeimposter Ransomware

According to Cyware cyber-attacks using the ransomware Globeimposter are becoming more common.

Attacks using Globeimposter, also known as Fake Globe, have been increasing over the course of the year, according to Cyware (2019). However, the ransomware is constantly updated and changed. As such, Globeimposter 2.0 was responsible for 6.5% of all ransomware strains detected between April and September 2019.

The ransomware is mainly spread through e-mail campaigns. As such it is delivered via a Zip file attached to a malicious email. However, there are account of its distribution using exploits, malicious advertising and fake updates.

Once on a computer the ransomware creates three files:

  • %Temp%\qfjgmfgmkj.tmp
  • %Temp%\hjkhkHUhhjp.bat
  • [PATH TO ENCRYPTED FILES]\how_to_back_files.html

By checking for the existence of the first file, the ransomware ensures not to infect a device twice. If the first file is already present, the ransomware will not infect the system while continuing to exist on the device.

Having successfully compromised a computer, the ransomware encrypts all files and deletes their shadow copies. This is followed by a ransom note demanding payment for the decryption of the compromised files. The payment is made in bitcoins and can be anywhere between 1 and 10, according to Cyware (2019). Based on the current exchange rate (21.10.2019) this means between 7.378 to 73.788 Euros. In comparison, the famous wannaCry ransomware , received 327 payments totalling US$130,634.77 by 14 June 2017, having been launched in May 2017, according to  actual ransom.

Thus, on average the wannaCry ransomware extracted around 358 Euros per person, making the Globeimposter a much more expensive ransomware.


Notes: This article is mainly based on a similar Cyware article.

Author: Niklas Hamann


Stewart, Ryan (2019). A Glance at the ever evolving Globeimposter Ransomware. In: Cyware Available at:


ransomware, Globeimposer, cybercrime