Globeimposter 2.0 Ransomware Removal Guide

Do you know what Globeimposter 2.0 Ransomware is?

Globeimposter 2.0 Ransomware is the new version of an infection that goes by the same name. After researching this new variant, our research team has come to a conclusion that several different versions of this threat exist. We discuss the differences later in this report. This particular infection has the potential to delete shadow volume copies, which, unfortunately, means that once the files are encrypted, they cannot be recovered from a system backup. On the other hand, if your files are backed up online or on an external drive, there is no doubt that you can recover them. Of course, you should do that after you remove Globeimposter 2.0 Ransomware. In case your files are not backed up, you might be unable to recover them at all. Even if you follow the demands introduced to you via the ransom note down to a tee, you are unlikely to get your files restored.

Were you files encrypted soon after you opened a suspicious spam email attachment or downloaded an unfamiliar program? You should be able to link the attack to something because Globeimposter 2.0 Ransomware cannot appear out of nowhere. Unfortunately, the encryption process is silent, and the victim realizes that their files were corrupted only after they discover that their files are unreadable and after the ransom notes become available. As mentioned before, there are at least two different versions of this threat. The first one appends the “.pizdec” extension, and the ransom note file it creates is called “how_to_open_files.html”. This file represents an ID number and a demand to pay 10 BTC (currently, this converts to 34,956 USD or 29,710 EUR). You are asked to transfer this ridiculously huge ransom to 17JW8hLDrnnAiRjcavsrnicUSkFCLFofwK. At the time of research, 26 transactions had been made to this Bitcoin Wallet, accumulating to 50.255 BTC. After paying the ransom, the victims of this version of Globeimposter 2.0 Ransomware are also asked to send the screenshot of the payment to Instead of following these instructions, you should remove the infection.Globeimposter 2.0 Ransomware Removal GuideGlobeimposter 2.0 Ransomware screenshot
Scroll down for full removal instructions

The second version of the malicious Globeimposter 2.0 Ransomware appends the “.725” extension, and the ransom note file it uses is called “RECOVER-FILES.html”. This version does not reveal as many details as the first one, and the only thing that the user can do is click the “Yes, I want to buy” button, which should help victims purchase an allegedly functional decryptor. It is most likely that in this version, the creator of the ransomware uses emails to communicate with victims and present the demands directly to them. Both versions of the devious Globeimposter 2.0 Ransomware are capable of reading the victim’s computer name, and they can remove entries from the Remote Desktop Connection. Furthermore, they can modify IE security settings. Our research team has also found that this malware can connect to over 60 different C&C servers. Undoubtedly, it is risky to keep this infection active for much longer, and even if you do not recover your files, you must delete it ASAP.

Deleting Globeimposter 2.0 Ransomware is not very difficult, and most users will be able to get rid of this dangerous threat using the guide below. What if you cannot erase the infection manually? In fact, our research team advises installing anti-malware software regardless of the situation, not only because it can erase existing threats automatically but also because that is important for your virtual security. If you think you can keep your operating system malware-free yourself, you could be very wrong. Even huge government organizations and companies fail to keep ransomware away, and so it is best to take caution. First, install legitimate and up-to-date anti-malware software – it will remove Globeimposter 2.0 Ransomware automatically – and then set up a file backup system outside of your operating system. Also, exercise caution when working on your computer.

Remove Globeimposter 2.0 Ransomware

  1. Simultaneously tap Win+E to launch Windows Explorer.
  2. Enter %PUBLIC% into the bar at the top.
  3. Right-click and Delete the {random name}.exe file.
  4. Simultaneously tap Win+R to launch RUN.
  5. Type regedit.exe into the dialog box and click OK.
  6. In Registry Editor navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.
  7. Right-click and Delete the value named CertificatesCheck (this value is linked to the malicious .exe file).
  8. Empty Recycle Bin to erase the malicious threat completely.
  9. Investigate your operating system using a legitimate malware scanner.

In non-techie terms:

Globeimposter 2.0 Ransomware is a serious infection that can encrypt your files and even delete shadow volume copies to prevent you from recovering personal data. Unfortunately, if your files are not backed up outside your PC, you might be unable to recover them. Not only is the ransom – which you are suggested to pay in return of some decryptor – ridiculously huge, there also is no guarantee that this transaction would work. In fact, you are more likely to be left empty-handed. While it is possible to delete Globeimposter 2.0 Ransomware manually, it is strongly recommended that all users utilize trusted anti-malware software to ensure that malicious threats are automatically removed and then kept away from your operating system in the future.