GlobeImposter Ransomware (.Horriblemorning variation) Removal Guide

Do you know what GlobeImposter Ransomware (.Horriblemorning variation) is?

As the name suggests, GlobeImposter Ransomware (.Horriblemorning variation) is a new variation of a threat called Globeimposter Ransomware. From what we have learned about this malicious application, it looks like its developers are after computers that belong to businesses or other organizations. The malware encrypts files that could be important on its infected machines and then displays a ransom note, which explains that victims have to pay 1 BTC if they want to decrypt their files. To learn more about the threat’s working manner, we encourage you to read our full report. Just a bit below the text, you should find our removal guide that shows how to erase GlobeImposter Ransomware (.Horriblemorning variation) manually. If you have any questions, you can also leave us a message at the end of this page.

Whether you have encountered GlobeImposter Ransomware (.Horriblemorning variation) or not, the first thing you may want to learn is how it could be distributed. Our researchers say that the malware might get in while exploiting a targeted machine’s weaknesses, such as unsecured RDP (Remote Desktop Protocol) connections or vulnerabilities of unpatched software. Therefore, taking care of your system’s weaknesses should be one of your top priorities if you want to keep away from malicious applications alike.

Moreover, the malware’s creators could send it via email. To make such messages seem trustworthy, hackers could pretend to be working for a reputable organization or customers of the company they target. Inside such messages, victims may find attachments or links leading to files that may seem like documents. To avoid opening malicious attachments, we recommend scanning them with a reputable antimalware tool first. As for links, it is vital to scrutinize them to make sure that they will take you to where it is said that they should. Also, even if a link seems reliable, we still advise scanning files downloaded via links received from unknown sources if you wish to protect your device from threats like GlobeImposter Ransomware (.Horriblemorning variation).GlobeImposter Ransomware (.Horriblemorning variation) screenshot
Scroll down for full removal instructions

After entering a system, GlobeImposter Ransomware (.Horriblemorning variation) should encrypt text files, pictures, and other types of data that could be irreplaceable to the victim. According to our researchers, the malicious application ought to mark encrypted files with the .Horriblemorning extension, for example, Forest.jpg.Horriblemorning. Soon after encryption, the threat should create a file called how_to_back_files.html. Opening it should load a page with a ransom note. As said earlier, the text suggests paying a ransom in exchange for receiving decryption tools. It might also propose sending a couple of files for free decryption. Hackers may claim that they offer such service as a way to provide their victims with a guarantee. It would only confirm that the cybercriminals have needed decryption tools, but not that they will send them to you. Thus, paying a ransom would still be risky.

If you decide you do not want to pay hackers and risk losing your money for nothing, we encourage you to delete GlobeImposter Ransomware (.Horriblemorning variation). One of the ways to get rid of it is to complete the instructions provided in our removal guide located below this paragraph. The other way to eliminate the threat is to install a reliable antimalware tool, scan your computer with it, and then click the displayed deletion button.

Erase GlobeImposter Ransomware (.Horriblemorning variation)

1. Restart your computer in Safe Mode with Networking.
2. Click Windows Key+E.
3. Navigate to the suggested paths:
   %TEMP%
   %USERPROFILE%Desktop
   %USERPROFILE%Downloads
4. Find a file that could be the ransomware’s launcher, right-click the malicious file, and select Delete.
5. Go to: %LOCALAPPDATA%
6. Look for a randomly named .exe file that should belong to the malware, right-click it, and choose Delete.
7. Search for files named how_to_back_files.html, right-click them, and choose Delete.
8. Exit File Explorer.
9. Press Windows Key+R, type Regedit, and choose OK.
10. Navigate to this path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
11. Look for a value name created by the threat, for example, BrowserUpdateCheck, right-click this value name, and press Delete.
12. Close the Registry Editor.
13. Empty Recycle bin.
14. Restart the computer.

In non-techie terms:

GlobeImposter Ransomware (.Horriblemorning variation) is a dangerous application that encrypts valuable data and shows a note that asks a significant amount of money to pay for their decryption. To be more precise, the ransom is 1 BTC, which currently is more than seven thousand US dollars. For users who encounter it, we advise not to make rash decisions and think carefully whether they want to risk losing such a considerable sum. Whatever the malware’s creators may say, there are no guarantees that they will give you the promised decryption tools. If you decide not to put up with their demands, we recommend deleting GlobeImposter Ransomware (.Horriblemorning variation) with the removal guide placed above or a reputable antimalware tool that you like.