How to remove GlobeImposter (.726) virus and restore encrypted files

 


Today we will talk about a virus that became the leader in the number of infected computers during the last week. It is called GlobeImposter, but it is also known as the .726 ransomware. The virus spreads very quickly, but its main feature is the huge number of versions. Since August 1, more than ten viruses identical to 726 in structure have appeared. They use different images, ransom notes and extensions for encrypted files, but their code is exactly the same. Here is the list of extensions used; we cannot consider it complete, because several other clones could have appeared while this article was being written.

".726", ".725", ".492", ".515", ".707", ".626", ".3ncrypt3d", ".2cXpCihgsVxB3", ".au1crypt", ".astra", ".BRT92", ".blcrypt", "blscrypt", ".coded", ".cryptch", ".crypt", ".GLAD", ".GORO", ".GOTHAM", ".GRAF", ".HAPP", ".PLIN", ".sea", ".help", ".RECT", ".ocean", ".rose", "p1crypt", ".MAKB", ".skunk", ".s1crypt", ".nopasaran", ".VAPE", ".pscrypt", ".oni", ".pizdosik", ".fix", ".virginprotection", ".WRITE_US", ".MIXI", ".troy", ".write_us_on_email", ".PRIAPOS", ".nCrypt", ".hNcrypt", ".medal", ".paycyka", ".vdul", ".keepcalm", ".legally", ".wallet", ".pizdec", ".mtk118".
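
To see which of these variants hit a machine and how many files it touched, the PowerShell sketch below counts files per known extension and shows the time window in which they were written. It is an added example, not part of the original article; the function names and the default scan root are assumptions.

```powershell
# Added example, not from the original article. Extensions are copied from the
# list above; "blscrypt" and "p1crypt" appear there without a dot and are
# normalized to ".name" here.
$KnownExt = @(
    '.726', '.725', '.492', '.515', '.707', '.626', '.3ncrypt3d', '.2cXpCihgsVxB3',
    '.au1crypt', '.astra', '.BRT92', '.blcrypt', 'blscrypt', '.coded', '.cryptch',
    '.crypt', '.GLAD', '.GORO', '.GOTHAM', '.GRAF', '.HAPP', '.PLIN', '.sea', '.help',
    '.RECT', '.ocean', '.rose', 'p1crypt', '.MAKB', '.skunk', '.s1crypt', '.nopasaran',
    '.VAPE', '.pscrypt', '.oni', '.pizdosik', '.fix', '.virginprotection', '.WRITE_US',
    '.MIXI', '.troy', '.write_us_on_email', '.PRIAPOS', '.nCrypt', '.hNcrypt', '.medal',
    '.paycyka', '.vdul', '.keepcalm', '.legally', '.wallet', '.pizdec', '.mtk118'
) | ForEach-Object { '.' + $_.TrimStart('.') }

function Find-EncryptedFiles {                       # hypothetical helper name
    param([string]$Root = $env:USERPROFILE)          # assumption: scan the user profile
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $KnownExt -contains $_.Extension }
}

function Get-EncryptionSummary {                     # hypothetical helper name
    param([string]$Root = $env:USERPROFILE)
    Find-EncryptedFiles -Root $Root |
        Group-Object { $_.Extension.ToLower() } |
        ForEach-Object {
            # LastWriteTime approximates when each file was encrypted
            # (assumption: the malware did not reset timestamps).
            $byTime = @($_.Group | Sort-Object LastWriteTime)
            New-Object PSObject -Property @{
                Extension = $_.Name
                Files     = $_.Count
                First     = $byTime[0].LastWriteTime
                Last      = $byTime[-1].LastWriteTime
            }
        }
}

Get-EncryptionSummary | Sort-Object Files -Descending |
    Format-Table Extension, Files, First, Last -AutoSize
```

Generic entries such as .help, .fix or .sea can also match legitimate files, so check a sample of the hits before treating every one as encrypted.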

 

It's safe to say that so far no virus has been so popular among scammers or has been copied so many times in such a short time. What is the reason for GlobeImposter's popularity? We can only guess: most likely it is effective promotion of the virus on the Dark Web and the fact that it was posted on a popular online shop for malicious software. All these similar viruses are not updates from the creators; they are complete copies used by different scammers to earn some easy money. The virus has not changed during the last week, which means that files encrypted by any of these variants can be decrypted using a single program.

What do we know about the 726 virus and its side versions? The virus uses the traditional method of entering the system: spam e-mail. The ransom amount is 1 BTC, or approximately 950 dollars at the current exchange rate. The ransom notes are almost the same, and give no information about the structure of the virus or the encryption algorithms used. Here is an example of a standard note:

Your files are encrypted!
All your important data has been encrypted.
To recover data you need decryptor.
To get the decryptor you should:
pay for decrypt:
site for buy bitcoin:
Buy 1 BTC on one of theses site:
1. localbitcoins.com
2. coinbase.com
3. xchange.cc
Bitcoin address to pay: 16G8L4oJs87e7kACZ6W4PNZLsXAkxxXsuWe
Send 1 BTC for decrypt. After the payment: Send screenshot of payment to [e-mail address hidden], [e-mail address hidden]. In the letter include your personal ID (look at the beginning of this document). After you will receive a decryptor and instructions. Attention! No Payment = No decryption. You really get the decryptor after payment. Do not attempt to remove the program or run the anti-virus tools. Attempts to self-decrypting files will result in the loss of your data. Decoders other users are not compatible with your data, because each user’s unique encryption key.

None of the GlobeImposter variants has a website, because the scammers handle all transactions by e-mail, which also indicates their low level of organization, unprofessionalism and limited capabilities. Finally, the most important indicator is that new versions of the virus continued to appear even after AV vendor Emsisoft released a decryptor for GlobeImposter files. If you are a victim of any version of the virus, download Emsisoft's decryptor and restore your data for free.

How to delete GlobeImposter Virus

Now that you know what GlobeImposter is and how to restore the files, only one question remains: how to remove the virus from the system? The fact is that GlobeImposter, like most other ransomware, is able to delete your data permanently if you try to remove the virus. To avoid this, use our instructions to remove GlobeImposter. If you have a backup of your files or of the system, do not download it until you have removed the virus! Otherwise the virus will remain in the system and will also infect the backup, making it useless. Follow the instructions below exactly and you will soon get rid of GlobeImposter for good.


Removal instructions

Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Select Safe boot and press Ok


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel
  • Select Appearance and Personalization
  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives
  • Press Ok

Step 3. Remove virus files

Check the following folders for suspicious files:

  • %TEMP%
  • %APPDATA%
  • %ProgramData%

 

Step 4. Fix hosts file

  • Go to the %SystemRoot%\System32\drivers\etc\ folder
  • Open the hosts file using Notepad or another text editor
  • Delete suspicious entries
  • Basic hosts file looks like this: [screenshot of a basic hosts file]

Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys (check the first four under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER):
      • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
      • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
      • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
      • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Scan computer with antivirus

 

Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot
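
The locations that Steps 3 to 5 ask you to inspect by hand can be collected in one pass with the read-only PowerShell script below. It is an added example, not part of the original guide; the function names, the 14-day look-back and the list of file types are assumptions made for illustration.

```powershell
# Added example: read-only audit of the locations named in Steps 3 to 5.
# Nothing is modified; review the output, then clean up by hand as described.
$Folders = @($env:TEMP, $env:APPDATA, $env:ProgramData)

function Get-RecentDroppedFiles {                 # Step 3 (hypothetical name)
    param([int]$Days = 14)                        # assumption: 14-day look-back
    $types  = '.exe', '.dll', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1'  # assumption
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -LiteralPath $Folders -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $types -contains $_.Extension -and
                       $_.LastWriteTime -gt $cutoff } |
        Select-Object LastWriteTime, Length, FullName
}

function Get-ActiveHostsEntries {                 # Step 4 (hypothetical name)
    # On current Windows versions the stock hosts file has only comment lines,
    # so every line returned here deserves a look.
    $path = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $path |
        ForEach-Object { ($_ -replace '#.*$', '').Trim() } |
        Where-Object { $_ -and $_ -notmatch '^(127\.0\.0\.1|::1)\s+localhost$' }
}

function Get-AutorunValues {                      # Step 5 (hypothetical name)
    $keys = foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($name in 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce') {
            "$hive\Software\Microsoft\Windows\CurrentVersion\$name"
        }
    }
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $reg = Get-Item -LiteralPath $key
        foreach ($value in $reg.GetValueNames()) {
            $cmd = [string]$reg.GetValue($value)
            # Flag commands that start something from a Step 3 folder.
            $hit = @($Folders | Where-Object { $_ -and $cmd.ToLower().Contains($_.ToLower()) })
            New-Object PSObject -Property @{
                Key = $key; Name = $value; Command = $cmd; InStep3Folder = ($hit.Count -gt 0)
            }
        }
    }
}

Get-RecentDroppedFiles | Format-Table -AutoSize
Get-ActiveHostsEntries
Get-AutorunValues | Format-List Key, Name, Command, InStep3Folder
# Userinit normally holds only "<SystemRoot>\system32\userinit.exe,"
(Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon').Userinit
```

Run it from an elevated PowerShell prompt while still in Safe Mode, and again after cleanup to confirm that the flagged entries are gone.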

 

 

 
