How to remove GlobeImposter (.726) virus and restore encrypted files


GlobeImposter ransomware virus


Today we will talk about a virus that has become a real leader in the number of infected computers during the last week. This virus is called GlobeImposter, but it can also be known by the name .726 ransomware. This virus spreads very quickly, but its main feature is a huge number of versions. Since the August 1, there have been more than ten viruses identical to 726 in their structure. They are using other images, another ransom notes and another extensions for encrypted files but their code is exactly the same. Here is the list of extensions used, but we can not consider it complete, because several other clones could appear at the time of writing this article.


".726", “.725”, “.492”, ".515", ".707", “.626”, ".3ncrypt3d", ".2cXpCihgsVxB3", ".au1crypt", “.astra”, ".BRT92", “.blcrypt”, “blscrypt”, “.coded”, ".cryptch", ".crypt", ".GLAD", ".GORO", ".GOTHAM", ".GRAF", ".HAPP", ".PLIN", ".sea", ".help", ".RECT", ".ocean", ".rose", "This email address is being protected from spambots. You need JavaScript enabled to view it.", "p1crypt", ".MAKB", ".skunk", ".s1crypt",.nopasaran, "This email address is being protected from spambots. You need JavaScript enabled to view it.", ".VAPE", ".pscrypt", ".oni", ".pizdosik", "This email address is being protected from spambots. You need JavaScript enabled to view it.","This email address is being protected from spambots. You need JavaScript enabled to view it.", ".fix", ".virginprotection", ".WRITE_US", ".MIXI", ".troy", ".write_us_on_email", ".PRIAPOS", ".nCrypt", ".hNcrypt", ".medal", ".paycyka", ".vdul", ".keepcalm", ".legally", ".wallet", ".pizdec", ".mtk118".


It's safe to say that so far no virus has been so popular among scammers and has been copied so many times in such a short time. What is the reason for such popularity of GlobeImposter? Alas, we can only assume this, and most likely it's the correct promotion of virus on the Dark Web and the fact that it was posted on the popular online shop of malicious software. All these similar viruses are not updates from creators - these are the complete copies used by different scammers in order to earn some easy money. The virus has not changed during the last week, which means that files encrypted with any of these viruses can be decrypted using a single program.

What do we know about the 726 virus and its side versions? The virus uses traditional methods of entering the system associated with spam e-mail. The ransom amount is 1 BTC or approximately 950 dollars at the current exchange rate. Notes with redemption requirements are almost the same, and do not report any data on the structure of the virus and the encryption algorithms used. Here is an example of a standard note:


Your files are encrypted!
All your important data has been encrypted.
To recover data you need decryptor.
To get the decryptor you should:
pay for decrypt:
site for buy bitcoin:
Buy 1 BTC on one of theses site:
Bitcoin address to pay: 16G8L4oJs87e7kACZ6W4PNZLsXAkxxXsuWe
Send 1 BTC for decrypt. After the payment: Send screenshot of payment to This email address is being protected from spambots. You need JavaScript enabled to view it., This email address is being protected from spambots. You need JavaScript enabled to view it.. In the letter include your personal ID (look at the beginning of this document). After you will receive a decryptor and instructions. Attention! No Payment = No decryption. You really get the decryptor after payment. Do not attempt to remove the program or run the anti-virus tools. Attempts to self-decrypting files will result in the loss of your data. Decoders other users are not compatible with your data, because each user’s unique encryption key.


None of the GlobeImposter variants does have a website, because scammers make all transactions using e-mail, which also indicates scammers’ low level of organization, unprofessionalism and limited opportunities. Finally, the most important indicator is that new versions of the virus continued to appear even after AV-vendor EmsiSoft released a decryptor for GlobeImposter files. If you are a victim of any version of the virus - just follow this link, download the program and restore your data for free.

How to delete GlobeImposter Virus

Now that you know what GlobeImposter is and how to restore the files, there is only one question: how to remove the virus from the system? The fact is that GlobeImposter, like most other ransomware, is able to delete your data permanently if you try to remove the virus. To avoid this, you should use our instructions to remove GlobeImposter. If you have a backup of your files, or a backup of the system - do not download it until you remove the virus! The virus will still remain in the system, and will also infect the backup, making it useless. Exactly follow all the instructions in the instructions and soon you will get rid of GlobeImposter forever!


Special Offer

Download Spyhunter - Anti-malware scanner

We advise downloading SpyHunter to see, if it can detect malware for you.

Spyhunter has a biggest malware database

It protects the system against all kinds of threats: Trojans, adware and hijackers

24/7 Free Support Team

SpyHunter scanner detects threats and malware for free, but to remove infected elements you need to purchase a full version of program for 39.99$. More information about Spyhunter, EULA and Privacy policy.

Removal instruction




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Boot tab

Safe mode. Step 2



  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1


  • Select Appearance and Personalization

Show hidden files. Step 2


  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

Show hidden files. Step 3


  • Press Ok


Step 3. Remove virus files


Check next folders to find suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder



  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Scan computer with antivirus


Step 7. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot




Share your feedback to help other people
1 1 1 1 1 1 1 1 1 1 Rating 5.00 [1 Vote]

Add comment

Security code



Acronis suggestion to CrashPlans users

Around a month ago, there was an accident with CrashPlans backup software.

What is MicTrayDebugger and is it dangerous

This is a brief entry about MicTrayDebugger: what is it, how it appeared in the system, is it dangerous and how to get rid of it.

What is HoeflerText and is it dangerous?


This article is dedicated to the fraud scheme that is called HoeflerText font wasn't found. We will explain you what is this scheme and how to avoid it.

What is Wpad.dat virus and how it is used

The topic of our today's article is a script that had been unjustly called a virus. It’s Wpad.dat, and it is not a virus. We will explain what is Wpad.dat and how to prevent fraudsters to deceive yourself with its help.


Cancer virus trollware

This is an article about crazy Cancer virus and the madness that it brings to victim's computer.