How to remove Globe virus (Ransomware)

Globe virus

What is Globe virus?

Globe virus is ransomware that encrypts the files on your computer using Blowfish encryption, adds .purge to the file extensions, and leaves a ransom note on your computer in a HTA or HTML format demanding that you pay a ransom to recover your files. The ransomware is designed around the movie franchise The Purge and will use images associated with the movie franchise and the .purge file extension to isolate encrypted files.

globe virus

Globe ransomware will leave a ransom note named How to restore files.hta  in every folder it encrypts files in as well as Windows Desktop. The note files contain a ransom note that explains what happened to the affected files and how to pay a ransom via Bitcoins in order to acquire a key to decode the compromised files. The note may suggest that users email powerbase@tutanota.com to acquire a decryption key.

Ransom note

This wallpaper will state "You files are encrypted. Pay for decryption please" and then contains the powerbase@tutanota.com email address.

Once a computer becomes infected with Globe ransomware it will encrypt files, change the file names, delete the Shadow Volume Copies so that files cannot easily be recovered, and disable Windows Startup Repair. It will also dump files in every folder it encrypts files in that contain a ransom note. The note can additionally be used as a lock screen that restricts access to the infected computer.

Commands to disable Windows Startup Repair

vssadmin.exe Delete Shadows /All /Quiet 
bcdedit.exe /set {default} recoveryenabled No 
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

Files

How to restore files.hta
%UserProfile%\AppData\Local\msiscan.exe
%UserProfile%\How to decrypt your files.jpg

Registry entries

HKCU\Software\Globe
HKCU\Software\Globe\ "idle"
HKCU\Software\Globe\ "debug"
HKCU\Control Panel\Desktop\ "Wallpaper" "%UserProfile%\How to decrypt your files.jpg"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "How to restore files" = "mshta.exe "%UserProfile%\How to restore files.hta""

Not much is known how this malware will be distributed. However, ransomware like the Globe virus is usually dispersed by malicious email attachments. The email content employs social engineering in order to trick unsuspecting victims into downloading a file under the guise that it is something it is not. Once the file is manually executed by the user ransomware will begin to advance on the computer system and carry through it’s various functions.

It is not recommended to pay ransomware authors to decrypt your files. Instead you can use programs like Shadow Explorer, PhotoRec, or Recuva to restore corrupted files.

Aliases: Globe virus, Globe ransomware, Purge virus

How to remove Globe virus

1. Download and Install Recuva by Pirform.

download recuva

2. Run the program and start the Recuva Wizard.

3. Select All Files and click Next.

4. Select a file location. Click I’m not sure to search everywhere on your computer.

5. Click Start.

6. Select All Files with your mouse and click the Recover button. If you cannot restore your files with Recuva we recommend to try using Shadow Explorer to restore your files.

7. Download and Install Malwarebytes Anti-Malware software to detect and remove malicious files from your computer.

download malwarebytes

buy now button

8. Open Malwarebytes and click the Scan Now button – or go to the Scan tab and click the Start Scan button.

9. Once the Malwarebytes scan is complete click the Remove Selected button.

10. To finish the Malwarebytes scan and remove detected threats click the Finish button and restart your computer if promoted to do so.

11. Download and Install HitmanPro by Surfright to perform a second-opinion scan.

download hitmanpro

12. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may chose to create a copy or perform a one-time scan.

13. Once the HitmanPro scan is complete click the Next button.

14. To activate the free version of HitmanPro: enter your email address twice and click the Activate button.

15. Click the Reboot button.

16. Download and Install CCleaner by Piriform to cleanup junk files, repair your registry, and manage settings that may have been changed.

download ccleaner

buy now button

17. Open CCleaner and go to the main Cleaner screen. Click the Analyze button. When the process is complete, click the Run Cleaner button on the bottom right of the program interface.

18. Go to Tools > Startup and search for suspicious entries in each tab starting from Windows all the way to Content Menu. If you find anything suspicious click it and click the Delete button to remove it.

19. Go to the Registry window and click the Scan for Issues button. When the scan is complete click the Fix selected issues… button and click Fix All Selected Issues.

How to stay protected against future infections

The key to staying protected against future infections is to follow common online guidelines and take advantage of reputable Antivirus and Anti-Malware security software with real-time protection.

Real-time security software

Security software like Malwarebytes and Norton Security have real-time features that can block malicious files before they spread across your computer. These programs bundled together can establish a wall between your computer and cyber criminals.

download norton security
Common Online Guidelines

  • Backup your computer and personal files to an external drive or online backup service
  • Create a restore point on your computer in case you need to restore your computer to a date before infection
  • Avoid downloading and installing apps, browser extensions, and programs you are not familiar with
  • Avoid downloading and installing apps, browser extensions, and programs from websites you are not familiar with – some websites use their own download manager to bundle additional programs with the initial download
  • If you plan to download and install freeware, open source software, or shareware make sure to be alert when you install the object and read all the instructions presented by the download manager
  • Avoid torrents and P2P clients
  • Do not open email messages from senders you do not know
Helpful Links

Sean Doyle

Sean is a distinguished tech author and entrepreneur with over 20 years of extensive experience in cybersecurity, privacy, malware, Google Analytics, online marketing, and various other tech domains. His expertise and contributions to the industry have been recognized in numerous esteemed publications. Sean is widely acclaimed for his sharp intellect and innovative insights, solidifying his reputation as a leading figure in the tech community. His work not only advances the field but also helps businesses and individuals navigate the complexities of the digital world.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.