globeimposter

GlobeImposter is a ransomware family that first appeared in mid-2017, designed to mimic the appearance and naming conventions of the earlier Globe ransomware but built on entirely different code. It uses strong encryption algorithms, typically AES combined with RSA, and appends a variety of file extensions to encrypted data—such as .crypt, .doc, .png, .jpg, .spreadsheet, and many more—depending on the campaign. GlobeImposter is primarily distributed via malicious spam campaigns with infected attachments, compromised RDP services, and exploit kits. It drops a ransom note (often named how_to_back_files.html or similar) instructing victims to contact the attackers via email. Over the years, GlobeImposter has spawned hundreds of variants, making it one of the more persistent commodity ransomware threats targeting small businesses and individuals globally.