GlobeImposter Ransomware (.Horriblemorning variation)

What is GlobeImposter Ransomware (.Horriblemorning variation)?

You do not need to guess whether or not GlobeImposter Ransomware (.Horriblemorning variation) has invaded your operating system. All you need to do is look at your files and see if “.Horriblemorning” has been attached to their names. If this extension is added, the malicious ransomware has encrypted your personal files, and you need to take immediate action. Sadly, files cannot be restored by removing the threat, but there are solutions that might help you with that. For one, the GlobeImposter Decryptor created by malware experts might assist in some cases. Alternatively, some victims might be able to replace the corrupted files using copies stored online, on external drives, or other secure locations. Of course, before any replacements can be made, it is necessary to delete GlobeImposter Ransomware (.Horriblemorning variation). Whether you identify it as GlobeImposter Ransomware or Horriblemorning Ransomware, you need to figure out a way to get rid of this malware ASAP.

How does GlobeImposter Ransomware (.Horriblemorning variation) work?

There are multiple different versions of GlobeImposter Ransomware, and Horriblemorning Ransomware is only the latest one to join the party. Just like other clones, you are likely to face this version of the infamous threat by interacting with malicious downloaders and spam emails. It is also possible that other infections could drop this threat. Therefore, once you remove GlobeImposter Ransomware (.Horriblemorning variation) from your operating system, you must not forget to inspect your system for other potentially active threats too. As for the threat itself, it looks like the original launcher file – which could be dropped anywhere – is not the only component. Anti-Spyware-101.com researchers report that a malicious .exe file in the %LOCALAPPDATA% directory must be deleted too. The infection also creates a registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. Of course, the most important file is called “how_to_back_files.html,” and it is what we know as a ransom note. Whether there is only one copy of this file or multiple copies, you want to erase them all.

The .html file is meant to convince the victims of GlobeImposter Ransomware (.Horriblemorning variation) that they need to pay a ransom of 1 Bitcoin to retrieve a decryptor. If you are not familiar with Bitcoins, you might not realize that 1 BTC converts to nearly $8,000 (based on conversion rates at the time of research). Victims are instructed to pay the ransom in this cryptocurrency to the attacker’s Bitcoin wallet, whose address is 129wbWjopiECw1n7XgHWK7n6nmEPd7K8m6. It is possible that some victims have made the payment already because eight unique transactions have been recorded. After the payment, victims are supposed to send a screenshot of it to cryptomavens@protonmail.com or cryptomavens@eclipso.eu as proof. It goes without saying that we do not recommend paying the ransom because, first of all, there are no guarantees that a decryptor exists or that it would be sent to you. Furthermore, a free decryptor already exists, and if that option does not work, you might be able to replace corrupted files with backups. We hope that you do not need to risk your savings and that you can get back to your normal life soon.

How to delete GlobeImposter Ransomware (.Horriblemorning variation)

You need to secure your operating system against all infections, and even though you now need to remove GlobeImposter Ransomware (.Horriblemorning variation), there are plenty of other threats that could slither in and cause you a headache if you do not secure your system appropriately. Our researchers advise employing an anti-malware program that has been proven to be reliable. This program would simultaneously delete infections and protect the Windows operating system, which is exceptionally helpful, considering that removing GlobeImposter Ransomware (.Horriblemorning variation) manually is not that easy. We can show you how to delete most components, but it is essential for you to eliminate the launcher, and where this file is on your computer depends on how the infection slithered in and how you interacted with it initially. After you get rid of the infection, we hope you will be able to restore your files using a free decryptor, or you will have the chance to replace the encrypted files using backups.

Removal Instructions

  1. Delete the ransom note file called how_to_back_files.html (could have copies).
  2. Locate and Delete the launcher of the infection (unknown location/name).
  3. Launch Explorer (tap Win+E keys) and enter %LOCALAPPDATA% into the field at the top.
  4. Locate a malicious .exe file with a random name and Delete it.
  5. Launch Run (tap Win+R keys) and enter regedit into the dialog to launch Registry Editor.
  6. Go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.
  7. Locate a value named BrowserUpdateCheck and Delete it.
  8. Empty Recycle Bin and then quickly install a legitimate, up-to-date malware scanner.
  9. Run a full system scan to check for leftovers that might require attention.
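
The checks in the steps above can be run as a read-only triage pass before anything is deleted. The PowerShell script below is an added example, not part of the original guide or of any vendor tool; it looks only for the indicators this page names (the ransom note, the appended extension, an .exe in %LOCALAPPDATA%, and the BrowserUpdateCheck value under RunOnce). The parameter $SearchRoot and the helper Add-Finding are hypothetical names chosen for this example.

```powershell
# Added example: read-only triage for the indicators named on this page.
# Nothing is deleted; review the output before following the removal steps.
param(
    # Assumption: the user profile is the search root; pass a drive root for a wider sweep.
    [string]$SearchRoot = $env:USERPROFILE
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Indicator, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Indicator = $Indicator; Location = $Location; Detail = $Detail })
}

# Step 1: every copy of the ransom note.
$notes = Get-ChildItem -Path $SearchRoot -Filter 'how_to_back_files.html' -File -Recurse -Force -ErrorAction SilentlyContinue
foreach ($n in $notes) { Add-Finding 'Ransom note' $n.FullName $n.LastWriteTime.ToString('s') }

# Files carrying the appended extension; the earliest timestamp approximates when encryption began.
$encrypted = @(Get-ChildItem -Path $SearchRoot -Filter '*.Horriblemorning' -File -Recurse -Force -ErrorAction SilentlyContinue)
if ($encrypted.Count -gt 0) {
    $first = $encrypted | Sort-Object LastWriteTime | Select-Object -First 1
    Add-Finding 'Encrypted files' $SearchRoot "$($encrypted.Count) files; earliest $($first.LastWriteTime.ToString('s'))"
}

# Steps 3-4: executables sitting directly in %LOCALAPPDATA% (the page says the name is random,
# so each candidate is listed with its signature status and hash for review).
foreach ($exe in (Get-ChildItem -Path $env:LOCALAPPDATA -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue)) {
    $sig  = (Get-AuthenticodeSignature -FilePath $exe.FullName).Status
    $hash = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash
    Add-Finding 'EXE in LOCALAPPDATA root' $exe.FullName "Signature=$sig SHA256=$hash"
}

# Steps 6-7: the RunOnce value named on the page, with its data.
$runOnce = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$value = (Get-ItemProperty -Path $runOnce -Name 'BrowserUpdateCheck' -ErrorAction SilentlyContinue).BrowserUpdateCheck
if ($value) { Add-Finding 'RunOnce value BrowserUpdateCheck' $runOnce $value }

if ($findings.Count -eq 0) { 'No indicators from this page were found.' }
else { $findings | Format-List }
```

Saving the output before cleanup preserves the file hashes and the RunOnce value data, which are useful when checking other machines or backups for the same infection.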