GlobeImposter Ransomware (.Horriblemorning variation) is a malware that shows a message saying: “Your corporate network locked! All your important data has been encrypted. To restore files you will need a decryptor!” Unfortunately, the hackers behind this threat seem to want one Bitcoin, which is nearly eight thousand US dollars at the moment of writing. Needless to say that you could be scammed, which is why we recommend against paying a ransom. For users who do not know a lot about such threats, we advise reading our full article to learn how they work and, most importantly, how to avoid them. Also, in the article, we explain how to remove GlobeImposter Ransomware (.Horriblemorning variation), which is highly advisable if you do not want to leave such a dangerous threat unattended. If you are thinking about deleting it manually, you might also want to check the instructions located below the text.
Victims of malicious programs like GlobeImposter Ransomware (.Horriblemorning variation) are often tricked into opening their installers, which might be disguised as text files, pictures, or other types of data that inexperienced users would not suspect. In truth, it does not matter how a file looks like, you should still be suspicious about it if it comes from unreliable sources, such as file-sharing websites, Spam emails, or any messages from unknown senders, questionable notifications or pop-ups, and so on.
Thus, before opening files from doubtful sources, you should always scan them with a reliable antimalware tool first. Companies that want to protect their systems from such malicious applications should educate their employees so they would not fall for infected email attachments and data alike. Also, we recommend removing weaknesses like outdated software or unsecured Remote Desktop Protocol (RDP) connections. Some threats can sneak in by exploiting such vulnerabilities, so it is best to take care of them before someone finds a way to misuse them.
The first thing GlobeImposter Ransomware (.Horriblemorning variation) ought to do is create a randomly named copy of its launcher in the %LOCALAPPDATA% directory. Plus, it should create a value name in the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce to make the infected device launch the malware again. Soon after, the malicious application should start encrypting various files located on a device. Our specialists say that it might encrypt all files except program data and files belonging to the operating system. It is easy to see which files are affected because they all should receive a second extension named .Horriblemorning, e.g., text.docx.Horriblemorning.
After the encryption process is complete, GlobeImposter Ransomware (.Horriblemorning variation) should drop a file named how_to_back_files.html. If a victim opens it, the file should take him to a site containing a message from the malware’s developers. It claims that hackers have decryption tools that are necessary to decrypt the malicious applications locked data. To prove that they have them, cybercriminals offer decrypting a single picture or text file free of charge. For the decryptor itself, they ask one Bitcoin; currently, it is nearly eight thousand US dollars.
There is no way to know for sure if the hackers will hold on to their end of the bargain and that your money will not be lost in vain. Therefore, we advise not to pay if you cannot risk losing such a considerable amount of money. Also, we recommend removing GlobeImposter Ransomware (.Horriblemorning variation) to clean your computer. You can eliminate it with a reliable antimalware tool of your choice or while following the instructions located below.
Windows 8 and Windows 10
Windows XP/Windows Vista/Windows 7