GlobeImposter Ransomware (.Horriblemorning variation) Removal Guide

GlobeImposter Ransomware (.Horriblemorning variation) is a malware that shows a message saying: “Your corporate network locked! All your important data has been encrypted. To restore files you will need a decryptor!” Unfortunately, the hackers behind this threat seem to want one Bitcoin, which is nearly eight thousand US dollars at the moment of writing. Needless to say that you could be scammed, which is why we recommend against paying a ransom. For users who do not know a lot about such threats, we advise reading our full article to learn how they work and, most importantly, how to avoid them. Also, in the article, we explain how to remove GlobeImposter Ransomware (.Horriblemorning variation), which is highly advisable if you do not want to leave such a dangerous threat unattended. If you are thinking about deleting it manually, you might also want to check the instructions located below the text.

Victims of malicious programs like GlobeImposter Ransomware (.Horriblemorning variation) are often tricked into opening their installers, which might be disguised as text files, pictures, or other types of data that inexperienced users would not suspect. In truth, it does not matter how a file looks like, you should still be suspicious about it if it comes from unreliable sources, such as file-sharing websites, Spam emails, or any messages from unknown senders, questionable notifications or pop-ups, and so on.

Thus, before opening files from doubtful sources, you should always scan them with a reliable antimalware tool first. Companies that want to protect their systems from such malicious applications should educate their employees so they would not fall for infected email attachments and data alike. Also, we recommend removing weaknesses like outdated software or unsecured Remote Desktop Protocol (RDP) connections. Some threats can sneak in by exploiting such vulnerabilities, so it is best to take care of them before someone finds a way to misuse them.

The first thing GlobeImposter Ransomware (.Horriblemorning variation) ought to do is create a randomly named copy of its launcher in the %LOCALAPPDATA% directory. Plus, it should create a value name in the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce to make the infected device launch the malware again. Soon after, the malicious application should start encrypting various files located on a device. Our specialists say that it might encrypt all files except program data and files belonging to the operating system. It is easy to see which files are affected because they all should receive a second extension named .Horriblemorning, e.g., text.docx.Horriblemorning.

After the encryption process is complete, GlobeImposter Ransomware (.Horriblemorning variation) should drop a file named how_to_back_files.html. If a victim opens it, the file should take him to a site containing a message from the malware’s developers. It claims that hackers have decryption tools that are necessary to decrypt the malicious applications locked data. To prove that they have them, cybercriminals offer decrypting a single picture or text file free of charge. For the decryptor itself, they ask one Bitcoin; currently, it is nearly eight thousand US dollars.

There is no way to know for sure if the hackers will hold on to their end of the bargain and that your money will not be lost in vain. Therefore, we advise not to pay if you cannot risk losing such a considerable amount of money. Also, we recommend removing GlobeImposter Ransomware (.Horriblemorning variation) to clean your computer. You can eliminate it with a reliable antimalware tool of your choice or while following the instructions located below.

Restart the device in Safe Mode with Networking

Windows 8 and Windows 10

1. Tap Win+I or navigate to the Start menu and click the Power button.
2. Tap and hold Shift and click Restart.
3. Select Troubleshoot and choose Advanced Options.
4. Pick Startup Settings and press Restart.
5. Click the F5 key and reboot the system.

Windows XP/Windows Vista/Windows 7

1. Open Start, press Shutdown options, and tap Restart.
2. Press and hold the F8 key when your computer is restarting.
3. Wait till you see the Advanced Boot Options window.
4. Choose Safe Mode with Networking.
5. Press Enter and log on to your computer.

Get rid of GlobeImposter Ransomware (.Horriblemorning variation)

1. Tap Win+E.
2. Locate the following directories:
   %TEMP%
   %USERPROFILE%\Desktop
   %USERPROFILE%\Downloads
3. Find the malicious applications installer; it might be any recently downloaded file.
4. Right-click the doubtful file and select Delete.
5. Go to this location: %LOCALAPPDATA%
6. Find a malicious executable file that should be the threat’s copy; its name could be random.
7. Right-click the suspected executable file and select Delete.
8. Leave File Explorer.
9. Tap Win+R.
10. Insert Regedit and click OK.
11. Go to this path: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
12. Locate a value name that might be called BrowserUpdateCheck or similarly.
13. Right-click it and press Delete.
14. Leave Registry Editor.
15. Empty Recycle bin.
16. Reboot the device.