![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Yes, it is most likely a new variant of GlobeImposter which often uses the how_to_back_files.html ransom note among others.
The best way to identify the different ransomwares is the ransom note (including it's name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses or hyperlinks provided by the cyber-criminals to request payment and the malware file responsible for the infection.
Without the above information or if this is something new (or there is no extension or filemarker in encrypted files), our crypto malware experts most likely will need a sample of the malware file itself to analyze before anyone can ascertain if the encrypted files can even be decrypted. Samples of any suspicious executable's (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic.
Unfortunately, there is no known method to decrypt files encrypted by all the latest versions of GlobeImposter 2.0 without paying the ransom (unless the TOR site is abandoned) since there is no way to retrieve the malware developer's private key that can be used to decrypt your files. Without the master private RSA key that can be used to decrypt your files, decryption is impossible. If feasible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time. Ignore all Google searches which provide links to bogus and untrustworthy removal/decryption guides.
When dealing with ransomware, there is no way to know for sure if the cyber-criminals actually steal any of the data or sensitive file information for further criminal activity but I am not aware of any such cases. Rather than the content of your data, they are more interested in obtaining a ransom payment for financial gain. These criminals are in business to make money and make it fast, then move on to the next victim. Although some criminals may threaten to release (expose) information if victims do not pay, uploading someone's data for such nefarious purposes takes too much time and could leave a trail for law enforcement authorities to follow.
Crypto malware will scan and encrypt just about any type of data file it finds but some target more than others. Some types of ransomware (i.e. DMA Locker, Gomasom, CryptoFortress, UmbreCrypt) utilize a white list of folders and extensions that they will not encrypt. By using a white list, the malware will encrypt almost all non-system and non-executable related files that it finds. Targeting critical system files and executables which could render a system unbootable serves no purpose. Since the malware developers are in business to make money, they need their victims to pay the ransom in order to decrypt valuable data files. ..that typically means the criminals want the computer to be functional without giving the victim access to their data until after the ransom payment has been received.
The problem with this type of infection is that most victims do not realize they have been infected until the ransomware displays the ransom note and the files have already been encrypted. In some cases there may be no ransom note and discovery only occurs at a later time when attempting to open an encrypted file. As such, they don't know how long the malware was on the system before being alerted or if other malware was downloaded and installed along with the ransomware. If other malware was involved it may be the reason for your booting issues.