Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


.Encrypted GX40 Virus – How to Remove

Article created to help remove the GX40 ransomware infection and restore files that have been AES encrypted with the .encrypted file extension appended.

A ransomware virus known as GX40 has been reported by malware researchers to encrypt files on the computers infected by it and then append the .encrypted file extension to them. After encryption, the files can no longer be opened and seem to be corrupt. The infection has also been reported to drop a ransom note with instructions on how to pay a hefty ransom fee to get the files back. Anyone who has been infected by the GX40 ransomware is advised to read the following article thoroughly.

Threat Summary

Name

GX40

Type Ransomware
Short Description The malware encrypts users files using the AES encryption cipher, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms The user may witness ransom notes and “instructions” screen named GX40 – NOTICE, linking to a web page and a decryptor. Changed file names and the file-extension .encrypted has been used.
Distribution Method Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by GX40

Download

Malware Removal Tool

User Experience Join our forum to Discuss GX40.
Data Recovery Tool Data Recovery Pro by ParetoLogic Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.encrypted GX40 Virus – How Does It Infect

The infection process of GX40 ransomware is similar to any other ransomware virus out there. The virus may initially be distributed with the help of e-mail spam messages with malicious archives and attachments embedded within them. Once those attachments are embedded, they are accompanied by a deceitful messages that trick the user into opening them. They may pretend to be:

  • An invoice for a purchase the user is tricked to have made.
  • A document from a bank, claiming there is suspicious activity.
  • Fake PayPal, FedEx or other documents.

Once the malicious file within the archive is opened, the infection is immediate and the virus uses a loader to drop it’s payload.

Other methods of infection by GX40 ransomware is if the virus takes advantage of fake installers, fake Windows updates and any other file that may seem legitimate. It may even be encountered on torrent websites as a fake game patch or game crack that is usually used to license an unlicensed versions of programs or games.

The .encrypted GX40 Ransomware – Infection Activity

Once the loader of this virus has already dropped it’s malicious files on the victim computer, they are likely situated in the following folders:

  • %AppData%
  • %LocalLow%
  • %Roaming%
  • %Local%
  • %Windows%

Two of the malicious executables belonging to GX40 ransomware infection are recognized to be the following:

GX40 – PayPal Validator.exe
GX40.exe

After being activated, the malicious files of the virus may contain a malicious code within them that might modify the shadow volume copies of the infected computer, so that they are deleted without the user noticing. This is achievable by executing the following commands, primarily the vssadmin line:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

In addition to this activity, the GX40 ransomware infection may also tamper with the Windows registry editor of the victim PC, making the malicious executable that encrypts files run when the Windows system boots:

→ HKEY_CURRENT_USER\Control Panel\Desktop\
HKEY_USERS\.DEFAULT\Control Panel\Desktop\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

GX40 Ransomware – Encryption Process

The process of encrypting files by this virus is done with the assistance of the Rijndael encryption algorithm also known as AES. The cipher encrypts files in blocks which are 129 bits in size and the strength of it’s encryption may be 128, 192 or 256-bit(strongest) encryption. The encryption algorithm is also used by the U.S. government and it generates a symmetric key after encrypting files. This key is the same for all the locked files and it may be sent to the cyber-criminals’ command and control servers.

Among the files which the GX40 virus targets for encryption are the following types of important files:

  • Microsoft Office documents.
  • OpenOffice files.
  • PDF documents.
  • Text files.
  • Image files.
  • Audio files.
  • Videos.
  • Archived files and different types of archives.

After the encryption process is complete, the files become no longer able to be opened and are appended the .encrypted file extension. They may appear as shown on the image below:

After the encryption, the virus makes sure the user knows of it’s presence by dropping a screen note(see images at the start above) asking to pay an 80$ ransom. It has the following messages within it:

Main Screen:
YOUR FILE HAS ENCRYPTED GX40
All of your important files has been encrypted by Ransomware
OPEN NOTICE
GX40 Ransomware
Contact me to make payment and make sure to attach yor identifier
GX40@YAHOO.COM
IDENTIFIER: {unique A-Z 0-9 digits
‘COPY’
‘RESTORE’

GX40-NOTICE:
NOTICE
by : GX40
All Your Personal Files Are Encrypted
All your data (photos, documents, and other files) have been encrypted with a private and unique key generated fot this computer. It means that yout will not be able to access your files anymore until they’re decrypted. The private key is stored in our servers and the only way to receive your key to decrypt your files is making a payment.
The payment has to be done in Bitcoint to a unique address that we generated for you. Bitcoins are a virtual currency to make online payments. IF you don’t know to get Bitcoins, you can google “HOW TO BUY BITCINS” and follow the instructions.
YOU ONLY HAVE 2 DAYS TO SUBMIT THE PAYMENT! When the provided time ends, the payment will increase to $80. Also, if you dont pay in 7 days, your unique key wil be destroyed and you wont be able to recover your files anymore.
To recover your files and unlock your computer, you mush send 0.07214 BTC or 80 USD, to the next Bitcoin address : 12EN79yZyZpEvfnQPHUqyhEtrWU4W3UrDn
WARNING!
DO NOT TRY GET RID OF THIS PROGRAM YOURSELF. ANY ACTION TAKEN WILL RESULT IN DECRYPTION KEY BEING DESTROYED. YOU WILL LOSE YOUR FILES FOREVER. ONLY WAY TO KEEP YOUR FILES IS TO FOLLOW THE INSTRUCTIONS.

DX40 Virus – How to Remove it and Restore .encrypted Files

Before beginning the removal process of the DX40 infection, recommendations are to focus on backing up all the files of importance, no matter if they are encrypted or usable.

Then, since the DX40 virus may interfere with multiple Windows processes and keep active connection to hosts such as the reported https host www.academyx40.com, it is important to isolate the threat before removing it. One way to do it is by following the manual removal instructions below and after isolating the malware, you can go ahead and proceed with reverting the settings modified by the virus and remove the files yourself. However, if manual removal is not what you are going for, recommendations are to focus on performing the removal process automatically. The best way to do this according to experts is by downloading an advanced anti-malware tool, which will perform the removal processes and protect your computer from future infections, like DX40 ransomware.

After having removed the DX40 ransomware, it is time to focus on the encrypted files. For the moment there is no decryptor available for this particular ransomware threat. However, it is also good to know that there are alternative methods that you can try in step “2. Restore files encrypted by DX40 below”. They may not be 100 percent effective by they may also help recover some of your important files, at least until malware researchers find a free decryption solution, which if happens, we will post a link in this article.

Manually delete GX40 from your computer

Note! Substantial notification about the GX40 threat: Manual removal of GX40 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove GX40 files and objects
2.Find malicious files created by GX40 on your PC

Automatically remove GX40 by downloading an advanced anti-malware program

1. Remove GX40 with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by GX40
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.