.decryptgarranty Files Virus – How to Remove GarrantyDecrypt Virus

This article will help you remove GarrantyDecrypt Virus. Follow the ransomware removal instructions provided at the end of the article.

GarrantyDecrypt Virus is ransomware that encrypts your data and demands money as a ransom to restore it. Encrypted files receive the .decryptgarranty extension. The GarrantyDecrypt Virus leaves its ransom instructions as a desktop wallpaper image. Keep reading the article to see how you could try to recover some of your locked files and data.

Threat Summary

Name: GarrantyDecrypt Virus
Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts files, appending the .decryptgarranty extension to the affected files on your computer system, and demands a ransom to be paid to allegedly recover them.
Symptoms: The ransomware will encrypt your files and leave a ransom note with payment instructions.
Distribution Method: Spam Emails, Email Attachments
Detection Tool: See If Your System Has Been Affected by GarrantyDecrypt Virus (Malware Removal Tool)
User Experience: Join Our Forum to Discuss GarrantyDecrypt Virus.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

GarrantyDecrypt Virus – Distribution Techniques

The GarrantyDecrypt virus has been identified in a limited attack campaign, which suggests that it is probably a test release. This means that not all of the popular distribution tactics are used and that the attack campaigns are limited in both scope and resources. We anticipate that if it is updated or run with other settings it might affect a much larger number of people.

One of the most popular tactics is email-based phishing messages sent in bulk. The criminals use common strategies such as preparing fake security announcements, patch update notifications or software promotions. By interacting with them the victims infect themselves with the GarrantyDecrypt virus. The dangerous files can be directly attached or linked in the message body via text links or graphic elements.

The phishing tactics can also be transferred to fake web sites that copy vendor sites or download portals. By using similar-sounding domain names and contents designed like the real counterparts, computer users might be tricked into downloading and installing the applications.

So-called infected payloads are a popular method for spreading malware threats like this one. There are two main types:

  • Malicious Setup Files — They are made by taking the legitimate installers of popular applications used by end users, downloaded from the official download sources, and modifying them with the virus code.
  • Macro-Infected Documents — A similar strategy is used with all popular file formats: presentations, rich text documents, databases and spreadsheets. When they are opened a notification prompt asks the users to enable the rich content. If this is done the built-in commands (macros) will download and run the ransomware.
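
One practical check against the second payload type is to look inside a document before enabling anything. The Python example below is added here and is not from the original article; it inspects an Office Open XML package (docx/xlsx/pptx and their macro-enabled variants) for an embedded VBA project by listing the zip parts, which works regardless of the file extension the attachment carries. The sample documents it builds are constructed stand-ins, not real files.

```python
import io
import zipfile

# Parts inside an Office Open XML package that hold VBA macro code. Word, Excel
# and PowerPoint each keep the project under their own part folder.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def find_vba_parts(data: bytes) -> list:
    """Return the VBA project parts present in an OOXML document.

    Returns [] when the blob is not a zip container (e.g. a legacy binary .doc,
    which needs an OLE parser instead) or when no macro project is embedded.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return []
    return sorted(names & VBA_PARTS)


def has_macros(data: bytes) -> bool:
    """True if the document carries a VBA project, whatever its file extension says."""
    return bool(find_vba_parts(data))


def _build_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word document: a minimal zip with the parts a
    real package would contain. Not a real .docm, just enough for the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project (constructed).
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


SAMPLE_CLEAN = _build_sample(with_macro=False)   # behaves like a plain .docx
SAMPLE_MACRO = _build_sample(with_macro=True)    # behaves like a macro-enabled .docm

if __name__ == "__main__":
    for label, blob in (("clean.docx", SAMPLE_CLEAN), ("invoice.docm", SAMPLE_MACRO)):
        parts = find_vba_parts(blob)
        verdict = "contains VBA project" if parts else "no macros"
        print(f"{label}: {verdict} {parts}")
```

Because the check reads the container rather than trusting the extension, a macro-enabled document renamed to .docx is still caught; a mail gateway or endpoint script can quarantine such attachments before the "enable content" prompt ever reaches the user.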

These payloads and all virus code can also be uploaded to file-sharing networks like BitTorrent, which are used to spread both legitimate and pirated content.

Large-scale attack campaigns can be orchestrated by using browser hijackers: dangerous browser extensions made for the most popular web browsers for the purpose of installing the malicious code. They are uploaded to the relevant extension repositories, often with fake user reviews and an elaborate description promising improvements to the browser.

GarrantyDecrypt Virus – Detailed Analysis

The GarrantyDecrypt virus is malware that is still in an early testing or development phase, as it contains only the ransomware component at this time. An in-depth analysis is not yet available. The known information about its origins so far suggests that it is not based on a well-known malware family, which in turn suggests that it might have been created by the same individual or group behind its distribution.

We anticipate that if the initial attack is successful, updates to its feature list will be made. Some of the possible additions might be the following:

  • Data Retrieval — The GarrantyDecrypt virus can extract valuable information from the compromised machines, such as information about the installed hardware components or strings that can reveal the user's identity. The engine can automatically search for strings such as the person's name, address, phone number and even stored online account information.
  • Persistent Installation — The ransomware can install itself in a persistent state. This means that it will be difficult for the victims to remove it unless an automatic anti-spyware solution is used, because it will modify system configuration files and boot options in order to start automatically whenever the computer is powered on.
  • Windows Registry Changes — The virus engine may also modify registry strings belonging both to the system and to individual user-installed applications. These changes can cause severe performance issues and the inability to run certain functions or launch programs.
  • System Data Removal — The main engine can make it more difficult for the victims to restore their systems. Common tactics include the identification and deletion of System Restore Points, Backups and even Shadow Volume Copies. In these cases the victims will have to use a combination of data recovery and anti-spyware solutions. Refer to our instructions below.
  • Additional Payload Delivery — Active infections with this ransomware can lead to the deployment of other threats. A dangerous example is the delivery of Trojans that can spy on the users, take control of their machines and hijack data before the encryption component begins.
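
Of the possible additions above, the "System Data Removal" step is the one a defender can most readily catch in endpoint telemetry, because deleting restore points, backups and shadow copies requires running a handful of well-known administrative tools. The Python script below is an added example (not from the original article and not derived from any analysed GarrantyDecrypt sample): it runs a few detection rules for recovery-inhibition commands over constructed process-creation records. The command patterns (vssadmin, wmic shadowcopy, bcdedit, wbadmin) are those commonly documented across ransomware families, not taken from this page, and the simplified Sysmon-style record format is an assumption.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style, reduced to the
# fields the check needs). Not taken from the page or from a real incident.
SAMPLE_EVENTS = [
    {"pid": 4012, "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 5120, "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 5133, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 5140, "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 5201, "image": "C:\\Windows\\System32\\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 6001, "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},   # benign: listing, not deleting
]

# Each rule: an analyst-facing label and a case-insensitive pattern over the command line.
# Assumed representative patterns for restore-point / backup / shadow-copy removal.
RULES = [
    ("shadow-copy-delete-vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow-copy-delete-wmic",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery-disabled-bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("backup-catalog-delete-wbadmin",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
]


def detect_recovery_inhibition(events):
    """Return one alert per event whose command line matches a recovery-inhibition rule."""
    hits = []
    for ev in events:
        for label, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"pid": ev["pid"], "rule": label, "cmdline": ev["cmdline"]})
                break  # one alert per process is enough for triage
    return hits


if __name__ == "__main__":
    for hit in detect_recovery_inhibition(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['pid']} rule={hit['rule']}: {hit['cmdline']}")
```

A burst of these alerts from a single user session, a few minutes before files start changing extension, is the point at which isolating the host still saves the bulk of the data; the same rules map directly onto process-creation logging in most SIEMs.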

Malware strains like this one are usually released in small batches against a limited number of targets in order to test how effective the base ransomware engine is. If this trial run proves effective, additional modules can be added to the virus.

GarrantyDecrypt Virus – Encryption Process

When all prior programmed actions have completed, the ransomware engine will run. It follows the classic infection pattern of using a built-in list of target extensions. An example list can include the following data types:

  • Archives
  • Backups
  • Databases
  • Images
  • Videos
  • Music

The victim files will be encrypted and given the .decryptgarranty extension. The captured strains use a ransom note to blackmail the victims; the file is called #RECOVERY_FILES#.txt and reads the following:

All your files has been ENCRYPTED
Do you really want to restore your files?
Write to our email – decryptgarranty@airmail.cc
and tell us your unique ID
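
For incident responders, the two indicators the article does name, the .decryptgarranty extension and the #RECOVERY_FILES#.txt note, are enough to measure the damage on a host. The script below is an added example (not from the original article); it walks a directory tree, counts encrypted files, maps them onto the target categories listed above using an assumed set of representative extensions (the sample's real target list is not published), and records where ransom notes were dropped. The sample folder it builds is constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".decryptgarranty"     # extension named in the article
RANSOM_NOTE = "#RECOVERY_FILES#.txt"   # note file name named in the article

# Assumed representative extensions for the article's target categories.
CATEGORIES = {
    "Archives":  {".zip", ".rar", ".7z", ".tar", ".gz"},
    "Backups":   {".bak", ".bkf", ".vhd", ".vhdx"},
    "Databases": {".db", ".sqlite", ".mdb", ".accdb", ".sql"},
    "Images":    {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".psd"},
    "Videos":    {".mp4", ".avi", ".mkv", ".mov"},
    "Music":     {".mp3", ".flac", ".wav", ".ogg"},
}


def categorize(original_name: str) -> str:
    """Map a file's original (pre-encryption) name onto one of the categories."""
    ext = os.path.splitext(original_name)[1].lower()
    for cat, exts in CATEGORIES.items():
        if ext in exts:
            return cat
    return "Other"


def triage(root: str) -> dict:
    """Walk `root` and summarise damage: encrypted-file count, per-category
    breakdown (by the original extension hidden under .decryptgarranty) and
    the path of every ransom note found."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, name))
    by_category = Counter(
        categorize(os.path.basename(p)[:-len(ENCRYPTED_EXT)]) for p in encrypted
    )
    return {
        "encrypted_count": len(encrypted),
        "by_category": dict(by_category),
        "ransom_notes": sorted(notes),
        "encrypted_files": sorted(encrypted),
    }


def build_sample_tree() -> str:
    """Constructed victim profile folder for the demonstration; nothing here is real data."""
    root = tempfile.mkdtemp(prefix="garranty_triage_")
    layout = {
        "Documents": ["report.docx.decryptgarranty", "budget.xlsx", RANSOM_NOTE],
        "Pictures":  ["holiday.jpg.decryptgarranty", "cat.png.decryptgarranty"],
        "Backups":   ["system.bak.decryptgarranty", RANSOM_NOTE],
        "Music":     ["song.mp3"],   # untouched: encryption may have been interrupted
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for fname in files:
            with open(os.path.join(root, folder, fname), "wb") as fh:
                fh.write(b"constructed placeholder content")
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    print(f"encrypted files: {report['encrypted_count']}")
    for cat, count in sorted(report["by_category"].items()):
        print(f"  {cat}: {count}")
    print("ransom notes dropped in:")
    for path in report["ransom_notes"]:
        print(f"  {os.path.dirname(path)}")
```

Run against a real profile directory, the report tells you which data classes were hit and whether the encryption completed everywhere; directories holding a note but no encrypted files, and untouched files in otherwise affected folders, are both worth a closer look before any restore from backup.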

Remove GarrantyDecrypt Virus and Try to Restore Data

If your computer system got infected with the .decryptgarranty ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as quickly as possible before it has the chance to spread further and infect other computers. Remove the ransomware and follow the step-by-step instructions provided below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.