.Encrypted GX40 Virus – How to Remove - How to, Technology and PC Security Forum | SensorsTechForum.com

.Encrypted GX40 Virus – How to Remove

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

Article created to help remove the GX40 ransomware infection and restore files that have been AES encrypted with the .encrypted file extension appended.

A ransomware virus known as GX40 has been reported by malware researchers to encrypt files on the computers infected by it and then append the .encrypted file extension to them. After encryption, the files can no longer be opened and seem to be corrupt. The infection has also been reported to drop a ransom note with instructions on how to pay a hefty ransom fee to get the files back. Anyone who has been infected by the GX40 ransomware is advised to read the following article thoroughly.

Threat Summary



Short DescriptionThe malware encrypts users files using the AES encryption cipher, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
SymptomsThe user may witness ransom notes and “instructions” screen named GX40 – NOTICE, linking to a web page and a decryptor. Changed file names and the file-extension .encrypted has been used.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by GX40


Malware Removal Tool

User ExperienceJoin our forum to Discuss GX40.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.encrypted GX40 Virus – How Does It Infect

The infection process of GX40 ransomware is similar to any other ransomware virus out there. The virus may initially be distributed with the help of e-mail spam messages with malicious archives and attachments embedded within them. Once those attachments are embedded, they are accompanied by a deceitful messages that trick the user into opening them. They may pretend to be:

  • An invoice for a purchase the user is tricked to have made.
  • A document from a bank, claiming there is suspicious activity.
  • Fake PayPal, FedEx or other documents.

Once the malicious file within the archive is opened, the infection is immediate and the virus uses a loader to drop it’s payload.

Other methods of infection by GX40 ransomware is if the virus takes advantage of fake installers, fake Windows updates and any other file that may seem legitimate. It may even be encountered on torrent websites as a fake game patch or game crack that is usually used to license an unlicensed versions of programs or games.

The .encrypted GX40 Ransomware – Infection Activity

Once the loader of this virus has already dropped it’s malicious files on the victim computer, they are likely situated in the following folders:

  • %AppData%
  • %LocalLow%
  • %Roaming%
  • %Local%
  • %Windows%

Two of the malicious executables belonging to GX40 ransomware infection are recognized to be the following:

GX40 – PayPal Validator.exe

After being activated, the malicious files of the virus may contain a malicious code within them that might modify the shadow volume copies of the infected computer, so that they are deleted without the user noticing. This is achievable by executing the following commands, primarily the vssadmin line:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

In addition to this activity, the GX40 ransomware infection may also tamper with the Windows registry editor of the victim PC, making the malicious executable that encrypts files run when the Windows system boots:

→ HKEY_CURRENT_USER\Control Panel\Desktop\
HKEY_USERS\.DEFAULT\Control Panel\Desktop\

GX40 Ransomware – Encryption Process

The process of encrypting files by this virus is done with the assistance of the Rijndael encryption algorithm also known as AES. The cipher encrypts files in blocks which are 129 bits in size and the strength of it’s encryption may be 128, 192 or 256-bit(strongest) encryption. The encryption algorithm is also used by the U.S. government and it generates a symmetric key after encrypting files. This key is the same for all the locked files and it may be sent to the cyber-criminals’ command and control servers.

Among the files which the GX40 virus targets for encryption are the following types of important files:

  • Microsoft Office documents.
  • OpenOffice files.
  • PDF documents.
  • Text files.
  • Image files.
  • Audio files.
  • Videos.
  • Archived files and different types of archives.

After the encryption process is complete, the files become no longer able to be opened and are appended the .encrypted file extension. They may appear as shown on the image below:

After the encryption, the virus makes sure the user knows of it’s presence by dropping a screen note(see images at the start above) asking to pay an 80$ ransom. It has the following messages within it:

Main Screen:
All of your important files has been encrypted by Ransomware
GX40 Ransomware
Contact me to make payment and make sure to attach yor identifier
[email protected]
IDENTIFIER: {unique A-Z 0-9 digits

by : GX40
All Your Personal Files Are Encrypted
All your data (photos, documents, and other files) have been encrypted with a private and unique key generated fot this computer. It means that yout will not be able to access your files anymore until they’re decrypted. The private key is stored in our servers and the only way to receive your key to decrypt your files is making a payment.
The payment has to be done in Bitcoint to a unique address that we generated for you. Bitcoins are a virtual currency to make online payments. IF you don’t know to get Bitcoins, you can google “HOW TO BUY BITCINS” and follow the instructions.
YOU ONLY HAVE 2 DAYS TO SUBMIT THE PAYMENT! When the provided time ends, the payment will increase to $80. Also, if you dont pay in 7 days, your unique key wil be destroyed and you wont be able to recover your files anymore.
To recover your files and unlock your computer, you mush send 0.07214 BTC or 80 USD, to the next Bitcoin address : 12EN79yZyZpEvfnQPHUqyhEtrWU4W3UrDn

DX40 Virus – How to Remove it and Restore .encrypted Files

Before beginning the removal process of the DX40 infection, recommendations are to focus on backing up all the files of importance, no matter if they are encrypted or usable.

Then, since the DX40 virus may interfere with multiple Windows processes and keep active connection to hosts such as the reported https host www.academyx40.com, it is important to isolate the threat before removing it. One way to do it is by following the manual removal instructions below and after isolating the malware, you can go ahead and proceed with reverting the settings modified by the virus and remove the files yourself. However, if manual removal is not what you are going for, recommendations are to focus on performing the removal process automatically. The best way to do this according to experts is by downloading an advanced anti-malware tool, which will perform the removal processes and protect your computer from future infections, like DX40 ransomware.

After having removed the DX40 ransomware, it is time to focus on the encrypted files. For the moment there is no decryptor available for this particular ransomware threat. However, it is also good to know that there are alternative methods that you can try in step “2. Restore files encrypted by DX40 below”. They may not be 100 percent effective by they may also help recover some of your important files, at least until malware researchers find a free decryption solution, which if happens, we will post a link in this article.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share