GusLocker (ALL YOUR FILES LOCKED!) Virus - How to Remove It

This article has been created to explain what the GusLocker ransomware virus is, how you can try to remove it from your computer, and how to attempt to restore the files it has encrypted.

A new ransomware virus, known as GusLocker, has been detected by cyber-security researchers. The virus aims to lock the files on the victim's computer so that they can no longer be opened, at least until the victim pays a ransom to get them back. The virus also leaves an intimidating ransom note, called "ALL YOUR FILES LOCKED!", which asks victims to pay a ransom to retrieve their files. If your computer has been affected by the GusLocker ransomware, we recommend that you read this article: it aims to help you remove GusLocker from your computer and to show you ways in which you can try to recover the files encoded by this ransomware infection on your PC.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: Holds your files hostage until you pay a ransom in Bitcoin.
Symptoms: The files on the victim's computer become heavily encrypted and cannot be opened until a ransom is paid. Ransom instructions are also dropped.
Distribution Method: Spam e-mails, e-mail attachments, executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors to recover lost files and cannot recover 100% of the encrypted files, only some of them, depending on the situation and on whether or not you have reformatted the drive.

GusLocker – How Does It Infect

To infect computers, GusLocker may spread an infection file, which is responsible for directly infecting the victim's PC. These files may be spread either via spammed e-mail messages or via malicious sites. If spread by e-mail, the files may pose as legitimate e-mail attachments, such as:

  • Invoices.
  • Receipts for purchases.
  • Banking statements and documents.
  • Account retrieval forms.

The cyber-criminals may also be cunning enough to impersonate someone from the victim's contact list in the e-mails. In most cases the malspam e-mails tend to imitate large companies, such as PayPal, eBay and several other big ones.

Besides this, GusLocker may also be spread in other forms, such as being posted online while pretending to be some sort of patch or crack fix for a game or a program.

GusLocker – Activity

The main activity of GusLocker involves dropping its malicious files after infection. The primary malicious file of the virus can be identified by the following hash:

→ 5B58CCBB150683D0608C236F242ABC90

When an infection happens, GusLocker drops its malicious files in the following folder:

→ C:\Users\TheJustGus\source\repos\GUScryptolocker

Once there, the virus may perform a series of malicious activities on the victims' computers, such as:

  • Creating mutexes.
  • Interfering with Windows system files.
  • Interfering with the Windows Command Prompt.
  • Interfering with the Windows Registry Editor.
  • Interfering with the Task Scheduler.

If the GusLocker ransomware virus interacts with the Windows Registry Editor, it may create several registry entries under the following Windows sub-keys to get its malicious "GusLocker" file to run automatically:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion

After it has done so, GusLocker ransomware may delete the shadow volume copies of the infected machine by running a script like the one below as an administrator in the Windows Command Prompt (the commands stop backup, security and update services, disable Windows recovery at boot, and finally delete all shadow copies):

→ sc stop VSS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd /C bcdedit /set {default} recoveryenabled No
cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
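As an added defensive example (not part of the original article), the following Python snippet shows detection logic for the command pattern above, run over a few constructed process-creation events (Sysmon-style, flattened to one key=value line each). The event lines, image paths and rule names are constructed for illustration; the command patterns mirror the script the article quotes.

```python
import re

# Constructed sample process-creation events (not real telemetry).
# A real source would be Sysmon Event ID 1 or Windows Security 4688.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Windows\System32\sc.exe CommandLine="sc stop VSS" ParentImage=C:\Users\victim\Downloads\invoice.exe',
    r'EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine="cmd /C bcdedit /set {default} recoveryenabled No" ParentImage=C:\Users\victim\Downloads\invoice.exe',
    r'EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /C vssadmin.exe Delete Shadows /All /Quiet" ParentImage=C:\Users\victim\Downloads\invoice.exe',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe notes.txt" ParentImage=C:\Windows\explorer.exe',
    r'EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows" ParentImage=C:\Windows\System32\cmd.exe',
]

# Detection rules: (name, regex over CommandLine). Case-insensitive and
# tolerant of extra spacing; "vssadmin list shadows" (benign admin use) does not match.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("boot_recovery_disabled", re.compile(r"bcdedit\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("protection_service_stopped", re.compile(r"\bsc\s+stop\s+(vss|wscsvc|windefend|wuauserv|bits|ersvc|wersvc)\b", re.I)),
]

# key=value pairs; values may be double-quoted (command lines contain spaces)
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Turn one flattened key=value event line into a dict."""
    out = {}
    for m in FIELD.finditer(line):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return out


def detect(lines):
    """Return (rule_name, parent_image, command_line) for every event that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((name, ev.get("ParentImage", ""), cmd))
    return hits


def suspicious_parents(hits):
    """Parent processes that triggered two or more distinct rules: the chained
    pattern (stop services, disable recovery, wipe shadows) is the ransomware signal."""
    by_parent = {}
    for name, parent, _ in hits:
        by_parent.setdefault(parent, set()).add(name)
    return {p for p, names in by_parent.items() if len(names) >= 2}
```

A single hit (for example one `sc stop` by a legitimate installer) is worth logging; a parent that chains several of these rules within a short window is worth isolating the host over.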

Having done this, GusLocker also aims to inform victims of its presence on their computers by showing its ransom note. It appears as follows:

Image text:

YOUR PID:{custom id}
Send us an email
Write your ID at title of mail and country at body of mail and wait answer.
You have to pay some bitcoins to unlock your files!
If you try to unlock your files. you may lose access to them!
No one can guarantee you a 100% unlock except us!
How to buy bitcoin

GusLocker Encryption Process

So far, it is known that GusLocker aims to hunt for the files on the infected computer that are most often used, without encrypting important system files belonging to Windows. To achieve its final goal, GusLocker may download and run a file encryption procedure that scans for files based on their file extensions, for example:

→ "PNG PSD .PSPIMAGE .TGA THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .indd .PCT .PDF .xlr .XLS .XLSX .ACCDB .DB DBF MDB .PDB .SQL .apk Files .APP .BAT .CGI .COM .EXE .gadget .JAR .pif .wsf .dem .GAM NES .ROM .SAV CAD DWG DXF GIS .GPX .KML .kmz .ASP .ASPX .CER .CFM .csr .CSS .HTM .HTML .JS .jsp .PHP .rss .xhtml .DOC .DOCX .LOG .MSG .ODT .pages .RTF .tex .TXT .WPD .WPS .CSV .DAT .ged .KEY .KEYCHAIN .pps .PPT .PPTX .INI .PRF Encoded Files .HQX .mim .UUE .7z .cbr .DEB .GZ .PKG .RAR .RPM .SITX .tar.gz .ZIP .zipx .BIN CUE .DMG .ISO .MDF .toast .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .aif .IFF .M3U .M4A .MID .MP3 AMF .WAV .WMA Video .3g2 .3GP .ASF .AVI FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3dm .3DS .MAX .OBJ R.BMP .dds .GIF .JPG .CRX .plugin .FNT .FON .OTF .TTF CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .icns .ICO LNK .SYS .CFG"

After the files are encrypted, GusLocker may set either a fixed or a random file extension on the encrypted files. Then the ransomware virus may either delete itself or remain to monitor your computer's activity.

Remove GusLocker and Try Restoring Encrypted Files

Before beginning the removal process of GusLocker ransomware, we recommend that you back up your files, just in case. Then you should follow the removal instructions below this article. They have been written for both a manual and an automatic approach, so that if one fails you can try the other. Be advised that, according to cyber-security experts, the best way of dealing with malware like GusLocker is to download an advanced anti-malware program and scan your computer with it. Such a program aims to remove all files and folders related to GusLocker on your PC and to revert all settings changed by it.

If you want to try to restore files encrypted by GusLocker, be advised that direct decryption is not available so far. However, we are following the situation with GusLocker and will update this article as soon as a free decryptor becomes available. In the meantime, you can see step "4. Try to restore files encrypted by GusLocker" below. It contains alternative file recovery methods that may not be 100% effective at restoring your files, but may at least help you recover some of the encoded data.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software developments and newest technology at SensorsTechForum for 3 years. He started out as a network administrator. Having graduated in marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cyber-security that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in the basic education of every user towards online safety.
