Remove GarryWeber Virus and Restore .id-[ID] Files

This article will help you remove the GarryWeber virus in full. Follow the ransomware removal instructions provided at the bottom of this article.

GarryWeber is a ransomware cryptovirus. Your files are encrypted and receive the extension .id-[ID] when the encryption process completes. The GarryWeber ransomware then displays a ransom note with payment instructions. Read on to see which methods you can try in order to recover some of your data.

Threat Summary

Short Description: The ransomware encrypts files on your computer and shows a ransom note afterward.
Symptoms: The ransomware encrypts your files and appends the .id-[ID] extension to each of them once the encryption process is done.
Distribution Method: Spam emails, email attachments
Detection Tool: See if your system has been affected by GarryWeber (malware removal tool)
User Experience: Join our forum to discuss GarryWeber.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files but only a few of them, depending on the situation and whether or not you have reformatted your drive.

GarryWeber Virus – Delivery Methods

The GarryWeber ransomware can be delivered in various ways. The file that drops the ransomware payload, which contains the malicious script, can be delivered through several different sources. You can see an example of such a file, as examined by the VirusTotal service, below.

The dropper for the GarryWeber payload could also be delivered via file-sharing services or social media networks. Freeware applications might be promoted as useful while hiding the downloader for the payload. Do not open files right after you have downloaded them, especially if they came from an unknown source. Scan such files with a security tool first, and afterward check for anything that seems out of the ordinary. You can read the ransomware prevention tips topic in our forum.

GarryWeber Virus – In Depth

The ransomware cryptovirus discussed here was dubbed GarryWeber because of the extension it leaves on encrypted files. The extension is .id-[ID] and is appended to every encrypted file right after its original name, leaving the original extension intact.

Moreover, the GarryWeber ransomware could create entries in the Windows Registry to achieve persistence. Such registry entries are designed to launch the virus automatically at every start of the Windows operating system and to suppress error notifications.

According to some malware researchers, the GarryWeber ransomware is thought to be of Brazilian origin. One indication of that is the brief ransom message, displayed after the encryption process, which is written in a mixture of Portuguese and English. You can preview the message in the screenshot below:

The message states the following:

Todos os seus arquivos estão criptografados!
All your files are encrypted!
Abra o arquivo “HOW_OPEN_FILES” no seu desktop para mais informações.

Open icon from desctop: “HOW_OPEN_FILES” for more information.

The above ransom message points to the ransom note, which is apparently inside the file named "HOW_OPEN_FILES.html". The ransom note states all of the cybercriminals' demands, including the price, along with everything else. The note is also written in a mixture of Portuguese and English, and it copies the note of the Globe ransomware virus. You can check out the ransom note in the snapshot provided below:

The criminals behind the GarryWeber ransomware virus are trying to imitate the Globe ransomware, and it is uncertain whether their virus has flaws in its code. You should NOT under any circumstances pay these crooks. Nobody can guarantee whether your files will be recovered or not. Furthermore, you should never give money to criminals, as this will most likely just support them financially and give them enough motivation to create other ransomware viruses or commit more criminal acts.

The GarryWeber ransomware targets files with the following extensions for encryption:

→.bmp, .docx, .jpg, .mp3, .pdf, .png

A full list of file extensions that can get encrypted is not yet known, but the article will be duly updated if such a list appears. Every encrypted file gets one and the same extension appended to it, namely .id-[ID]. The extension does not alter the file name or its original extension; it is placed as a second extension after the original one.
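The naming scheme described above (original name and extension kept, marker appended as a second extension) is enough to build a quick triage inventory of which files on a share or backup were touched. The script below is an added example written for this article, not code from the article or from any analysis of the sample; the exact shape of the [ID] value is not given on the page, so the pattern accepts any run of characters after "id-", and the file names and ID in the sample listing are constructed.

```python
import re
from collections import Counter

# The page states the marker is appended after the full original name,
# e.g. "report.docx" -> "report.docx.id-[ID]". The shape of [ID] is not
# given on the page, so any non-dot, non-space run after "id-" is
# accepted (an assumption).
MARKER_RE = re.compile(r"^(?P<original>.+)\.id-(?P<id>[^.\s]+)$")


def split_marker(filename):
    """Return (original_name, victim_id) if the file carries the marker, else None."""
    m = MARKER_RE.match(filename)
    if not m:
        return None
    return m.group("original"), m.group("id")


def original_extension(original_name):
    """Extension of the original file, lower-cased, or '' when it had none."""
    dot = original_name.rfind(".")
    return original_name[dot:].lower() if dot > 0 else ""


def inventory(filenames):
    """Summarise a listing: marked files, their original extensions, IDs seen.

    This recovers original *names* only; the file contents stay encrypted.
    """
    marked = {}
    ext_counts = Counter()
    ids = set()
    for name in filenames:
        parts = split_marker(name)
        if parts is None:
            continue
        original, victim_id = parts
        marked[name] = original
        ext_counts[original_extension(original)] += 1
        ids.add(victim_id)
    return {"marked": marked, "by_extension": dict(ext_counts), "ids": sorted(ids)}


# Constructed sample listing; the ID value "A1B2C3D4" is made up for the example.
SAMPLE_LISTING = [
    "budget.docx.id-A1B2C3D4",
    "holiday.jpg.id-A1B2C3D4",
    "track01.mp3.id-A1B2C3D4",
    "HOW_OPEN_FILES.html",   # ransom note, not an encrypted file
    "notes.txt",             # untouched file
    "archive.id-A1B2C3D4",   # original file had no extension at all
]

if __name__ == "__main__":
    summary = inventory(SAMPLE_LISTING)
    for name, original in summary["marked"].items():
        print(f"{name} -> {original}")
    print(summary["by_extension"], summary["ids"])
```

Grouping by original extension gives a first impression of what the sample went after (compare with the extension list above), and more than one ID in the same listing would suggest several infected hosts writing to the same share.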

The GarryWeber cryptovirus is highly likely to delete the Shadow Volume Copies from the Windows operating system by executing the following command in the Command Prompt:

→vssadmin.exe delete shadows /all /Quiet

The virus could execute other commands in the Command Prompt as well. Read below to see which methods you can try in order to restore some of your files.
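Because deleting shadow copies is a step many ransomware families share, a process-creation event for the vssadmin command above is a high-value alert regardless of which family runs it. The following detection logic is an added example written for this article, not the article's or any vendor's code; the log format (ISO timestamp, host, event name, then key="value" fields) and all of the log lines are constructed, and the matcher deliberately tolerates case differences, full paths and a cmd.exe /c wrapper around the command.

```python
import re

# Constructed process-creation log lines (not from the article). The format
# is an assumption used only for this example.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z ws-17 ProcessCreate user="CORP\\alice" image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin.exe list shadows" parent="cmd.exe"
2024-05-01T09:14:41Z ws-17 ProcessCreate user="CORP\\alice" image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c vssadmin.exe delete shadows /all /Quiet" parent="setup.exe"
2024-05-01T09:14:42Z ws-17 ProcessCreate user="CORP\\alice" image="C:\\Windows\\System32\\vssadmin.exe" cmdline="vssadmin.exe delete shadows /all /Quiet" parent="cmd.exe"
2024-05-01T09:20:00Z ws-03 ProcessCreate user="CORP\\backup" image="C:\\Windows\\System32\\vssadmin.exe" cmdline="VSSADMIN.EXE Delete Shadows /For=D: /Oldest" parent="backup-agent.exe"
2024-05-01T09:25:10Z ws-17 ProcessCreate user="CORP\\alice" image="C:\\Windows\\notepad.exe" cmdline="notepad.exe HOW_OPEN_FILES.html" parent="explorer.exe"
"""

HEADER_RE = re.compile(r"^(\S+) (\S+) (\S+) ")
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    head = HEADER_RE.match(line)
    if not head:
        return None
    event = {"ts": head.group(1), "host": head.group(2), "event": head.group(3)}
    event.update(FIELD_RE.findall(line))
    return event


def is_shadow_deletion(cmdline):
    """True when the command line asks vssadmin to delete shadow copies.

    Matching is case-insensitive, ignores the directory part of each token
    and therefore also catches the command when wrapped in "cmd.exe /c".
    """
    names = [t.lower().rsplit("\\", 1)[-1] for t in cmdline.split()]
    has_vssadmin = any(n in ("vssadmin", "vssadmin.exe") for n in names)
    return has_vssadmin and "delete" in names and "shadows" in names


def scan(log_text):
    """Return the process-creation events that delete shadow copies."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev.get("event") != "ProcessCreate":
            continue
        if is_shadow_deletion(ev.get("cmdline", "")):
            hits.append({
                "ts": ev["ts"],
                "host": ev["host"],
                "user": ev.get("user", ""),
                "parent": ev.get("parent", ""),
                "cmdline": ev["cmdline"],
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["host"]} {hit["user"]} parent={hit["parent"]}: {hit["cmdline"]}')
```

The parent process is carried into each hit on purpose: the two events on ws-17 launched from an unknown setup.exe are the ransomware pattern, whereas the event on ws-03 launched by a backup agent is the kind of scheduled deletion an analyst would want to confirm and allow-list rather than blindly act on.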

Remove GarryWeber Virus and Restore .id-[ID] Files

If your computer has been infected with the GarryWeber ransomware virus, you should have some experience in removing malware. Get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. Remove the ransomware by following the step-by-step instructions provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
