[mrpeterson@cock.li].GFS Files (GEFEST Ransomware) - How to Remove

[mrpeterson@cock.li].GFS Files (GEFEST Ransomware) – How to Remove

This article is made to explain to you what is the [mrpeterson@cock.li].GFS files ransomware virus and how you can remove this variant of Gefest ransomware from your computer and how you can try and restore .GFS encrypted files.

A ransomware virus, using the .GFS extension was recently detected to cause a heap of trouble for users. The malware may or may not be a version, deriving from the

Scarab Gefest family of viruses. This is a virus that enters your computer silently and then performs number of malicious activities that result in you no longer being able to open your files because they are encrypted. The encrypted files have overwritten data in them, preventing them from being used and we are talking about the most commonly used file types on the infected computer. After encryption, a ransom note is dropped, called “HOW TO RECOVER ENCRYPTED FILES.txt” and it has instructions for victims how they can pay ransom to buy off the access to their files again – something which is NOT recommended. If your computer has been infected by the [mrpeterson@cock.li].GFS files ransomware, read this article to learn how to remove this ransomware safely and how to try other methods to restore your files, that do not involve paying criminal hackers.

Threat Summary

Name[mrpeterson@cock.li].GFS GEFEST Virus
TypeRansomware, Cryptovirus
Short DescriptionPossibly a variant of Gefest Ransomware. Encrypts files and asks victims of infected computers to pay ransom in cryptocurrecnies to get the files to be decoded and work again.
SymptomsInfects the computer and then adds the [mrpeterson@cock.li].GFS file extension. The ransomware also adds the “HOW TO RECOVER ENCRYPTED FILES.txt” ransom note, containing the extortionist message.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by [mrpeterson@cock.li].GFS GEFEST Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss [mrpeterson@cock.li].GFS GEFEST Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

[mrpeterson@cock.li].GFS Files Ransomware – How Did I Get It

The most likely method via which your computer may have caught the [mrpeterson@cock.li].GFS Files Virus could be if you opened a malicious e-mail attachment. Usually e-mails account for over 80% of ransomware infection and the GEFEST virus being of this type, it may be spread via this method. What the crooks do is they send you an e-mail, containing the infection file off GEFEST ransomware and this file could be pretending to be:

  • An invoice.
  • Purchase receipt.
  • Report for a revoked plane ticket or an online purchase.
  • Document from a bank, concerning a loan or something similar.
  • Document stating you broke the law.

Another likely scenario via which viruses, like GEFEST ransomware could be spread is for the crooks to upload the infection file on multiple third-party sites and wait for the victim to download the virus and open it. Usually these sites are low-reputation websites or compromised WordPress sites, where the malware may reside, pretending to be:

  • A software setup.
  • Portable program./span>
  • Activator for a license.
  • Crack.
  • Key generator.

[mrpeterson@cock.li].GFS Files Ransomware – Activity

Once your computer becomes a victims with [mrpeterson@cock.li].GFS file ransomware, the virus’s files may be dropped in the following directories:

  • %AppData%
  • %Roaming%
  • %Temp%
  • %Local%
  • %LocalLow%

The [mrpeterson@cock.li].GFS ransomware may also drop its ransom note file on the infected computers. It has the following contents:

“HOW TO RECOVER ENCRYPTED FILES.txt” ransom note’s content:


Your files has been encrypted using RSA2048 algorithm with unique public-key stored on your PC.

There is only one way to get your files back: contact with us, pay, and get decryptor software.

We accept Bitcoin, and other cryptocurrencies, you can find exchangers on bestbitcoinexchange.io

You have unique idkey , write it in letter when contact with us.

Also you can decrypt 1 file for test, its guarantee what we can decrypt your files.


Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Contact information:

primary email: mrpeterson@cock.li

reserve email: debora2019@airmail.cc

Your unique idkey:

Besides te ransom note, victims can also miss out multiple hidden activiites that may be done by the [mrpeterson@cock.li].GFS virus, such as:

  • Execute commands in Windows Command Prompt.
  • Obtain your location and IP address.
  • Perform privilege escalation.
  • Obtain administrator permissions.
  • Create mutexes.

Furthermore, the GEFEST Ransomware virus may also tamper with the Run an RunOnce registry sub-keys, where value strings with data may be created in order to run the virus file each time you start Windows. The sub-keys have the following locations:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The [mrpeterson@cock.li].GFS may also delete the shadow copies on the computers that have been infected by it by executing the following commands as an administrator on victimized machines:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

[mrpeterson@cock.li].GFS Ransomware – Encryption

The files that could become encrypted as a result of an infection with [mrpeterson@cock.li].GFS ransomware could end up to be from the following file types:


After GEFEST ransomware encrypts those files, the virus may generate a uniuqe RSA decryption key for each file, which makes decrption much more difficult than normal. The ransomware may then leave the files looking like the following:

Remove GEFEST Ransomware and Try Restoring .GFS Files

If you want to get rid of the Gefest ransomware virus, we strongly advise you to do a backup of your files first, even though they cannot be opened. This is done to make sure that your files do not get permanently damaged during the removal process. The safest process is to create a system image of Windows, instructions for which can be found on the following URL. This avoids damage to your files by CBC(cipher block chaining) and other mechanisms ransomware viruses, like GEFEST may use to permanently damage your files if you tamper with them or try to change their extension.

To remove GEFEST Ransomware, you are welcome to try the manual removal steps underneath this article. Their main idea is to help you manually find and delete the files of GEFEST ransomware from your computer. If manual removal does not work or you want a fast and effective solution, then we recommend that you follow the automatic removal steps under step 1 and 2 below. They include scanning your computer with an advanced anti-malware software, the main idea of which is to scan your computer easily and detect and remove any virus files, belonging to GEFEST ransomware automatically from it. Installing such software also minimises the risk of your computer becoming a ransomware victim in the future too.

If you want to try and recover your files, you can see the “Try to restore” step underneath. It contains a lot of file recovery methods that can assist you in getting at least some of your data back. Be advised that the methods may not be 100% effective, but they are a good temporary solution, at least until researchers release a working decryption tool, which will be added in this article as an update when released. Keep following this post for further updates on the situation.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:


  1. Avatarmarcos

    estou com esta encriptação em meus arquivos… so q nao sabia ainda do que se tratava formatei meu pc… e agora nao tem nenhuma chave de decriptação…. e perdi as artes da gráfica q trabalho… o.O

  2. AvatarSZA



Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share