A virus-encoder has been detected by malware researchers to pretend to be CryptoLocker Ransomware and encrypt the user files with .Z81928819 alpha numerical file extension. The ransomware is named Ghost Crypt by malware researchers who also report that it creates a READ_THIS_FILE.txt ransom note which notifies the users that their files have been encrypted. Users who have become victims of this infections are advised to immediately remove it and decrypt their files using the tools provided in the instructions of this article.
|Short Description||The ransomware encrypts files with the RSA cipher and asks a ransom for decryption.|
|Symptoms||Files are encrypted and become inaccessible. A ransom note with instructions for paying the ransom shows as a READ_THIS_FILE.txt file.|
|Distribution Method||Spam Emails, Email Attachments, File Sharing Networks.|
|Detection Tool|| See If Your System Has Been Affected by GhostCrypt |
Malware Removal Tool
|User Experience||Join our forum to Discuss GhostCrypt Crypto Virus.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
GhostCrypt Ransomware – Distribution
- Malicious web links posted as spam on forums and other places online.
- Malicious URLs posted in e-mail messages that are fake and resemble a service the user is likely to click on.
- Malicious e-mail attachments that may represent documents which the user is convinced to open.
- Malicious executable files that may be uploaded as fake setups on shady websites or even crack fixes for games posted on torrent websites.
GhostCrypt Ransomware In Detail
Once the malicious executable of GhostCrypt invades your computer, it may perform several activities that are characteristic for most ransomware viruses:
Create files with different names in the following Windows file folders:
Modify different registry entries in the following registry subkey:
Execute the following command to delete shadow volume copies:
After these are done, GhostCrypt may begin to encrypt user files, appending the .Z81928819 file extension. Researchers at Bleeping Computer report that the virus scans for the following files to encode:
→ .asp, .aspx, .avi, .bk, .bmp, .css, .csv, .divx, .doc, .docx, .eml, .htm, .html, .index, .jpeg, .jpg, .lnk, .mdb, .mkv, .mov, .mp3, .mp4, .mpeg, .msg, .odt, .ogg .pdf, .php, .png, .ppt, .pptx, .psd, .rar, .sln, .sql, .txt, .wav, .wma, .wmv, .xls, .xlsx, .xml, .zip
After encryption, the ransomware lays the following ransom message In an READ_THIS_FILE.txt document:
GhostCrypt Ransomware – Conclusion, Removal and Decryption
The bottom line is that most likely this is another variant of the so – called Hidden Tear project – an open source project on which most variants are based. Researchers believe that this is the case and users are strongly advised not to pay the ransom.
If you want to remove GhostCrypt ransomware and completely restore your data, be advised that you are very lucky, because a decryptor has been created. Just make sure to follow the removal and decryption instructions posted after this article and you should be able to decrypt .Z81928819 encrypted files. For decryption instructions, it is recommended to check the step named, “Decrypt Files, Encrypted by GhostCrypt.”