Remove Gomasom Ransomware and Restore .crypt Files - How to, Technology and PC Security Forum |

Remove Gomasom Ransomware and Restore .crypt Files

Unfortunately, ransomware has become one of the most prevalent and damaging cyber threats. New variants of popular ransomware pieces emerge all the time, as well as brand new cases. Gomasom ransomware has been just detected in the wild. Gomasom has been first documented by Fabian Wosar from Emsisoft. The name itself comes from Google Mail Ransom, because Gmail email addresses are used in the encrypted file names.

Short DescriptionEncrypts data files and executables.
SymptomsFiles are encrypted and renamed.
Distribution MethodNot known yet.
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by Gomasom
User ExperienceJoin our forum to follow the discussion about Gomasom.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

In comparison with other ransomware cases, Gomasom is a newcomer on the malware horizon, being active for the past few weeks.

Gomasom gets its name from GOogle MAil ranSOM and typically operates by infecting users and then encrypting their files, dropping Gmail address in the file’s name, and appending a .crypt file extension.

If you were infected by Gomasom and have questions about it, do share them with us.

A topic dedicated to Gomasom has been started in our forum: How to Restore [filename]!__.crypt Files

Gomasom Ransomware Technical Description

Researchers have reported that Gomasom is quite destructive, because it encrypts both user data files as well as executable files. When this ‘double’ encryption is done, most of the victim’s applications will not work. Once the ransomware is inside the computer, it will change the names of the files to [filename].jpg!__[symbols]@gmail.com_.crypt. In order to receive payment instructions, the victim is supposed to send an email to the address in the file name.

Gomasom Ransomware Distirbution

The exact distribution method of this particular ransomware is not yet known. However, most ransomware pieces are spread via:

  • Suspicious links redirecting to pages hosting exploit kits;
  • Spam email campaigns and malicious attachments;

The Trojan horse that is most likely spreading Gomasom also hasn’t been identified.

Gomasom Ransomware Encryption and Decryption

As already mentioned, the ransomware encrypts both data and executable files, making the victim’s programs unfunctional. Once it is installed on the system, Gomasom will create a malware executable with a random name, place it in C:\Users\User\AppData\Local\Microsoft Help\ and create an autorun so that it starts every time the Windows starts.

When the system is started, Gomasom will scan all drive letters for data and executable files to encrypt. Upon encryption, files will be renamed to [filename]!__.crypt.

Interestingly enough, Gomasom doesn’t leave a ransomware note.

The good news is that there is a solution to Gomasom encryption and it has been developed by Emsisoft. All you need to do is download the decrypt_gomasom.exe from


How to use decrypt_gomasom.exe?

To discover the needed decryption key, the user should drag an encrypted file and unencrypted version of the same file and drop them on the decrypt_gomasom.exe icon. More instructions on how to use the decryptor for Gomasoft are available on Bleeping Computer.

In order to remove all leftovers of Gomasom ransomware, refer to our removal instructions below.

1. Boot Your PC In Safe Mode to isolate and remove Gomasom
2. Remove Gomasom with SpyHunter Anti-Malware Tool
3. Remove Gomasom with Malwarebytes Anti-Malware.
4. Remove Gomasom with STOPZilla AntiMalware
5. Back up your data to secure it against infections and file encryptions by Gomasom in the future
NOTE! Substantial notification about the Gomasom threat: Manual removal of Gomasom requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share