GusLocker (ALL YOUR FILES LOCKED!) Virus – How to Remove It

GusLocker (ALL YOUR FILES LOCKED!) Virus – How to Remove It

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article has been created to explain what is GusLocker ransomware virus and how you can try and remove it from your computer, plus how to attempt and restore files, encrypted by it.

A new ransomware virus, known as GusLocker has been detected by cyber-security researchers. The virus aims to lock the files on the victim’s computer and then leave them no longer able to be opened, at least until the victim pays ransom to get them back. The virus also leaves an intimidating ransom note, called “ALL YOUR FILES LOCKED!” which asks victims to pay ransom to retrieve their files. If your computer has been affected by the GusLocker ransomware, we recommend that you read this article as it aims to help you remove GusLocker from your computer and aims to show you ways via which you can try and recover files, encoded by this ransomware infection on your PC.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionHolds your files hostage until you pay ransom in BitCoin.
SymptomsThe files on the victim’s computer become heavily encrypted and can not be opened until a ransom is paid. Ransom instructions are also dropped.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by GusLocker


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss GusLocker.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

GusLocker – How Does It Infect

To infect computers, GusLocker may spread an infection file, which is responsible for directly infecting the victim PC. These files may be spread either via spammed e-mail messages or via malicious sites. If spread by e-mail, the files may pose as legitimate e-mail attachments, from the likes of:

  • Invoices.
  • Receipts for purchases.
  • Banking statements and documents.
  • Account retrieval forms.

The cyber-criminals may also become very cunning and imitate someone from the victim’s friend list in the emails. In most cases the malspam e-mails tend to imitate large companies, like PayPal, eBay and several other big ones.

In addition to this, GusLocker may also be spread via other forms as well, such as being posted online and pretend to be some sort of a patch or a crackfix for a game or a program.

GusLocker – Activity

The main activity of GusLocker invloves dropping it’s malicious files after infection. The primary malicious file of the virus can be identified with the following hash:

→ 5B58CCBB150683D0608C236F242ABC90

When an infection happens, GusLocker drops it’s malicious files in the following folder:

→ C:\Users\TheJustGus\source\repos\GUScryptolocker

Once there, the virus may perform series of malicious activitie son the victims’ computers, such as:

  • Creating mutexes.
  • Interfering with Windows system files.
  • Interfering with the Windows Command Prompt.
  • Interfering with the Windows Registry Editor.
  • Interfering with the Task Scheduler.

If the GusLocker ransomware virus interacts with the Windows Registry Editor, the ransomware virus may create several registry entries in the following Windows sub-keys to get it’s malicious “GusLocker” file to run automatically:
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion

Once having done this, GusLocker ransomware may delete the shadow volume copies of the infected machine by running a script, like the one below as an administrator in Windows Command Prompt:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

Having done this, GusLocker also aims to inform victims of it’s presence on their computers by showing it’s ransom note. It appears like the following:

Text from image:

YOUR PID:{custom id}
YOUR PERSONAL EMAIL: [email protected]
Email us
Write your ID at title of mail and country at body of mail and wait answer.
You have to pay some bitcoins to unlock your files!
If you try to unlock your files. you may lose access to them!
No one can guarantee you a 100% unlock except us!
How to buy bitcoin

GusLocker Encryption Process

So far, it is known that GusLocker aims to hunt for the files on the infected computer that are most often used, without encrypting important system files, belonging to Windows. To reach it’s end goal, GusLocker may download and run a file encryption procedure which scans for the files based on their file extensions, for instance:


After the files are encrypted, GusLocker may set either a fixed or a random file extension to the encrypted fils. Then, the ransomware virus may either self delete or remain to monitor your computer’s activity.

Remove GusLocker and Try Restoring Encrypted Files

Before begginng the removal process of GusLocker ransomware, we recommend that you backup your files, just in case. Then, you should follow the removal instructions that are underneath this article. They have been created in manual and automatic approach so that if one fails, you should try the other. Be advised that according to cyber-security experts, the best way of dealing with malware, like GusLocker is to downlaod and scan your computer, using an advanced anti-malware program. Such program aims to remove all files and folders, related to GusLocker on your PC and remove all settings changed by it.

If you want to try and restore files, infected by GusLocker, be advised that direct encryption is so far not available. However, we are following the situation on GusLocker and will update this article as soon as there is a free decryptor available. In the meantime you can see step “4. Try to restore files, encrypted by GusLocker” below. It contains alternative file recovery methods that may not be 100% effective to restore your files but may at least help you recover some of the encoded data.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share