Ghost Ransomware Removal Guide

Do you know what Ghost Ransomware is?

Ghost Ransomware is a persistent malicious application: once it infects the system, it might keep checking for new files to encipher for as long as it is running. Unfortunately, our computer security specialists say the malware can auto-start with the operating system, so even if you restart the computer, the threat could start running again. Therefore, we recommend against creating any new data on the infected device for as long as the malicious application remains on the system. If you want to get rid of Ghost Ransomware, you could follow the removal guide available at the end of this article, or you could employ a reputable antimalware tool of your choice. However, no matter how you decide to erase the malware, we highly recommend reading the rest of the article to learn more about the ransomware application and what you can do to avoid such threats in the future.

Our researchers say there are three most likely scenarios of how Ghost Ransomware could enter the system. The first one is via spam emails. Always remember that an attachment carrying a malicious threat may not look harmful; for example, it could seem like a simple text document or an image. Thus, it is best to be cautious with all files received from unknown sources and scan them with a reputable antimalware tool first. The second scenario is downloading the threat from torrent and other untrustworthy file-sharing websites. Sites distributing pirated software and unknown freeware might contain various infections, so if you want to keep your system safe, we recommend downloading programs from legitimate sites instead. The third is the exploitation of system vulnerabilities such as unsecured RDP connections, so it is also essential to keep the system protected, for example, by using strong passwords.

When the malware’s installer is launched, the threat should try to settle in by creating copies of itself in the %APPDATA% and %HOMEDRIVE% directories. Also, the malicious application ought to create Registry entries under the HKCU\SYSTEM\ControlSet001\services and HKCU\SYSTEM\CurrentControlSet\services keys. Right after this, the threat is supposed to start encrypting the user’s files, for example, pictures, documents, videos, archives, etc. You can easily tell affected files apart by looking at their names. Data that was enciphered should have a second extension called .Ghost, for example, picture.jpg.Ghost. Ghost Ransomware’s next step is to display a ransom note. It should be shown in a red pop-up window called Ghost. It demands that the victim pay for decryption tools and asks them to contact the hackers after transferring the money to receive them. Needless to say, there is no knowing if the cybercriminals will deliver such tools as promised, which is why we recommend against paying the ransom.

As we mentioned earlier, the malicious application can continue to cause you trouble as long as it stays on the computer. Thus, we believe it would be best to erase it if you want to keep using the infected device. To eliminate Ghost Ransomware manually, you should complete the steps listed in the removal guide placed below. However, if the steps seem complicated, you could employ a reputable antimalware tool instead and let it take care of the threat for you.

Eliminate Ghost Ransomware

  1. Press Ctrl+Alt+Delete.
  2. Choose Task Manager and check the Processes tab.
  3. Locate a process called GhostService.exe or one with a similar name.
  4. Choose the malicious process and click End Task.
  5. Exit Task Manager.
  6. Press Windows Key+E.
  7. Navigate to the suggested paths:
    %TEMP%
    %USERPROFILE%\Desktop
    %USERPROFILE%\Downloads
  8. Identify a file launched when the system got infected, right-click the malicious file and select Delete.
  9. Navigate to: %HOMEDRIVE%
  10. Locate the following files:
    GhostForm.exe
    GhostHammer.dll
    GhostFile.dll
  11. Right-click them and select Delete.
  12. Go to this location: %APPDATA%
  13. Find a folder titled Ghost. It should contain these files: Ghost.bat, GhostHammer.dll, GhostService.exe.config, GhostService.pdb, and GhostService.vshost.exe.
  14. Right-click the described folder and choose Delete.
  15. Exit File Explorer.
  16. Press Windows Key+R, type Regedit and choose OK.
  17. Navigate to these paths:
    HKCU\SYSTEM\ControlSet001\services\GhostService
    HKCU\SYSTEM\CurrentControlSet\services\GhostService
  18. Look for value names called GhostService, right-click them and press Delete.
  19. Close the Registry Editor.
  20. Empty the Recycle Bin.
  21. Restart the computer.
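
To confirm the steps above left nothing behind, the following PowerShell check reports which of the listed artifacts are still present. It is an added example, not part of the original guide or any vendor tool; it is read-only, uses only the file names and paths given in the steps, and assumes a Ghost* wildcard is enough to catch a similarly named process.

```powershell
# Added example: read-only check for the Ghost Ransomware artifacts named in
# the removal steps. It deletes nothing and only reports what is still present.
$findings = [System.Collections.Generic.List[string]]::new()

# Steps 1-5: a running process called GhostService.exe or similar.
# Assumption: the wildcard Ghost* covers "similar" names.
Get-Process -Name 'Ghost*' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("Process: $($_.ProcessName) (PID $($_.Id))")
}

# Steps 9-11: files in the root of %HOMEDRIVE%.
foreach ($name in 'GhostForm.exe', 'GhostHammer.dll', 'GhostFile.dll') {
    $path = Join-Path "$env:HOMEDRIVE\" $name
    if (Test-Path -LiteralPath $path -PathType Leaf) { $findings.Add("File: $path") }
}

# Steps 12-14: the Ghost folder under %APPDATA% and whatever it contains.
$ghostDir = Join-Path $env:APPDATA 'Ghost'
if (Test-Path -LiteralPath $ghostDir -PathType Container) {
    $findings.Add("Folder: $ghostDir")
    Get-ChildItem -LiteralPath $ghostDir -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("  contains: $($_.Name)") }
}

# Steps 16-18: Registry paths exactly as written in the guide.
foreach ($key in 'HKCU:\SYSTEM\ControlSet001\services\GhostService',
                 'HKCU:\SYSTEM\CurrentControlSet\services\GhostService') {
    if (Test-Path -LiteralPath $key) { $findings.Add("Registry key: $key") }
}

# Enciphered data: count files whose last extension is .Ghost in the profile.
$encrypted = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Force `
        -ErrorAction SilentlyContinue | Where-Object { $_.Extension -eq '.Ghost' })
if ($encrypted.Count -gt 0) {
    $findings.Add("Files with .Ghost extension under ${env:USERPROFILE}: $($encrypted.Count)")
}

# Output: one line per artifact found, or a single all-clear line.
if ($findings.Count -eq 0) { 'No listed Ghost Ransomware artifacts found.' }
else { $findings }
```

Run it once before the restart in step 21 and again afterwards; a process or folder that reappears after the reboot means the auto-start entry was not removed.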

In non-techie terms:

Ghost Ransomware is a tool for money extortion. It encrypts the user’s files on the infected device and then looks for new data to encipher as long as it continues to run. According to the ransom note it displays after the encryption process, the malware’s developers wish to receive a payment in Bitcoins in exchange for their decryption tools. Even though these people apologize for the “inconvenience,” we doubt they care about what happens to the victim’s files; otherwise, they would probably do something else to make a living. It is entirely possible they may not hold up their end of the bargain, so we do not think it would be wise to pay the ransom. To learn how to eliminate the malware manually, you could follow the removal guide available above, and if you prefer using automatic features, you could employ a reputable antimalware tool instead.