GhostCrypt Ransomware Removal Guide

Do you know what GhostCrypt Ransomware is?

Apparently, GhostCrypt Ransomware pretends to be another Trojan infection known as CryptoLocker. However, this is a different malicious program, and it could be one of the Hidden Tear variants. Hidden Tear was an educational ransomware created for demonstration, but actual cyber criminals obtained the code and used it for the creation of their own malware. Our researchers think that GhostCrypt Ransomware might have been created using the exact code. In many ways, it looks like any other similar infection that encrypts user’s data, but we noticed something unusual as well. The malware does not generate unique user ID or explain how it will decrypt your files. It could be that there is no decryption key, so we advise you not to risk your money and remove the malicious program with the instructions below the text. What’s more, there might be a way to recover your files, so keep reading the article and learn all you can about the ransomware.

Generally, GhostCrypt Ransomware encrypts files that have the following extensions: .asp, .aspx, .avi, .bk, .bmp, .css, .csv, .divx, .doc, .docx, .eml, .htm, .html, .index, .jpeg, .jpg, .lnk, .mdb, .mkv, .mov, .mp3, .mp4, etc. It is hard not to notice the affected data because this infection adds one of the two different extensions to the locked files, e.g. photo.jpg.Z81928819 or music.mp3.CWall4. Also, after the encryption process is over, you should see a document named as "READ_THIS_FILE.txt" on your Desktop.GhostCrypt Ransomware Removal GuideGhostCrypt Ransomware screenshot
Scroll down for full removal instructions

As you open the text document, you will find instructions from the GhostCrypt Ransomware originators. The text will say that “Files have been encrypted by CryptoLocker,” but as we mentioned earlier, this is only an attempt to disguise it as another infection. Then the note says that you can recover your files, but you have to pay a ransom of 2 Bitcoins. If you convert this sum into US dollars, you will get around $911. The given three steps will tell you how to transfer the money, but we would advise you against paying the ransom. To decrypt your files, the malware should have created a unique ID to recognize your computer. Also, it should provide information how to contact the GhostCrypt Ransomware creators. In many cases, other similar infections even offer to decrypt a couple of files to prove to you that it is possible, but this program does not do that. Additionally, the instructions mention a decryption key, but they do not say how you will receive it.

The decision is yours to make, but given the details we have just explained to you, paying the ransom is rather risky. In the end, you might lose not only your files but also about 900 dollars and that is quite an amount. There could be a way to unlock your files, but we cannot guarantee that it will work. Our researchers found that someone created a working decryptor. This decryptor should be available for anyone on the Internet. Therefore, in the worst case scenario, e.g. if you do not have any copies of your data at all, you can try the decryptor.

If you decide not to pay the ransom, you should get rid of GhostCrypt Ransomware. The good news is that the malware does not install itself. The bad news is that it is launched with a malicious file that could be spread through Spam email or fake software installers. Try to remember the file you opened before your data was locked and its exact location. Sadly, we cannot give you more specific instructions, because the malicious file should have a random name. Usually, users save their files on Desktop or Downloads directory, so check these locations first.

As for the future, you should install a legitimate antimalware tool and create a backup of your personal data. If you keep your security tool updated, it should be able to warn you about malicious files, websites or any other content related to malware.

Remove GhostCrypt Ransomware

  1. Open the Windows Explorer.
  2. Check the locations where you might have downloaded the malicious file, e.g. Desktop, the Downloads or temporary files directories, etc.
  3. Right-click the malicious executable file and select Delete.
  4. Erase the READ_THIS_FILE.txt file from your Desktop.
  5. Empty Recycle bin.

In non-techie terms:

GhostCrypt Ransomware is a malicious program that locks your files and demands you to pay the ransom if you want to get the decryption key. However, it looks like it could be a lie, so you should not risk making the payment or you might regret losing your savings. Thus, we advise you to consider other possibilities for data recovery. Plus, it would be better to remove the malicious executable file, which launched the ransomware. You can either do it manually with the instructions above, or you could try using an antimalware tool.