GottaCry Ransomware Removal Guide

Do you know what GottaCry Ransomware is?

GottaCry Ransomware is a threat that tries to scare its victims by displaying a black warning with a picture of two red eyes. The note in the window might say that all files were encrypted and moved to a server belonging to the hackers behind the threat. However, the sample we tested did not encrypt or move any data. Nonetheless, our computer security specialists say the malicious application is capable of erasing files and folders located on the infected device. This means the malware could still be in the development stage, and once it is finished, it might become more dangerous. To learn more about the infection, we encourage you to read the rest of this report. Also, should you need any help while deleting GottaCry Ransomware, keep in mind there is a removal guide available below that could be of use to you.

Since there is a possibility GottaCry Ransomware could still be in development, we are not sure whether it is even being distributed yet. In case it is, we believe the malware might be traveling with spam emails, unreliable installers, suspicious notifications, etc. Most ransomware victims infect their computers unknowingly after opening a malicious file received or downloaded from untrustworthy sources. This is why we highly recommend against interacting with any files if you are not completely sure they can be trusted. Always remember that even files that look like images or text documents could turn out to be malicious installers, which is why it is best to scan all data coming from questionable sources with a reputable antimalware tool.

The sample our specialists tested opened a window called GottaCry | Windows encryptor right after its launch. This warning might say at first that the files were encrypted, then claim they were moved to a remote server, and lastly that they were deleted. Of course, to restore them, the note asks the victim to pay a ransom in Bitcoins or via PayPal. As said earlier, in reality, the GottaCry Ransomware sample that we tested did not encrypt or delete any data. The research shows it should be able to delete files and folders located on the infected device, but it does not look like it was programmed to encrypt anything. Moreover, the ransom note may also threaten to leak the user’s passwords if he restarts the computer. It is doubtful GottaCry Ransomware could do so, as our researchers did not see it copying any passwords from anywhere, even if it claims so. Such a threat is probably displayed just to scare the victim so he would not turn off the system and, as a result, close the malware.

Even if the malware gets updated and starts deleting user’s files, we would not recommend paying the ransom, as there are no guarantees GottaCry Ransomware could restore them as promised. It seems to us the safest choice in such a situation is to remove the malware and restore files from backup, which is why you should always back up your data regularly.

To get rid of GottaCry Ransomware manually, you could follow the removal guide located below. The malicious application could be eliminated with a reputable antimalware tool too. All you have to do is perform a full system scan with it and then press the given deletion button.

Erase GottaCry Ransomware

  1. Restart the computer to kill the malware’s process.
  2. Press Windows Key+E.
  3. Navigate to these paths:
    %USERPROFILE%\Desktop
    %USERPROFILE%\Downloads
    %TEMP%
  4. Find the malware’s launcher (suspicious recently downloaded file), right-click it and select Delete.
  5. Close File Explorer.
  6. Empty Recycle Bin.
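
The folder check in steps 3 and 4 can also be done from PowerShell. The script below is an added example, not part of the original guide: it only lists recently created executable and script files in the three folders, with their signature status and hash, so you can decide which file to delete. The seven-day window and the extension list are assumptions.

```powershell
# Added example: read-only triage of the folders named in the removal steps.
# Nothing is deleted; review the output and remove the launcher yourself.
$Days = 7   # assumption: the launcher arrived within the last week

$folders = @(
    (Join-Path $env:USERPROFILE 'Desktop'),
    (Join-Path $env:USERPROFILE 'Downloads'),
    $env:TEMP
)
# Assumption: file types that commonly act as launchers; adjust as needed.
$extensions = '.exe', '.scr', '.com', '.bat', '.cmd', '.js', '.vbs', '.ps1', '.msi', '.lnk'
$cutoff = (Get-Date).AddDays(-$Days)

$candidates = foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }

    Get-ChildItem -LiteralPath $folder -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.CreationTime -ge $cutoff -and
            $extensions -contains $_.Extension.ToLower()
        } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            # The Zone.Identifier stream marks files that came from a browser or mail client.
            $motw = Get-Item -LiteralPath $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue

            [pscustomobject]@{
                Created   = $_.CreationTime
                Path      = $_.FullName
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Signature = if ($sig) { $sig.Status } else { 'Unknown' }
                FromWeb   = [bool]$motw
                SHA256    = if ($hash) { $hash.Hash } else { $null }
            }
        }
}

# Newest files first; unsigned files downloaded from the web deserve the closest look.
$candidates | Sort-Object Created -Descending | Format-List
```

The SHA256 value of a suspicious file can be checked with your antimalware vendor before you delete it.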

In non-techie terms:

GottaCry Ransomware is most likely an unfinished malicious application. We believe this to be true because of what we learned from a sample we encountered. It is capable of erasing users’ files, but does not do so. Nor does it encrypt users’ files as its ransom note claims. Besides, it looks like no matter what you enter into its password box, the malicious application shows the same message saying “Wrong password.” If you come across the same version of this threat and your files are not damaged, we recommend erasing the malware without hesitation. Even if the malicious application gets updated and starts encrypting users’ files, we would not recommend giving in to any demands, as there are no guarantees the hackers will keep their promises. To erase the threat manually, you could follow the removal guide available above. If the process looks too complicated, we advise employing a trustworthy antimalware tool instead.