How to Recover GhostCrypt Ransomware Files

How to Recover GhostCrypt Ransomware Files

Remove GhostCrypt Ransomware

GhostCrypt Ransomware Description and Removal Instructions:

Malware Category: Ransomware

GhostCrypt Ransomware is one of the latest versions of the Crypto-Ransomware viruses. GhostCrypt Ransomware targets PCs running Windows OS asking for 2 bitcoins ransom. Every file that has been encrypted will have its extension changed to: .Z81928819. Fortunately, there is a way of decrypting the files encrypted by GhostCrypt Ransomware.

The distribution of GhostCrypt Ransomware is related to installing different third-party toolbars, all kinds of free software, files from P2P networks and torrents, random clicking on ads, pop-up windows, banners, or even downloading attached files from your personal e-mail inbox or other file sharing applications, bogus flash player and fake video software for viewing online content.

When running, GhostCrypt Ransomware will start encrypting certain types of files stored on local or mounted network drives using a AES-256 bit public-key cryptography, with the private key stored only on a control server. The ransomware will encrypt the following extensions:

.asp, .aspx, .avi, .bk, .bmp, .css, .csv, .divx, .doc, .docx, .eml, .htm, .html, .index, .jpeg, .jpg, .lnk, .mdb, .mkv, .mov, .mp3, .mp4, .mpeg, .msg, .odt, .ogg .pdf, .php, .png, .ppt, .pptx, .psd, .rar, .sln, .sql, .txt, .wav, .wma, .wmv, .xls, .xlsx, .xml, .zip

GhostCrypt Ransomware will create READ_THIS_FILE.txt and put a shortcut to it in every folder where a file was encrypted. Those files contain instructions explaining how to pay the ransom. For the victims to pay the ransom, the virus asks them to send the money to the following addresses:

1. 19YWTHeSf1c4a2j1YNPTb3VCJn5ee21GRX
2. 1546jBPBRnR4NVrCZzVm7NtaH8FMQEy9mQ

GhostCrypt Ransomware will not just encrypt files and block your computer, it will also collect valuable information that will be sent to the control servers. Such software could lead to more malware coming into your computer and even cause a loss of data. Such threats are not to be underestimated!

If you are infected, we at SpywareTechs.com recommend you to download SpyHunter Malware Security Suite in order to remove the infection automatically:



Once you get rid of GhostCrypt Ransomware (see how to remove GhostCrypt Ransomware in our article), you can try to recover your files using the methods below:


How to Recover Files Encrypted by GhostCrypt Ransomware:

You can try to recover your files from a system backup. If there is no backup available, one can try to restore the files using the Shadow Copy Service. Windows XP Service Pack 2 and future versions have an integrated feature called Shadow Copy Service which will automatically create backup copies of your files. This method is not bullet-proof, as GhostCrypt Ransomware may delete the shadow copies.


1. How to Restore Files Using the Shadow Copy Service:

Method 1. Using Windows Previous Version tab:

*The Windows System Protection service must`ve been enabled before the infection, otherwise it will not work.

  1. Right-click on the encrypted file, select Properties from the menu.
  2. Click on “Previous Version” tab (If missing, this means that Windows System Protection has not been enabled).
  3. Choose a previous version copy and click on the Copy button. Select a directory you wish to recover the file to, or you can try to restore the selected file, directly, by hitting the Restore button.

The method could be used to recover an entire folder. Just right-click on the highlighted folder and select Properties, and then Previous Version tab.

Method 2. Using Shadow Explorer:

Using Shadow Explorer to restore whole folders. You can download the program from the link below:


Download and run the program. A list of available drives will show up on the left side. Beside it, you will see available dates for created shadow copies. One could select the drive and the date to restore to.


2. How to Recover Files Encrypted by GhostCrypt Ransomware using GhostCryptDecrypter:

The security experts were able to crack the GhostCrypt Ransomware and develop a decryptor tool called GhostCryptDecrypter.

GhostCrypt Ransomware Decryption Tool

1. Download GhostCryptDecrypter from the following link, save it on your desktop and then extract the archive.


2. When you start the decrypter tool, you have to select drive that you want to decrypt by clicking on “Select Directory”.

3. After that click on “Decrypt My Files” and GhostCryptDecrypter will start scanning for all files with the .Z81928819 extension and will try to decrypt them.


Nevertheless, if you want to be protected from GhostCrypt Ransomware, get SpyHunter!


John Moore

Owner of SpywareTechs.com. I specialize in malware and spyware removal. Researching new malware threats that emerge on the internet. Computers are my hobby since...well more than 10 years. I posses strong knowledge of computer internals and operating systems. However, I use my skills to join the everyday fight against malware and spyware. Follow me on Google+ to stay updated on how to remove the newest infections.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.