How to Recover GhostCrypt Ransomware Files
GhostCrypt Ransomware Description and Removal Instructions:
Malware Category: Ransomware
GhostCrypt Ransomware is one of the latest versions of the Crypto-Ransomware viruses. GhostCrypt Ransomware targets PCs running Windows OS asking for 2 bitcoins ransom. Every file that has been encrypted will have its extension changed to: .Z81928819. Fortunately, there is a way of decrypting the files encrypted by GhostCrypt Ransomware.
The distribution of GhostCrypt Ransomware is related to installing different third-party toolbars, all kinds of free software, files from P2P networks and torrents, random clicking on ads, pop-up windows, banners, or even downloading attached files from your personal e-mail inbox or other file sharing applications, bogus flash player and fake video software for viewing online content.
When running, GhostCrypt Ransomware will start encrypting certain types of files stored on local or mounted network drives using a AES-256 bit public-key cryptography, with the private key stored only on a control server. The ransomware will encrypt the following extensions:
.asp, .aspx, .avi, .bk, .bmp, .css, .csv, .divx, .doc, .docx, .eml, .htm, .html, .index, .jpeg, .jpg, .lnk, .mdb, .mkv, .mov, .mp3, .mp4, .mpeg, .msg, .odt, .ogg .pdf, .php, .png, .ppt, .pptx, .psd, .rar, .sln, .sql, .txt, .wav, .wma, .wmv, .xls, .xlsx, .xml, .zip
GhostCrypt Ransomware will create READ_THIS_FILE.txt and put a shortcut to it in every folder where a file was encrypted. Those files contain instructions explaining how to pay the ransom. For the victims to pay the ransom, the virus asks them to send the money to the following addresses:
GhostCrypt Ransomware will not just encrypt files and block your computer, it will also collect valuable information that will be sent to the control servers. Such software could lead to more malware coming into your computer and even cause a loss of data. Such threats are not to be underestimated!
If you are infected, we at SpywareTechs.com recommend you to download SpyHunter Malware Security Suite in order to remove the infection automatically:
Once you get rid of GhostCrypt Ransomware (see how to remove GhostCrypt Ransomware in our article), you can try to recover your files using the methods below:
How to Recover Files Encrypted by GhostCrypt Ransomware:
You can try to recover your files from a system backup. If there is no backup available, one can try to restore the files using the Shadow Copy Service. Windows XP Service Pack 2 and future versions have an integrated feature called Shadow Copy Service which will automatically create backup copies of your files. This method is not bullet-proof, as GhostCrypt Ransomware may delete the shadow copies.
1. How to Restore Files Using the Shadow Copy Service:
Method 1. Using Windows Previous Version tab:
*The Windows System Protection service must`ve been enabled before the infection, otherwise it will not work.
- Right-click on the encrypted file, select Properties from the menu.
- Click on “Previous Version” tab (If missing, this means that Windows System Protection has not been enabled).
- Choose a previous version copy and click on the Copy button. Select a directory you wish to recover the file to, or you can try to restore the selected file, directly, by hitting the Restore button.
The method could be used to recover an entire folder. Just right-click on the highlighted folder and select Properties, and then Previous Version tab.
Method 2. Using Shadow Explorer:
Using Shadow Explorer to restore whole folders. You can download the program from the link below:
Download and run the program. A list of available drives will show up on the left side. Beside it, you will see available dates for created shadow copies. One could select the drive and the date to restore to.
2. How to Recover Files Encrypted by GhostCrypt Ransomware using GhostCryptDecrypter:
The security experts were able to crack the GhostCrypt Ransomware and develop a decryptor tool called GhostCryptDecrypter.
1. Download GhostCryptDecrypter from the following link, save it on your desktop and then extract the archive.
2. When you start the decrypter tool, you have to select drive that you want to decrypt by clicking on “Select Directory”.
3. After that click on “Decrypt My Files” and GhostCryptDecrypter will start scanning for all files with the .Z81928819 extension and will try to decrypt them.
Nevertheless, if you want to be protected from GhostCrypt Ransomware, get SpyHunter!