GTF Ransomware

What is GTF Ransomware?

GTF Ransomware gets its name from the “.id-*.[grandtheftfiles@aol.com].GTF” string that it adds as an additional extension to all of the files it encrypts. The extension also includes a unique code (in the place of *) and an email address, which is also presented to you in a ransom note. Unfortunately, you are most likely to find this monstrous extension attached to your most valued personal files, including photos, videos, and documents. The infection is supposed to encrypt all personal files throughout your operating system, and if you have a lot of files, you might face extensive damage. Of course, if you care about your personal files, you might already have backup copies stored someplace safe outside the infected computer. If that is the case, you can replace the corrupted files, but only after you remove GTF Ransomware from your operating system. If you are not sure if you can delete this malicious infection, please continue reading, and you will learn a trick or two.
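To plan a restore from backup, it helps to know exactly which files were renamed. The following PowerShell sketch is an added example, not part of the original article: it walks a folder read-only, matches the extension pattern quoted above, and recovers each original file name. The `$Root` default, the function name, and the CSV output path are assumptions.

```powershell
# Added example: read-only inventory of files carrying the GTF extension.
# $Root is an assumption; point it at the folder or volume to survey.
param([string]$Root = "$env:USERPROFILE")

# Pattern from the article:
#   <original name>.id-<unique code>.[grandtheftfiles@aol.com].GTF
# The format of the unique code is not documented, so any run without dots is accepted.
$pattern = '^(?<orig>.+)\.id-(?<code>[^.]+)\.\[grandtheftfiles@aol\.com\]\.GTF$'

function Get-GtfRenamedFile {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = [regex]::Match($_.Name, $pattern, 'IgnoreCase')
            if ($m.Success) {
                [pscustomobject]@{
                    Directory    = $_.DirectoryName
                    OriginalName = $m.Groups['orig'].Value   # name to look for in the backup
                    UniqueCode   = $m.Groups['code'].Value
                    LastWrite    = $_.LastWriteTime          # approximates encryption time
                }
            }
        }
}

$hits = @(Get-GtfRenamedFile -Path $Root)

# Summary per unique code, then the earliest and latest rename times.
$hits | Group-Object UniqueCode | Select-Object Name, Count | Format-Table -AutoSize
$hits | Measure-Object LastWrite -Minimum -Maximum |
    Select-Object Minimum, Maximum | Format-List

# Full list for comparison against the backup catalogue.
$hits | Export-Csv -Path "$env:TEMP\gtf-inventory.csv" -NoTypeInformation
```

The earliest `LastWrite` value gives a rough lower bound for when encryption started, which helps pick a backup snapshot that predates it.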

How does GTF Ransomware work?

According to the experts in our Anti-Spyware-101.com internal lab, GTF Ransomware has hundreds of clones, some of which include Rxx Ransomware, 8800 Ransomware, Devil Ransomware, Dever Ransomware, or Bitx Ransomware. All of these infections were built using the Crysis/Dharma Ransomware code, and that is why they are all identical. Spam emails and misleading downloaders are most likely to be used for their distribution, and so you have to be careful about opening strange messages and the files or links attached to them, as well as downloading unfamiliar programs/files from unfamiliar sources. Once GTF Ransomware is executed, it drops its own components and also encrypts your personal files. This happens very fast, and if there is no security software to stop the execution and delete the infection, you are unlikely to realize what has happened until it is too late. Once files are fully encrypted, the threat launches a window named “grandtheftfiles@aol.com,” for which a file named “Info.hta” is responsible. This window displays a message, according to which victims of the threat need to email the attackers at grandtheftfiles@aol.com or grandtheftfiles@cock.li to get information about a ransom payment.

GTF Ransomware is identified as “ransomware” because its main goal is to push victims into paying in return for a tool that, allegedly, could restore all files. The exact sum of the ransom is not disclosed, and so if you are desperate, you might decide to email the attackers thinking that more harm cannot be done. In reality, if you disclose your own email account, which the attackers might not have confirmed at that point, they could continue terrorizing you regardless of what you do about the ransom requested in return for a GTF Ransomware decryptor. By the way, a file named “FILES ENCRYPTED.txt” is also dropped by the infection, and it also instructs victims to send an email to the same addresses. At the end of the day, the number-one reason we do not recommend contacting the attackers is that we do not recommend paying the ransom. Whether big or small, the payment does not guarantee a decryptor. Does a free third-party decryptor exist? You can look into Dharma and Crysis decryptors, but they do not guarantee full decryption.

How to remove GTF Ransomware

We are sure that you want to delete GTF Ransomware from your Windows operating system as soon as possible. Hopefully, this is not the end of the road, and you can swiftly replace the corrupted files with copies stored in a secure location (e.g., on a virtual cloud) afterward. The removal of the infection can be quite challenging because some components – including the launcher file – have random names, and so if you are not able to identify them, you might be unable to eliminate the infection manually. Luckily, you do not need to remove GTF Ransomware on your own. Install a trusted anti-malware program, and it will erase the infection for you automatically. More than that, it will secure your operating system once it is clean to keep it malware-free from there on out. So, which path are you going to take? If you still need advice or more information, do not hesitate to contact us via the comments section.

Removal Guide

  1. Delete the launcher of the infection. If you cannot identify it, try deleting recently downloaded files.
  2. Simultaneously tap Win+E keys on the keyboard to launch the File Explorer window.
  3. Enter the following paths into the field at the top and Delete files Info.hta and {unknown name}.exe:
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %APPDATA%
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %WINDIR%\System32\
  4. Simultaneously tap Win+R keys on the keyboard to launch the Run dialog box.
  5. Type regedit into the dialog box and then click OK to launch the Registry Editor utility.
  6. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on the left.
  7. Delete all {unknown names} values that are associated with ransomware files (check the value data).
  8. Empty Recycle Bin and then immediately perform a full system scan to check for leftovers.
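Because the launcher has a random name, it is easier to review every location from the guide in one pass before deleting anything. The PowerShell script below is an added example, not part of the original guide: it lists Info.hta and recently created .exe files in the folders from step 3, together with signature status and hash, and then prints the Run values from steps 6 and 7 with their data. The 14-day window is an assumption; adjust it to the suspected infection date.

```powershell
# Added example: read-only listing of the locations named in the Removal Guide.
# Nothing is deleted; review the output, then remove confirmed items by hand.
$paths = @(
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:WINDIR\System32"
)

# Info.hta is named in the guide; the .exe name is random, so list recent ones.
$cutoff = (Get-Date).AddDays(-14)   # assumption: infection within the last 14 days

$files = foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    Get-ChildItem -LiteralPath $p -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'Info.hta' -or
                       ($_.Extension -eq '.exe' -and $_.CreationTime -ge $cutoff) } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                # Unsigned or invalidly signed executables deserve a closer look.
                Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}
$files | Sort-Object Created -Descending | Format-List

# Steps 6-7: print each Run value with its data so the target file can be checked.
$runKey = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValues = foreach ($name in $runKey.GetValueNames()) {
    [pscustomobject]@{
        Name = $name
        Data = $runKey.GetValue($name)
    }
}
$runValues | Format-List
```

A Run value whose data points at one of the files listed in the first section is the kind of entry step 7 refers to.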