Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · May 2019

How to remove GetCrypt ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Olivia Morelli · Ransomware analyst

GetCrypt ransomware is a decryptable file locking malware that is using Rig exploit kit for distribution

GetCrypt ransomware

GetCrypt ransomware is a cryptovirus that was first spotted in the wold by security researchers from nao_sec[1] in May 2019. The malware does not seem to have any connection to any ransomware families and is a standalone project by unknown hackers. Despite it being a new virus, researchers already developed a decryption tool that can be used to recover data for free.

Once inside, GetCrypt ransomware locates pictures, music, databases, documents, etc., and employs RSA-4096 + Salsa20 encryption ciphers to lock them up, while also appending a file extension that consists of a four random characters, for example .GTUN, .RBRS, and similar.

From that point of time, users cannot access their personal data, although they can also notice a # DECRYPT MY FILES #.txt ransomware placed into each of the affected folders. The message from the threat actors behind GetCrypt virus states that victims need to write an email to GETCRYPT@COCK.LI for the further instructions and the decryptor price.

Nevertheless, as previously stated, the virus is decryptable. Therefore, if you got infected and your data is locked, remove GetCrypt ransomware, and then decrypt your files for free.

Name GetCrypt
Type Ransowmare
Ciphers RSA-4096 + Salsa20
Related files bs03u4lh.bin.exe, encrypted_key.bin, Tempdesk.bmp
Extension .[random 4 characters]
Ransom note  # DECRYPT MY FILES #.txt
Contact GETCRYPT@COCK.LI or CRYPTGET@TUTANOTA.COM
Excluded countries Russia, Kazakhstan, Belarus, Ukraine
Decryptable? Yes. Download decrypter from Emsisoft
Termination Use anti-malware software, such as SpyHunterCombo Cleaner
Recovery To restore Windows registry and other vital sectors, use FortectIntego

GetCrypt virus is being distributed via Popcash malvertising campaigns that redirect users to malicious sites which host Rid exploit kit.[2] The latter was developed in 2016 and was used for the circulation of a variety of malware, including Locky, GandCrab, Cerber, Spora, Ramnit, Princess, and others. Nevertheless, it does not mean that other tactics cannot be employed by hackers, such as:

  • Spam emails;
  • Fake updates;
  • Brute-forcing;
  • Web injects;
  • Pirated software or its cracks, etc.

Before GetCrypt ransomware starts the encryption process, it changes the way Windows operates by modifying/deleting/spawning such sectors like registry, boot, services, processes, shadow volume copies, etc. Additionally, researchers also noticed that the malware exists without executing any tasks if the computer language is set to Russian, Ukranian, Belarusian, or Kazakh.

All the data becomes inaccessible after GetCrypt ransomware appends the extension to the files. For example, instead of seeing a regular picture.jpg format, victims will see picture.jpg.GHPY, or similar. After the encryption, the ransom note # DECRYPT MY FILES #.txt explains to victims what to do next:

Attention! Your computer has been attacked by virus-encoder!
All your files are now encrypted using cryptographycalli strong aslgorithm.
Without the original key recovery is impossible.

TO GET YOUR DECODER AND THE ORIGINAL KEY TO DECRYPT YOUR FILES YOU NEED TO EMAIL US AT: GETCRYPT@COCK.LI

It is in your interest to respond as soon as possible to ensure the restoration of your files.

P.S only in case you do not recive a response from the first email address within 48 hours, please use this alternative email address: CRYPTGET@TUTANOTA.COM

  1. Open your browser
  2. Write to our mail: GETCRYPT@COCK.LI
  3. Attach the encrypted_key.bin from %appdata% to your message

After system modification and file encryption process, GetCrypt ransomware tries to spread laterally and encrypt files located on the network by using the WNetEnumResourceW feature. In case it does not succeed, the malware will try to brute-force[3] its way in with the help of a predetermined list of usernames and passwords, such as “123,” “111,” “admin,” “Guest,” and similar.

For GetCrypt ransomware removal, users should employ reputable security application which can recognize[4] the threat as Ransom.GetCrypt, Trojan:Win32/Occamy.C, Malware@#3ttqjf9a6qhwv, TROJ_FRS.0NZ900EL19, Trojan.Multi.Generic.4!c, etc. Once elimination is completed, experts[5] recommend scanning the device with repair software such as FortectIntego to recover from GetCrypt virus damage.

GetCrypt ransomware virus

Malicious ads and redirects might result in ransomware infection

Exploit kits are a sophisticated set of tools designed to penetrate vulnerabilities inside the system and embed the malicious payload. This technique is often paired with redirects that come from such infections as adware or JavaScript on a malicious/hacked website.

Once the user is redirected, the exploit kit is capable of scanning the device and looking for security flaws. If successful, the malware is installed automatically, without any type of user interaction. However, those who patch their systems, along with the installed software, on time renders the exploitation useless, even if the malicious domain is reached via the redirect.

Besides updating software, users should also:

  • Install a powerful security application;
  • Enable Firewall;
  • Backup the files located on the local HDD;
  • Stay away from spam email attachments and suspicious hyperlinks;
  • Enable two-factor authentication and use password manager for all accounts;
  • Enable ad-blocker;
  • Not attempt to download cracks or pirated software.

Terminate GetCrypt ransomware with the help anti-malware software and only then attempt file recovery

Before you proceed to file recovery procedure, you need to make sure GetCrypt ransomware removal is executed correctly, otherwise, all the retrieved data would be encrypted again. For that, you should access Safe Mode with Networking which would temporarily disable the operation of the virus (we provide the instructions on how to enter it below).

Once you remove GetCrypt virus completely, you should then connect your backups and copy all the files over. In most cases, those who have no backups are destined to lose their data forever, especially if Shadow Volumes were deleted by the malware successfully. Luckily, Emsisoft decrypter is available for GetCrypt ransomware decryption, so download the software and run it to retrieve your pictures, documents, databases and other files for free. If the tool does not work for you, try third-party software as explained below.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.