Gaqtfpr ransomware (virus) - Recovery Instructions Included

What is Gaqtfpr ransomware?

Gaqtfpr ransomware can cause all personal files to lock, making them useless without a decryption key

Ransomware infections can result in users losing their data

Gaqtfpr ransomware is a file-locking virus that can use complicated encryption^[1] algorithms to lock users' files. It belongs to the Snatch ransomware family which was discovered in December 2018. When it infiltrates the system, it starts locking personal files, such as photos, videos, and documents.

It attaches a .gaqtfpr extension to every affected file. So if a file was previously named picture.jpg, after encryption it would look like this – picture.jpg.gaqtfpr. The icons are also changed to white pages so thumbnails are unavailable. It is impossible to open, view or use the encrypted files.

The ransom note

Gaqtfpr ransomware drops a text file HOW TO RESTORE YOUR FILES.TXT which is a ransom note. It is a message written by cybercriminals where they state their demands and explain what happened to users' files. The primary goal of such malicious programs is to blackmail victims into paying money for a decryption tool.

Threat actors use scare tactics to pressure people into paying. Most often, they want to receive money in cryptocurrencies because they provide anonymity. However, it is very risky for innocent people because cyber criminals cannot be trusted. Many previous ransomware attack victims say that they never received the promised decryption keys after paying.

Besides, cryptocurrency transactions are impossible to reverse. Once you send crypto to another wallet- it is gone. You would also be encouraging this malicious activity. Even though decryption is rarely possible without the cybercriminals' help, we recommend you try a third-party recovery tool that we list in this guide.

Encrypted files are almost impossible to unlock without the cybercriminals

Distribution methods

A variety of different techniques are used to spread ransomware on the Internet. One of the most obvious ones is hiding the malicious files as bundled software on Torrent websites^[2] or peer-to-peer file sharing platforms. Many people like to install “cracked” software^[3] because it is free.

However, the websites that distribute them are unregulated, so it is impossible to know if the packages you are downloading do not contain any malicious files. It is best to only use official web stores and developer websites. Even though it might get costly, you may save in the long run by keeping your system running smoothly.

Another popular method used by threat actors is email. They can use social engineering to create letters that look like important and urgent messages. They usually use well-known company names to create trust. However, you should never open any email attachments from someone you do not know personally.

Remove the intruder from your machine

The first thing you have to do is remove the malicious files that are executing the tasks. If you try to recover the files without eliminating the cause, it can encrypt your files again and result in more damage. Removing the virus yourself should not be an option unless you have experience.

Use anti-malware tools like SpyHunter 5Combo Cleaner or Malwarebytes to scan your system. This security software should find all the related files and entries and remove them automatically for you. Automatic removal is the best option because there is less risk of leaving some of the files on our system. Another thing to note is the malicious program could be preventing you from using the antivirus software. If you are unable to do it, proceed with accessing Safe Mode on Windows:

Windows 7 / Vista / XP

1. Click Start > Shutdown > Restart > OK.
2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8

1. Right-click on Start button and select Settings.
   
2. Scroll down to pick Update & Security.
3. On the left side of the window, pick Recovery.
4. Now scroll down to find Advanced Startup section.
5. Click Restart now.
6. Select Troubleshoot.
7. Go to Advanced options.
8. Select Startup Settings.
9. Click Restart.
10. Press 5 or click 5) Enable Safe Mode with Networking.

Data recovery options

Only hackers hold the decryption key, which can unlock your files, so if you did not back them up previously, you possibly lost your files forever. You can try using data recovery software, but third-party programs cannot always decrypt the files. We suggest at least trying it because it cannot hurt.

Important – only do this if you have already removed Gaqtfpr ransomware

Before proceeding, you must copy the corrupted files and place them in a USB flash drive or another external storage. In case something happens, you will at least still have the encrypted files.

1. Download Data Recovery Pro.
2. Double-click the installer to launch it.
   
3. Follow on-screen instructions to install the software.
4. As soon as you press Finish, you can use the app.
5. Select Everything or pick individual folders where you want the files to be recovered from.
6. Press Next.
7. At the bottom, enable Deep scan and pick which Disks you want to be scanned.
8. Press Scan and wait till it is complete.
9. You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
10. Press Recover to retrieve your files.

Repair the operating system

Performance, stability, and usability issues, to the point where a full Windows reinstall is required, are expected after a malware infection. These types of infections can alter the Windows registry database, damage vital bootup, and other sections, delete or corrupt DLL files, etc. Once a system file is damaged by malware, antivirus software is not able to repair it.

There are tools created just for this purpose. FortectIntego can fix a lot of the damage caused by an infection like this. Blue Screen errors, freezes, registry errors, damaged DLLs, etc., can make your computer completely unusable. By using this maintenance tool, you could try fixing the damaged system and avoid reinstallation.

• Download the application by clicking on the link above
• Click on the ReimageRepair.exe
  
  
• If User Account Control (UAC) shows up, select Yes
• Press Install and wait till the program finishes the installation process
• The analysis of your machine will begin immediately
• Once complete, check the results – they will be listed in the Summary
• You can now click on each of the issues and fix them manually
• If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.

Additional tips for victims in the corporate environment

Some ransomware strains aim to infect not only one computer but hijack the entire network. As soon as one of the machines is infected, malware can spread via the network and encrypt files everywhere else, including Network Attached Storage (NAS) devices. If your computer is connected to a network, it is important to isolate it to prevent re-infection after ransomware removal is complete.

The easiest way to disconnect a PC from everything is simply to plug out the ethernet cable. However, in the corporate environment, this might be extremely difficult to do (also would take a long time). The method below will disconnect from all the networks, including local and the internet, isolating each machine involved.

• Type in Control Panel in Windows search and press Enter
• Go to Network and Internet
• Click Network and Sharing Center
• On the left, pick Change adapter settings
• Right-click on your connection (for example, Ethernet), and select Disable
• Confirm with Yes.

If you are using some type of cloud storage you are connected to, you should disconnect from it immediately. It is also advisable to disconnect all the external devices, such as USB flash sticks, external HDDs, etc. Once the malware elimination process is finished, you can connect your computers to the network and internet, as explained above, but by pressing Enable instead.

Where to report a ransomware attack?

• USA – Internet Crime Complaint Center IC3
• United Kingdom – ActionFraud
• Canada – Canadian Anti-Fraud Centre
• Australia – ScamWatch
• New Zealand – ConsumerProtection
• Germany – Polizei
• France – Ministère de l'Intérieur

If your country is not listed above, you should contact the local police department or communications center.