GarrantyDecrypt ransomware (Removal Instructions) - updated Mar 2019
GarrantyDecrypt virus Removal Guide
What is GarrantyDecrypt ransomware?
GarrantyDecrypt is the cryptovirus that releases the newest variant In February 2019 which pretends to be the alert from the Proton security team
GarrantyDecrypt ransomware seeks to get victims' money by making them useless and then offering the special key for their decryption.
GarrantyDecrypt ransomware is a crypto malware that was first spotted back in October 2018 and releases new versions every few months. The virus is distributed with the help of malicious spam email attachments or links, via the repacked or hacked installers, fake updates, brute-force attacks, and similar methods. It uses RSA encryption algorithm to encrypt databases, documents, videos, music, etc., and appends a .garrantydecrypt extension. Also, GarrantyDecrypt drops a ransom note #RECOVERY_FILES#.txt that contains a message from the virus authors. The malware was re-released, adding .cosanostra, .decryptgarranty, and .NOSTRO appendixes to each of the affected files. According to cybersecurity analyst Demonslay, if present, the malware terminates other infections (cryptominer Rarog or data-stealer Arkei) before starting the encoding process.[1] The most recent versions in this particular family are Cammora ransomware and another version that encrypts files without marking them with the particular extensions. However, this latter variant demands victims $780 for the Proton's service because developers pretend to be the security team for Proton and even creates files with “PROTON SECURE-SERVER SYSTEMS (c) 2019” copyright mark.[2]
Name | GarrantyDecrypt |
---|---|
Type | Ransomware/Cryptovirus |
File extension | .garrantydecrypt, .decryptgarranty, .NOSTRO, .cosanostra, .cammora |
Ransom note | #RECOVERY_FILES#.txt |
Known since | October 2018 |
Encryption method | RSA |
Contact email | garrantydecrypt@airmail.cc, decryptgaranty@airmail.cc, cammora19@protonmail.com |
Decryption | Not possible |
Elimination | Use FortectIntego for GarrantyDecrypt ransomware removal |
As soon as GarrantyDecrypt virus enters the system, it performs several changes to increase persistence. Malware focuses on the data encryption process and seeks to make every user's file or its copy unavailable for the use. That's because cybercriminals who are working behind the ransomware seek to earn money by making their victims to pay the requested ransom fee. However, no matter how much crooks ask for, do not pay or even contact them.
Before encrypting data, the malicious code disables any malware that might be already present on the system and starts encrypting files. GarrantyDecrypt ransomware uses RSA-348 algorithm first and then opts for RSA-4096 encryption method to make your data useless. The encryption process is fairly quick[3], and you cannot notice the activity in the background.
After the successful encryption, the malware creates a ransom note called #RECOVERY_FILES#.txt which reads the following:
All your files have been ENCRYPTED
Do you really want to restore your files?
Write to our email – garrantydecrypt@airmail.cc
and tell us your unique ID
The hackers behind GarrantyDecrypt ransomware might encourage you to pay the ransom if you want to get your data back. In exchange for your payment, they typically promise to send their victims a special code which is saved on their remote servers and can't be guessed. However, you need to avoid contacting these people because it may lead to permanent data or money loss.
At first, focus on GarrantyDecrypt ransomware removal to make sure that the system is clear from malware. Additionally, restore your files from an external drive, cloud or a simple USB stick. If you don't have backups, try our tips given at the end of this article. Researchers[4] note that it is highly recommended to create a few different versions (three at least) of the file to keep it safe. Store your data on external devices and a cloud service remotely.
You can remove GarrantyDecrypt ransomware using reputable anti-malware tools like FortectIntego. Automatic virus elimination is the most helpful in this case because any additional viruses hiding on your computer can be removed during the full system scan. Follow the actions your anti-malware tool suggests after the full system scan.
GarrantyDecrypt ransomware is a cryptovirus that removes other malware before it starts files' encryption on the system.
GarrantyDecrypt authors keep renewing the cyberthreat
Just as many other ransomware viruses, GarrantyDecrypt is also being renewed by its authors. The first new variant was spotted at the end of November, almost two months after the original virus release.
The new variants encrypted files with similar extensions – .decryptgarranty and .cosanostra. However, the name of the ransom note hasn't changed. Cybercriminals are now demanding to use confirmation@secmail.pro, confirmprotect@protonmail.com or decryptgarranty@airmail.cc as the contact email addresses. A new version of the ransom note reads the following:
File protector Ultimate license error.
Or HACKED SOFTWARE VERSION DETECTED.
All your files is safe! Dont worry.
You only need to update subscription to unblock your protected files *.prl or become a legal user.
Send 0.25 Bitcoins to 19zbUWvkcYjPvg1ri5XprRR56z8KUkjtbj with MAX fee only! Or if you want transactions will lost in network or returned to you, and you may lost your files.
Only after you send btc and recive 1 confirmation, send email to
confirmation@secmail.pro or confirmprotect@protonmail.com
With this information below:
Bitcoin Transaction ID (no links)
Your %e@mail% (System will send to it legal copy of software with actiovation key)
######And just copy and past text below.
License payment confirmation agree
The most recent version of the virus showed up at the end of December 2018. GarrantyDecrypt authors now use .NOSTRO or .nostro file extension and ask victims to email crooks via the nostro19@protonmail.com email address.
.decryptgarranty and .NOSTRO variants drop a different ransom note, providing contact information within.
In February 2019, the same Michael Gillespie that discovered this ransomware in the first place releases information about the latest GarrantyCrypt ransomware versions. One of them is Cammora ransomware. This intruder is not significantly changed from other members in the family and still delivers #RECOVERY_FILES#.txt as the ransom note when data gets locked and marked with .cammora extension.
However, another more recent version is different than every other member of the family because cryptovirus pretends to distribute security alerts from the Proton Technologies team.
SECURITY-ISSUE-INFO.txt is the file containing the ransom note and the statement about the attack by the third-party and encrypted files. According to these hackers, Secure-Server encrypted your files to protect them from the malware during the attack. However, developers who mark their texts using PROTON SECURE-SERVER SYSTEMS (c) 2019 copyright statement demand victims to pay $780 for the service.
The legitimacy is created to trick people into thinking this is an email from Proton secure service. Unfortunately, this is a ransomware attack, not the Proton service and you shouldn't consider paying these people. Remove GarrantyCrypt using FortectIntego, as detection rate for multiple samples shows it can be indicated as malicious by many AV engines.[5]
A recent variant of GarrantyDecrypt poses as Proton security team.
Malicious file attachments spread ransomware payload directly on your device
In the cyber world, the most common method used to spread malicious programs is spam. When you get a questionable email with an attached document, pay more attention because it is possible that safe-looking MS Word or Excel files contain malicious macros or spread malware directly on your device.
Any email with the subject line “Invoice” or “Order information” sent from the service or company you do not use can be malicious and spread various threats on the system of your computer. Make sure to scan the file before downloading and opening on the system. You can also delete spam email box more frequently.
Unfortunately, malicious actors disguise their products behind known names, so be aware that companies do not send emails with typos, grammar mistakes and financial information documents attached for ransom people. If you get PayPal or FedEx email when you do not use the service – delete it.
Proceed with GarrantyDecrypt elimination as soon as possible
When you find your files encrypted by the cryptovirus, don't waste your time because every minute counts as ransomware can try to encrypt more files on your computer. Better scan your system by using a reputable anti-malware or antivirus program to remove GarrantyDecrypt or any additional malware from your computer. Use FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes and make sure to double check if the system is clear before plugging in any external devices.
GarrantyDecrypt ransomware removal needs to be done before you start recovering your locked files. The thorough system scan is nothing but beneficial for the system because, during the process, various PUPs and additional intruders will be removed from the system.
If you have files' backups, you can restore encrypted files with safe ones after GarrantyDecrypt ransomware termination. However, if you do not have the habit of backing your data, try our data recovery methods listed below.
Getting rid of GarrantyDecrypt virus. Follow these steps
Manual removal using Safe Mode
GarrantyDecrypt might be persistent, so reboot your device in Safe Mode with Networking to make sure that antivirus detects the threat:
Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files - Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove GarrantyDecrypt using System Restore
System Restore feature can also be helpful when ransomware affects your AVs performance:
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of GarrantyDecrypt. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
Guide which is presented above is supposed to help you remove GarrantyDecrypt from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.If your files are encrypted by GarrantyDecrypt, you can use several methods to restore them:
Data Recovery Pro is a great alternative for file backups when you lose your data
When GarrantyDecrypt ransomware encrypted your files, you have no solution but to recover them. You can use Data Recovery in this case, or when you accidentally deleted your files.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by GarrantyDecrypt ransomware;
- Restore them.
Windows Previous Versions feature is a method you can try when recovering your encrypted data
Use Windows Previous versions if System restore feature was enabled before the attack
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
ShadowExplorer recover files encrypted by GarrantyDecrypt ransomware
This method of data recovery works of Shadow Volume Copies still exists
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Decryption tool is not available
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from GarrantyDecrypt and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Choose a proper web browser and improve your safety with a VPN tool
Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.
Lost your files? Use data recovery software
While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.
To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.
- ^ Michael Gillespie. Discussion about GarrantyDecrypt ransomware . Twitter. Social media.
- ^ Michael Gillespie. Ransomware discovery report. Twitter. Social media platform.
- ^ Rick Correa. How fats does ransomware encrypt your files?. Barkly. Endpoint protection platform.
- ^ Avirus. Avirus. Spyware news.
- ^ Virus sample detection rate. VirusTotal. Online malware scanner.