Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Apr 2019

How to remove Gefest ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Ugnius Kiguolis · The mastermind

Gefest 3.0 ransomware is data locking malware that was created by Scarab virus authors

Gefest ransomware

Gefest ransomware, also known as Gefest 3.0 ransomware, is another file encrypting infection that belongs to one of the most prominent malware strains of such kind – Scarab. The virus uses the RSA-2048 algorithm[1] to lock up all documents, pictures, videos, databases and other data that is stored on the infected device. All files are then marked with .GEFEST and the ransomware generates a text file HOW TO RECOVER ENCRYPTED FILES.txt in which crooks are urging their victims to pay a ransom in exchange for the decryption key.[2]

Just as it typical to crypto-lockers, Gefest virus authors demand ransom to be paid in Bitcoins or other cryptocurrencies, although the precise amount is not mentioned in the note. Prior to that, victims are asked to contact hackers via mrpeterson@cock.li or debora2019@airmail.cc emails -an action which is not recommended by most security experts and law enforcement.

After its initial release, Scarab-Gefest is still active, with recently releasing such versions as .Gefest3 [Mrpeterson@cock.li].GFS, and .crabslkt.

Name Gefest 3.0 ransomware
Category Cryptovirus
Ransomware family Scarab ransomware
Extension appended .GEFEST, .Gefest3, .GFS, .crabslkt
Algorithm used RSA-2048
Ransom message HOW TO RECOVER ENCRYPTED FILES.txt, DECRYPT INFORMATION.TXT, 
Email addresses given in the ransom note
  • mrpeterson@cock.li
  • debora2019@airmail.cc
  • mrpeterson@cock.li
  • resoutnowfewminutes@airmail.cc
Distribution Rogue email messages, infected websites
Elimination Detect malware with FortectIntego and get rid of it ASAP
Decryption Some versions are decryptable by Dr. Web. Read this post to know more

Once inside the system, Gefest ransomware performs a variety of changes to the computer system. Ransomware viruses, including this one, might alter the registry, drop its own files, and even disable your anti-virus software. Additionally, most of the cryptolockers are programmed to delete Shadow Volume Copies,[3] consequently complicating the recovery process.

To prevent Gefest 3.0 and similar ransomware infections, make sure you are very careful while dealing with emails from unknown senders. More about the prevention of ransomware can be found in the second part of this guide.

After encrypting files, Gefest 3.0 ransomware provides this type of message (might vary, depending on the extension):

GEFEST 3.0 ransomware 

Your files are encrypted with an algorithm RSA2048 with a unique public key that is stored on your PC. 
There is only one way to recover your files: contact us to pay and receive the decryption program. 
We accept Bitcoins or other cryptocurrency, you can find exchangers in the bestbitcoinexchange.io 
Do you have a unique idkey, write it in a letter when contact us. 
ou can also decrypt 1 to check the file, it is a guarantee that we can decrypt your files. 
Attention! 
Do not rename the encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.

Contact information:

primary email: mrpeterson@cock.li

reserve email: debora2019@airmail.cc
Your unique idkey:

As we already mentioned, the Gefest decryptor price is withheld on the note, and usually depends on how quick victims contact cybercriminals, and sometimes even their financial status. Additionally, hackers offer a test decryption service, which is meant to prompt users to deem them more reliable.

Gefest virus

Nevertheless, no matter how much Gefest ransomware authors may want to seem genuine, never trust these people: they already locked your files without asking, what makes you believe they will send you the decryptor after the payment?

In such a case, you might lose not only your files but also money. Therefore, remove Gefest ransomware from the system instead as a first step by using a reliable anti-virus program. After that, you can use FortectIntego to detect all malware-laden components on your computer and fix the infected system files.

After you deal with the Gefest 3.0 ransomware removal, you can start thinking about possible data recovery methods. Even though no decryptor has been released yet, you can contact Emmanuel_ADC-Soft on Twitter for possible decryption solutions. Alternatively, you can employ third-party data recovery software – we provide all the download links and operation instructions below.

File-encrypting viruses can infect computers after opening a malicious attachment or clicking a link in a spam email

According to computer experts from NoVirus.uk,[4] if you have caught a ransomware[5] infection recently, there might be more than one way how this cyber threat has invaded the system. However, the most popular ransomware distribution technique is email spam and infected attachments that come clipped to these questionable-looking messages.

Opening the attached files or entering the inserted link might cause you a lot of problems. This way you might easily execute the virus-related content and inject ransomware straight into the system unknowingly. Always be careful while opening your inbox, identify the sender, check for grammar mistakes, evaluate the risk, and just then decide.

Moreover, you should avoid various Internet sites which might lack protection and seem unsafe. Do not click on any suspicious links that might secretly install unpleasant apps or malware. Additionally, we recommend downloading a reputable computer security tool to secure the system fully. Also, you will be able to perform regular system scans with the automatical software and find out if there are any troubles in the system.

Gefest ransomware variants

Make Gefest 3.0 ransomware vanish from your device and systems

To remove Gefest 3.0 virus, you will need to download and install reliable antimalware. Do not try opting for manual removal as you can easily delete useful system components. To detect all malicious files, use a reputable program such as FortectIntego or SpyHunterCombo Cleaner. Remember, you need to disable the malicious activity before you carry out any data recovery steps because the virus can attack your files right after rebooting the system.

After the Gefest ransomware removal is completed, you can try restoring your entire computer system. For that, proceed with file recovery techniques displayed below this article. Note that the easiest way to recover encrypted files is to use backups. However, if you don't have such, there are still better options than contacting the crooks and facing unwanted money loss.

To avoid getting infected with a virus such as Gefest 3.0 ransomware in the future, make sure you are careful with emails from unknown senders, illegal software and questionable links. Moreover, you need to take care of your files and valuable data properly: store all important files in a USB Flash Drive[6] or on an iCloud server. This way the data will be kept out of reach from anyone else except you.

Be the first to comment

Read in your language

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.