Gefest ransomware (Virus Removal Guide) - updated Apr 2019

Gefest virus Removal Guide

What is Gefest ransomware?

Gefest 3.0 ransomware is data locking malware that was created by Scarab virus authors

Gefest ransomwareGefest virus - ransomware which uses RSA encryption to lock up data

Gefest ransomware, also known as Gefest 3.0 ransomware, is another file encrypting infection that belongs to one of the most prominent malware strains of such kind – Scarab. The virus uses the RSA-2048 algorithm[1] to lock up all documents, pictures, videos, databases and other data that is stored on the infected device. All files are then marked with .GEFEST and the ransomware generates a text file HOW TO RECOVER ENCRYPTED FILES.txt in which crooks are urging their victims to pay a ransom in exchange for the decryption key.[2]

Just as it typical to crypto-lockers, Gefest virus authors demand ransom to be paid in Bitcoins or other cryptocurrencies, although the precise amount is not mentioned in the note. Prior to that, victims are asked to contact hackers via or emails -an action which is not recommended by most security experts and law enforcement.

After its initial release, Scarab-Gefest is still active, with recently releasing such versions as .Gefest3 [].GFS, and .crabslkt.

Name Gefest 3.0 ransomware
Category Cryptovirus
Ransomware family Scarab ransomware
Extension appended .GEFEST, .Gefest3, .GFS, .crabslkt
Algorithm used RSA-2048
Email addresses given in the ransom note
Distribution Rogue email messages, infected websites
Elimination Detect malware with FortectIntego and get rid of it ASAP
Decryption Some versions are decryptable by Dr. Web. Read this post to know more

Once inside the system, Gefest ransomware performs a variety of changes to the computer system. Ransomware viruses, including this one, might alter the registry, drop its own files, and even disable your anti-virus software. Additionally, most of the cryptolockers are programmed to delete Shadow Volume Copies,[3] consequently complicating the recovery process.

To prevent Gefest 3.0 and similar ransomware infections, make sure you are very careful while dealing with emails from unknown senders. More about the prevention of ransomware can be found in the second part of this guide.

After encrypting files, Gefest 3.0 ransomware provides this type of message (might vary, depending on the extension):

GEFEST 3.0 ransomware

Your files are encrypted with an algorithm RSA2048 with a unique public key that is stored on your PC.
There is only one way to recover your files: contact us to pay and receive the decryption program.
We accept Bitcoins or other cryptocurrency, you can find exchangers in the
Do you have a unique idkey, write it in a letter when contact us.
ou can also decrypt 1 to check the file, it is a guarantee that we can decrypt your files.
Do not rename the encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.

Contact information:

primary email:

reserve email:
Your unique idkey:

As we already mentioned, the Gefest decryptor price is withheld on the note, and usually depends on how quick victims contact cybercriminals, and sometimes even their financial status. Additionally, hackers offer a test decryption service, which is meant to prompt users to deem them more reliable.

Gefest virusGefest ransomware is a computer virus which is related to Scarab

Nevertheless, no matter how much Gefest ransomware authors may want to seem genuine, never trust these people: they already locked your files without asking, what makes you believe they will send you the decryptor after the payment?

In such a case, you might lose not only your files but also money. Therefore, remove Gefest ransomware from the system instead as a first step by using a reliable anti-virus program. After that, you can use FortectIntego to detect all malware-laden components on your computer and fix the infected system files.

After you deal with the Gefest 3.0 ransomware removal, you can start thinking about possible data recovery methods. Even though no decryptor has been released yet, you can contact Emmanuel_ADC-Soft on Twitter for possible decryption solutions. Alternatively, you can employ third-party data recovery software – we provide all the download links and operation instructions below.

File-encrypting viruses can infect computers after opening a malicious attachment or clicking a link in a spam email

According to computer experts from,[4] if you have caught a ransomware[5] infection recently, there might be more than one way how this cyber threat has invaded the system. However, the most popular ransomware distribution technique is email spam and infected attachments that come clipped to these questionable-looking messages.

Opening the attached files or entering the inserted link might cause you a lot of problems. This way you might easily execute the virus-related content and inject ransomware straight into the system unknowingly. Always be careful while opening your inbox, identify the sender, check for grammar mistakes, evaluate the risk, and just then decide.

Moreover, you should avoid various Internet sites which might lack protection and seem unsafe. Do not click on any suspicious links that might secretly install unpleasant apps or malware. Additionally, we recommend downloading a reputable computer security tool to secure the system fully. Also, you will be able to perform regular system scans with the automatical software and find out if there are any troubles in the system.

Gefest ransomware variantsGefest ransomware can append a variety of extensions, including .GEFEST, .Gefest3, .GFS, and .crabslkt

Make Gefest 3.0 ransomware vanish from your device and systems

To remove Gefest 3.0 virus, you will need to download and install reliable antimalware. Do not try opting for manual removal as you can easily delete useful system components. To detect all malicious files, use a reputable program such as FortectIntego or SpyHunter 5Combo Cleaner. Remember, you need to disable the malicious activity before you carry out any data recovery steps because the virus can attack your files right after rebooting the system.

After the Gefest ransomware removal is completed, you can try restoring your entire computer system. For that, proceed with file recovery techniques displayed below this article. Note that the easiest way to recover encrypted files is to use backups. However, if you don't have such, there are still better options than contacting the crooks and facing unwanted money loss.

To avoid getting infected with a virus such as Gefest 3.0 ransomware in the future, make sure you are careful with emails from unknown senders, illegal software and questionable links. Moreover, you need to take care of your files and valuable data properly: store all important files in a USB Flash Drive[6] or on an iCloud server. This way the data will be kept out of reach from anyone else except you.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Gefest virus. Follow these steps

Manual removal using Safe Mode

Enable the Safe Mode with Networking function and disable the malicious activity of the ransomware:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Gefest using System Restore

Activate System Restore by performing these steps:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Gefest. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Gefest removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Gefest from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If you want to recover files with the .GEFEST extension, you should take a look at our below-provided methods.

If your files are encrypted by Gefest, you can use several methods to restore them:

Data Recovery Pro might allow you to restore some data:

Use this method if you want to get back files which were touched by the ransomware virus.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Gefest ransomware;
  • Restore them.

Windows Previous Versions feature might help you recover encrypted files

Give this tool a try if you have enabled the system restore in the past.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use Shadow Explorer for data recovery

If the virus did not touch Shadow Copies of encrypted files, try this method.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Try using Dr. Web decrypter to recover files encrypted by Gefest ransomware

If your files are encrypted by Gefest 3.0, carefully read this forum post to know more about the decryption of your files.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Gefest and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by government any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services, platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Ugnius Kiguolis
About the company Esolutions

Removal guides in other languages