If you turned on your personal computer and saw a ransom note saying that your files are encrypted by Gorgon ransomware, then your machine is infected with malicious software called Gorgon ransomware. Gorgon ransomware secretly penetrates the PC and encrypts the photos, documents and music stored on your disks. While encrypting, it renames all your important documents, photos and music so that they have the .[buy-decryptor@pm.me] file extension.
Immediately after launch, Gorgon ransomware scans all available drives, including network and cloud storage, to determine which files will be encrypted. The virus uses the file name extension to define the group of files that will be subjected to encryption. It encrypts almost all types of files, including common ones such as:
.x3f, .orf, .tax, .wm, .zdc, .tor, .xlsm, .bar, .rtf, .itl, .menu, .wdp, .xpm, .odp, .xld, .odc, .wbz, .bc7, .2bp, .p7c, .sr2, .xlsm, .mdb, .kdb, .der, .mdf, .ai, .pfx, .x3d, .wma, .indd, .wmv, .wmf, .flv, .wbk, .crw, .apk, .dng, .xy3, .cdr, .rar, .icxs, .xls, .vpp_pc, .epk, .qdf, .pptm, .xdl, .wcf, .wmo, .wbmp, .xbdoc, .wbc, .zw, .wp7, .css, .xmind, .mov, .wpa, .r3d, .wma, .raf, .psk, .7z, .x, .upk, .wmd, .vpk, .srf, .ysp, .wsc, .wp6, .mp4, .qic, .js, .syncdb, .hplg, .yal, .wdb, .3fr, .wgz, .sav, .1st, .ff, .odb, .xlsb, .blob, .srw, .yml, .xwp, .rofl, .ltx, .wn, .litemod, .pdd, .dmp, .vdf, .zif, .jpeg, .iwi, .m2, .raw, .eps, .jpg, .wp, .hkdb, .jpe, .bay, .esm, .ntl, .x3f, .wire, .re4, .t13, .xls, .sidn, .psd, .wps, .wotreplay, .ybk, .pptx, .mpqge, .ws, .sidd, .lvl, .webp, .pst, .mef, .asset, .wpw, .wbm, .avi, .fsh, .y, .w3x, .odt, .t12, .db0, .sql, .wpb, .xf, .xlsx, .bkf, .xlgc, .dazip, .wbd, .d3dbsp, .xml, .cr2, .ibank, .layout, wallet, .kdc, .ppt, .mrwref, .dcr, .dba, .doc, .hkx, .0, .lrf, .txt, .bkp, .wb2, .mlx, .iwd, .rgss3a, .xx, .kf, .pdf, .xar, .xbplate, .1, .vtf, .wpt, .ods, .zdb, .pem, .gdb, .bc6, .webdoc, .wmv, .ncf, .fpk, .py, .m4a, .vfs0, .big, .svg, .itdb, .3dm, .sum, .crt, .odm, .rwl, .p12, .m3u, .vcf, .rb, .wps, .rw2, .cfr, .itm, .xxx, .mcmeta, .z, .mdbackup, .3ds, .wot, .zip, .xll, .png, .pkpass, .p7b, .wpe, .dbf, .fos, .pef, .sis, .slm, .zip, .rim, .pak, .wri, .csv, .dwg, .wav, .zi, .xlk, .gho, .arw
Once a file is encrypted, its extension is changed to .[buy-decryptor@pm.me]. Next, the ransomware drops a file called ‘#DECRYPT MY FILES#.HTML’. This file contains a note on how to decrypt the encrypted photos, documents and music. You can see the variants of the ransom note below:
English:
All your important files are encrypted!
#What happened?
All your important files (database, documents, images, videos, music, etc.) have been encrypted! And only we can decrypt! To decrypt your files, you need to buy Gorgon Decryptor from us, we are the only one who can decrypt the file for you
#Attention!
Trying to reinstall the system and decrypting the file with a third-party tool will result in file corruption, which means no one can decrypt your file (including us)! If you still try to decrypt the file yourself, you do so at your own risk!
#Test decryption!
As a proof, you can email us 3 files to decrypt, and we will send you the decrypted files to prove that we can decrypt your files
#How to decrypt?
1. Buy 0.3 Bitcoin at https://localbitcoins.com
2. Contact us by email to get a payment address
3. Send 0.3 Bitcoin to our payment address
4. After payment, we will send you Gorgon Decryptor
Chinese:
#What happened?
All your important files (database, documents, images, videos, music, etc.) have been encrypted! And only we can decrypt them! To decrypt your files, you need to buy Gorgon Decryptor from us, we are the only ones who can decrypt the files for you
#Attention!
Trying to reinstall the system and decrypting the files with a third-party tool will result in file corruption, which means no one can decrypt your files (including us)! If you still try to decrypt the files yourself, you do so at your own risk!
#Test decryption!
As a proof, you can email us 3 files to decrypt, and we will send you the recovered files to prove that we can decrypt your files
#How to decrypt?
1. Buy 0.3 Bitcoin at https://localbitcoins.com/zh-cn
2. Contact us by email to get a payment address
3. Send 0.3 Bitcoin to our payment address
4. After payment, we will send you Gorgon Decryptor
Korean:
#What happened to my files?
All your important files (databases, photos, documents, videos, music, etc.) have been encrypted! Only we can undo that encryption! To recover your files, you must buy Gorgon Decryptor from us! As stated above, only we can recover your encrypted files
#Attention!
Reinstalling Windows or attempting recovery through a third party's (private recovery company's) program will damage the files and make them unrecoverable forever. This means that buying the recovery program from us is the only way to recover them. If you try to recover the files yourself, the price you pay will be enormous
#Test recovery!
We will prove that our recovery tool works properly: if you send 3 files you want recovered to our email, we will send back the 3 recovered files as proof that recovery with the tool is possible
#How can I buy the recovery tool?
1. First, buy 0.3 Bitcoin at a cryptocurrency exchange such as Bithumb.com or Coinone.co.kr
2. Then request a Bitcoin address from our email
3. Send the 0.3 Bitcoin you bought to the Bitcoin address in the reply
4. Once payment is complete, we will verify it and send you Gorgon Decryptor
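To triage a machine for the artifacts described above (files renamed with the .[buy-decryptor@pm.me] extension and the dropped ‘#DECRYPT MY FILES#.HTML’ note), here is an added Python example that is not part of the original guide: it walks a directory tree, lists encrypted files with their original names, counts which original extensions were hit, and records where ransom notes were dropped. The sample folder layout it builds in a temporary directory is constructed for illustration only.

```python
# Added example (not from the original guide): triage a directory tree for the
# Gorgon ransomware artifacts the guide describes, i.e. files renamed with the
# ".[buy-decryptor@pm.me]" extension and the dropped "#DECRYPT MY FILES#.HTML" note.
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".[buy-decryptor@pm.me]"
RANSOM_NOTE = "#DECRYPT MY FILES#.HTML"


def triage(root):
    """Walk `root` and report encrypted files, their original extensions,
    and the directories in which a ransom note was dropped."""
    encrypted = []  # (encrypted path, original file name)
    notes = []      # directories containing the ransom note
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                notes.append(dirpath)
            elif name.endswith(ENCRYPTED_SUFFIX):
                original = name[: -len(ENCRYPTED_SUFFIX)]
                encrypted.append((os.path.join(dirpath, name), original))
    # Count the original extensions so you can see which file groups were hit.
    by_ext = Counter(os.path.splitext(orig)[1].lower() for _p, orig in encrypted)
    return {"encrypted": encrypted, "notes": notes, "by_ext": dict(by_ext)}


def build_sample_tree():
    """Constructed sample infection layout for offline testing (not real data)."""
    root = tempfile.mkdtemp(prefix="gorgon_sample_")
    docs = os.path.join(root, "Documents")
    pics = os.path.join(root, "Pictures")
    os.makedirs(docs)
    os.makedirs(pics)
    for path in [
        os.path.join(docs, "report.docx" + ENCRYPTED_SUFFIX),
        os.path.join(docs, "budget.xlsx" + ENCRYPTED_SUFFIX),
        os.path.join(docs, RANSOM_NOTE),
        os.path.join(pics, "holiday.jpg" + ENCRYPTED_SUFFIX),
        os.path.join(pics, RANSOM_NOTE),
        os.path.join(root, "notes.txt"),  # untouched file, must not be reported
    ]:
        with open(path, "w") as f:
            f.write("sample")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"{len(result['encrypted'])} encrypted files, notes in {len(result['notes'])} folders")
    print("original extensions hit:", result["by_ext"])
```

Point `triage()` at a user profile or a mapped network share to get a quick picture of how far the encryption spread before starting the removal and recovery steps below.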
We suggest you delete the Gorgon ransomware virus as quickly as possible, before its presence leads to even worse consequences. Follow the step-by-step instructions below to completely remove Gorgon ransomware from your system and to restore encrypted files, using only a few free utilities.
Table of contents
- How to remove Gorgon ransomware
- How to decrypt .[buy-decryptor@pm.me] files
- How to restore .[buy-decryptor@pm.me] files
- How to protect your personal computer from Gorgon ransomware
How to remove Gorgon ransomware
Before you launch the process of recovering the documents, photos and music that have been encrypted, make sure Gorgon ransomware is not running. First, you need to delete this virus permanently. Happily, there are several malware removal utilities that will effectively detect and delete the Gorgon ransomware virus and other crypto-malware from your personal computer.
Remove Gorgon ransomware with Zemana Anti-malware
We recommend running Zemana Anti-malware, which will completely clean your PC of this virus. Moreover, the tool will allow you to remove potentially unwanted programs, malicious software, toolbars and adware that your machine may also be infected with.
Please go to the link below to download the latest version of Zemana Anti-Malware for Microsoft Windows. Save it on your Desktop.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Once the download is finished, close all windows on your machine. Then launch the setup file named Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as shown in the following example, click the “Yes” button.
It will display the “Setup wizard”, which will allow you to install Zemana on the PC. Follow the prompts and do not change any default settings.
Once the install has finished successfully, Zemana Anti-Malware will launch automatically and you will see its main window as in the image below.
Next, press the “Scan” button to perform a system scan for the Gorgon ransomware virus and other kinds of potential threats such as malware and PUPs.
When the scan is done, Zemana Free will display the results. Review them once the tool has finished the system scan. If you think an entry should not be quarantined, uncheck it. Otherwise, simply click the “Next” button.
Zemana AntiMalware will begin to remove the Gorgon ransomware virus and other potential threats. When finished, you may be prompted to reboot your system.
Run MalwareBytes to delete Gorgon ransomware
Manual Gorgon ransomware removal requires some computer skills, and some files and registry entries created by the ransomware virus may not be fully removed. We advise running MalwareBytes, which will completely free your PC of the ransomware virus. Moreover, this free program will allow you to remove malware, potentially unwanted programs, adware and toolbars that your PC may also be infected with.
MalwareBytes Free can be downloaded from the following link. Save it on your Desktop.
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
When the download is finished, run it and follow the prompts. Once installed, MalwareBytes Anti-Malware (MBAM) will try to update itself; when this is complete, click the “Scan Now” button to scan your computer for Gorgon ransomware related files, folders and registry keys. This task may take some time, so please be patient. While MalwareBytes Anti-Malware is checking, you can see how many objects it has identified as malicious software. Review the scan results and then click the “Quarantine Selected” button.
MalwareBytes is a free program that you can use to remove all detected folders, files, services, registry entries and so on. To learn more about this malware removal tool, we suggest you read and follow the guide or the video guide below.
Double-check for Gorgon ransomware with KVRT
If MalwareBytes Anti-Malware or Zemana AntiMalware cannot get rid of Gorgon ransomware, then we suggest using KVRT. KVRT is a free removal tool for viruses, adware, PUPs and toolbars.
Download Kaspersky virus removal tool (KVRT) on your personal computer by clicking on the link below.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When the download is done, double-click on the KVRT icon. Once the initialization procedure is complete, you will see the KVRT screen as displayed in the following example.
Click Change Parameters and put a check next to all your drives. Click OK to close the Parameters window. Next, press the Start scan button to find the Gorgon ransomware virus and other malware. A system scan can take anywhere from 5 to 30 minutes, depending on your PC. When a threat is detected, the count of security threats will change accordingly.
After the scanning is done, Kaspersky virus removal tool will show a scan report as shown in the following example.
Review the report and then click on Continue to begin a cleaning task.
How to decrypt .[buy-decryptor@pm.me] files
The encryption algorithm is so strong that it is practically impossible to decrypt .[buy-decryptor@pm.me] files without the actual key. The bad news is that the only way to get your files back is to pay ($300-1000 in Bitcoins) the creators of the Gorgon ransomware virus for a copy of the private key.
There is absolutely no guarantee that after paying a ransom to the makers of the Gorgon ransomware virus, they will provide the key needed to decrypt your files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create new viruses.
With some variants of this ransomware, it’s possible to use Windows Shadow Copies or file restore tools to restore personal files that have been encrypted by the Gorgon ransomware virus. You can run the free utilities listed below in this blog post.
How to restore .[buy-decryptor@pm.me] files
In some cases, you can restore files encrypted by the Gorgon ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.
Use shadow copies to recover .[buy-decryptor@pm.me] files
In some cases, you have a chance to recover your personal files that were encrypted by the Gorgon ransomware virus. This is possible with the tool named ShadowExplorer, a free program created to obtain ‘shadow copies’ of files.
Click the link below to download the latest version of ShadowExplorer for Microsoft Windows. Save it to your Desktop so that you can access the file easily.
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After the download is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as in the image below.
Start the ShadowExplorer tool, then select the disk (1) and the date (2) of the shadow copy from which you wish to restore the file(s) encrypted by the Gorgon ransomware virus, as shown below.
Now navigate to the file or folder that you wish to recover. When ready, right-click on it and click the ‘Export’ button as displayed in the following example.
Recover .[buy-decryptor@pm.me] files with PhotoRec
Before a file is encrypted, the Gorgon ransomware virus makes a copy of it, encrypts the copy, and then deletes the original file. This can allow you to recover your files using file restore software like PhotoRec.
Download PhotoRec by clicking on the link below. Save it on your Windows desktop.
When the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as in the image below.
Double-click qphotorec_win to run PhotoRec for Windows. It will open a screen as displayed in the figure below.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Select a partition that holds encrypted files as on the image below.
Click the File Formats button and select the file types to recover. You can enable or disable the restoration of certain file types. When this is done, click the OK button.
Next, click the Browse button to choose where restored photos, documents and music should be written, then press Search.
The count of recovered files is updated in real time. All recovered documents, photos and music are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.
When the recovery is finished, press the Quit button. Next, open the directory where the restored photos, documents and music are stored. You will see contents as shown in the following example.
All recovered documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your restored files by extension and/or date/time.
How to protect your personal computer from Gorgon ransomware
Most antivirus software already has built-in protection against this virus. Therefore, if your machine does not have an antivirus program, make sure you install one. As extra protection, run CryptoPrevent.
Use CryptoPrevent to protect your personal computer from Gorgon ransomware virus
Download CryptoPrevent on your MS Windows Desktop by clicking on the following link.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once the install is complete, you will be shown a window where you can choose a level of protection, as displayed in the following example.
Now click the Apply button to activate the protection.
To sum up
Now your personal computer should be free of the Gorgon ransomware virus. Uninstall MalwareBytes Anti-Malware and Kaspersky virus removal tool. We recommend that you keep Zemana AntiMalware (to periodically scan your computer for new malware). Moreover, to prevent ransomware, stay clear of unknown and third-party apps, and make sure that your antivirus program has its option to stop or look for ransomware turned on.
If you need more help with Gorgon ransomware virus related issues, go here.