If your personal files do not open normally and the .[mrpeterson@cock.li].GFS file extension has been added to the end of their names, then your system is infected with a new version of the GEFEST ransomware. Once launched, it encrypts all files stored on the system drives and attached network drives.
GFS ransomware is malicious software created to encrypt files. It hijacks a whole machine or its data and demands a ransom in order to unlock (decrypt) them. The developers of the .GFS ransomware have a strong financial motive to infect as many machines as possible. The files that will be encrypted include those with the following file extensions:
.wmf, .pfx, .xyp, .cr2, .t13, .wpd, .ncf, .sql, .vtf, .yal, .x3d, .bsa, .dng, .ai, .flv, .xf, .wp, .rtf, .wbd, .wpw, .pptm, .zdb, .lbf, .ibank, .zdc, .jpeg, .wmd, .xy3, .xld, .m4a, .zabw, .wbz, .fos, .vpk, .wps, .cfr, .p12, .rim, .vfs0, .mddata, .wmo, .jpe, .wm, .fsh, .xbdoc, .wotreplay, .pkpass, .dwg, .accdb, .cer, .wdb, .ltx, .rb, .xlk, .webp, .rgss3a, .sb, .mdb, .eps, .t12, .psk, .z, .pdf, .mlx, .wpb, .webdoc, .erf, .7z, .docm, .svg, .lvl, .mrwref, .tor, .xdl, .cdr, .xyw, .bc7, .wri, .indd, .png, .doc, .kdb, .gdb, .wma, .blob, .srw, .odb, .m3u, .mdbackup, .hvpl, .ptx, .map, .dcr, .sav, .sidd, .arw, .forge, .wp4, .vcf, .hkx, .litemod, .wp5, .qdf, .jpg, .p7c, .rwl, .hkdb, .xpm, .dbf, .ods, .wbm, .kdc, .docx, .xlsb, .raf, .txt, .y, .0, .xlsx, .p7b, .pst, .xlgc, .1st, .yml, .w3x, .re4, .wmv, .xdb, .icxs, .wbmp, .xwp, .3fr, .iwd, .hplg, .orf, .bik, .wb2, .wdp, .wn, .xmind, .dmp, .gho, .xll, .mov, .ff, .pem, .big, .srf, .mp4, .pdd, .wpt, .mdf, .qic, .x3f, .wpg, .wma, .xmmap, .dazip, .wcf, .layout, .xbplate, .asset, .odp, .rar, .d3dbsp, .zi, .snx, .avi, .sr2, .pef, .epk, .x3f, .ybk, .zip, .wpd, .wsh, .xx, .wav, .raw, .m2, .sum, .bkf, .wps, .db0, .syncdb, .fpk, .sie, .xxx, .wpe, .wbc, .1, .wpl, .itdb, .psd, .css, .xar, .xls, .cas, .zif, .dba, .desc, .pak, .vdf, wallet, .wp7, .odt, .r3d, .wgz, .kf, .csv, .ppt, .py, .crw, .slm, .bkp, .dxg, .wmv, .xlsm, .mef, .3ds, .ws, .tax, .menu, .ysp, .xlsx, .mpqge, .rw2, .bar, .3dm, .upk, .das, .wsc, .sidn, .wire, .wbk, .x, .ntl, .esm, .itl, .xml, .mcmeta, .z3d, .sid, .crt, .zip, .sis, .odm, .wot, .itm, .wp6, .zw, .iwi, .odc, .apk, .2bp, .rofl, .bay, .js, .wsd, .der, .pptx, .xls, .lrf, .vpp_pc, .ztmp, .xlsm, .bc6, .nrw, .arch00
When the virus encrypts a file, it appends the .[mrpeterson@cock.li].GFS extension to its name. Once the virus has finished enciphering all personal files, it will create a file named “HOW TO RECOVER ENCRYPTED FILES.TXT” with ransom instructions on how to decrypt all photos, documents and music. You can see one of the variants of the ransom note below:
GEFEST RANSOMWARE Your files has been encrypted using RSA2048 algorithm with unique public-key stored on your PC. There is only one way to get your files back: contact with us, pay, and get decryptor software. We accept Bitcoin, and other cryptocurrencies, you can find exchangers on bestbitcoinexchange.io You have unique idkey , write it in letter when contact with us. Also you can decrypt 1 file for test, its guarantee what we can decrypt your files. Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Contact information: primary email: mrpeterson@cock.li reserve email: debora2019@airmail.cc Your unique idkey:
Unfortunately, there is no way for victims to decrypt documents, photos and music for free. In the tutorial below, I have outlined a few methods that you can use to remove .GFS ransomware from your computer and restore .GFS files from shadow volume copies or using file recovery programs.
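Before cleaning up, it helps to know how much was hit. The following is an added example, not part of the original article: a read-only Python inventory that uses only the two indicators given above (the appended extension and the ransom note file name) to list affected files and count them by original type. The function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

MARKER = ".[mrpeterson@cock.li].GFS"              # suffix quoted in the article
NOTE_NAME = "HOW TO RECOVER ENCRYPTED FILES.TXT"  # ransom note name from the article


def original_name(filename):
    """Return the pre-encryption name, or None if the file lacks the marker."""
    if filename.lower().endswith(MARKER.lower()) and len(filename) > len(MARKER):
        return filename[: -len(MARKER)]
    return None


def inventory(root):
    """Walk root without modifying anything; summarise encrypted files and notes."""
    encrypted, notes, by_ext = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.upper() == NOTE_NAME:
                notes.append(full)
                continue
            orig = original_name(name)
            if orig is not None:
                encrypted.append((full, orig))
                by_ext[os.path.splitext(orig)[1].lower() or "(none)"] += 1
    return {"encrypted": encrypted, "notes": notes, "by_extension": by_ext}


def demo():
    """Build a constructed sample tree and return its inventory."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Docs", "Photos"))
        for rel in ("Docs/report.docx" + MARKER,
                    "Docs/Photos/cat.JPG" + MARKER.lower(),
                    "Docs/Photos/dog.jpg" + MARKER,
                    "Docs/untouched.txt",
                    "Docs/" + NOTE_NAME):
            open(os.path.join(root, *rel.split("/")), "w").close()
        result = inventory(root)
        result["encrypted"] = sorted(orig for _path, orig in result["encrypted"])
        return result


if __name__ == "__main__":
    summary = demo()
    print(len(summary["encrypted"]), "encrypted;", len(summary["notes"]), "note(s)")
    for ext, count in summary["by_extension"].most_common():
        print(f"  {ext}: {count}")
```

Point `inventory()` at a drive root or a mounted backup to get the list of files that need to be restored; it never renames or deletes anything.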
Quick links:
- How to remove .GFS ransomware
- How to decrypt .GFS files
- How to restore .GFS files
- How to protect your computer from .GFS ransomware?
- To sum up
How to remove .GFS ransomware
There are not many good free anti-malware applications with a high detection ratio. The effectiveness of malware removal utilities depends on various factors, mostly on how often their virus/malware signature databases are updated in order to effectively detect modern malware, adware, ransomware viruses and other potentially unwanted software. We suggest running several applications, not just one. The programs listed below will help you get rid of all components of the .GFS ransomware from your disk and Windows registry.
Use Zemana Anti-malware to delete .GFS ransomware
Zemana Anti-malware is a tool that can delete ransomware viruses, adware, potentially unwanted applications, hijacker infections and other malware from your personal computer easily and for free. Zemana Anti-malware is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses a minimum of computer resources.
Visit the following page to download Zemana Anti Malware (ZAM). Save it to your Desktop so that you can access the file easily.
After the download is finished, close all windows on your personal computer. Next, run the install file called Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as shown on the image below, press the “Yes” button.
It will show the “Setup wizard” that will help you install Zemana AntiMalware on the system. Follow the prompts and do not make any changes to default settings.
Once setup is done successfully, Zemana AntiMalware (ZAM) will automatically launch and you can see its main window as displayed in the figure below.
Next, click the “Scan” button to scan your PC for the .GFS ransomware virus and other malware. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your PC and the speed of your PC system. While the Zemana Anti Malware utility is checking, you can see how many objects it has identified as being affected by malicious software.
When that process is complete, you will be shown the list of all detected items on your personal computer. Review the scan results and then click the “Next” button.
Zemana will remove the .GFS ransomware virus and other malicious software. Once the clean up is done, you may be prompted to reboot your PC.
Use MalwareBytes Anti Malware to remove GFS ransomware virus
We advise using MalwareBytes Anti Malware (MBAM). You can download and install MalwareBytes Free to look for and remove the GFS ransomware virus from your PC system. When installed and updated, this free malware remover automatically finds and removes all threats that exist on the machine.
- Download MalwareBytes Anti Malware (MBAM) on your MS Windows Desktop from the following link.
- At the download page, click on the Download button. Your web-browser will show the “Save as” dialog box. Please save it onto your Windows desktop.
- When the download is done, please close all programs and open windows on your personal computer. Double-click on the icon that’s named mb3-setup.
- This will open the MalwareBytes “Setup wizard” on your computer. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, MalwareBytes Anti Malware will start and display the main window.
- Next, press the “Scan Now” button to perform a system scan for the GFS ransomware virus and other security threats. This task can take quite a while, so please be patient.
- After the system scan is finished, MalwareBytes Free will show a scan report.
- When you’re ready, click the “Quarantine Selected” button. After the process is finished, you may be prompted to restart the machine.
- Close the Anti Malware and continue with the next step.
Use KVRT to delete .GFS ransomware virus from the computer
KVRT is a free portable program that scans your PC system for malware and ransomware like the .GFS ransomware and allows you to remove them easily. Moreover, it will also allow you to remove any harmful web-browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) from the following link. Save it on your Microsoft Windows desktop or in any other place.
After the downloading process is finished, double-click on the KVRT icon. Once the initialization process is done, you’ll see the KVRT screen as shown below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next, press the Start scan button. The KVRT utility will start scanning the whole computer to find the .GFS ransomware virus and other malware. A system scan may take anywhere from 5 to 30 minutes, depending on your system. When malware, adware or potentially unwanted apps are found, the number of security threats will change accordingly. Wait until the scanning is done.
Once that process is done, KVRT will display a list of all threats detected by the scan like below.
All found items will be marked. You can remove them all by simply clicking Continue to start a cleaning task.
How to decrypt .GFS files
The .GFS ransomware encourages victims to contact its creators in order to decrypt all files. They will require you to pay a ransom (usually a demand for $300-1000 in Bitcoins).
There is absolutely no guarantee that after you pay a ransom to the authors of the .GFS ransomware virus, they will provide the necessary key to decrypt your files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create new ransomware.
The free malicious software removal tools listed in this blog post can detect and remove the ransomware virus and prevent any further damage. After that you can restore encrypted personal files from their Shadow Copies or using a file recovery tool.
How to restore .GFS files
In some cases, you can recover files encrypted by .GFS ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted photos, documents and music.
Run ShadowExplorer to restore .GFS files
In order to recover documents, photos and music encrypted by the .GFS ransomware virus from Shadow Volume Copies, you can run a tool named ShadowExplorer. We advise using this method, as its easy-to-use interface makes it easier to find and restore the previous versions of the encrypted files you need.
ShadowExplorer can be downloaded from the following link. Save it on your Microsoft Windows desktop.
Once the downloading process is complete, extract the downloaded file to a folder on your computer. This will create the necessary files as on the image below.
Launch the ShadowExplorerPortable program. Now choose the date (2) that you wish to restore from and the drive (1) you want to recover files (folders) from as shown in the following example.
In the right panel, navigate to the file (folder) you want to restore. Right-click the file or folder and click the Export button as displayed on the image below.
Finally, specify a folder (your Desktop) in which to save the shadow copy of the encrypted file and click the ‘OK’ button.
Restore .GFS files with PhotoRec
Before a file is encrypted, the .GFS ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your documents, photos and music using file recovery software like PhotoRec.
Download PhotoRec on your PC from the link below.
After the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown in the following example.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will display a screen as on the image below.
Select a drive to recover as displayed below.
You will see a list of available partitions. Choose a partition that holds encrypted personal files as shown in the figure below.
Click the File Formats button and choose the file types to recover. You can enable or disable the recovery of certain file types. When this is done, press the OK button.
Next, click the Browse button to choose where recovered files should be written, then click Search.
The count of restored files is updated in real time. All recovered personal files are written to the folder that you chose in the previous step. You can access the files even if the restore process is not finished.
When the restore is complete, press the Quit button. Next, open the directory where the restored files are stored. You will see contents as displayed on the image below.
All recovered documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can sort your restored files by extension and/or date/time.
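Sorting by hand gets slow once PhotoRec has written thousands of files, and recovered files do not keep their original names. The following is an added example, not part of the original article or of PhotoRec: a Python sketch that indexes the recup_dir.N sub-directories by extension, newest first. The function names, the minimum-size filter and the sample files are constructed for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

RECUP_DIR = re.compile(r"^recup_dir\.\d+$")  # PhotoRec output folders named above


def index_recovered(dest):
    """Map extension -> [(mtime, size, path)], newest first, for recup_dir.N folders."""
    index = defaultdict(list)
    for entry in os.scandir(dest):
        if not (entry.is_dir() and RECUP_DIR.match(entry.name)):
            continue  # ignore anything that is not PhotoRec output
        for item in os.scandir(entry.path):
            if item.is_file():
                ext = os.path.splitext(item.name)[1].lower() or "(none)"
                st = item.stat()
                index[ext].append((st.st_mtime, st.st_size, item.path))
    for rows in index.values():
        rows.sort(reverse=True)
    return dict(index)


def find(index, ext, min_size=0):
    """Return paths of one extension that are at least min_size bytes, newest first."""
    return [path for _mtime, size, path in index.get(ext.lower(), []) if size >= min_size]


def demo():
    """Build a constructed PhotoRec-style output folder and query it."""
    with tempfile.TemporaryDirectory() as dest:
        samples = [("recup_dir.1/f0001.jpg", 2048, 1_560_000_000),
                   ("recup_dir.1/f0002.docx", 512, 1_561_000_000),
                   ("recup_dir.2/f0003.JPG", 4096, 1_562_000_000),
                   ("recup_dir.2/f0004.jpg", 10, 1_563_000_000),
                   ("other/f0005.jpg", 4096, 1_564_000_000)]
        for rel, size, mtime in samples:
            path = os.path.join(dest, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"\0" * size)
            os.utime(path, (mtime, mtime))
        index = index_recovered(dest)
        jpgs = [os.path.basename(p) for p in find(index, ".jpg", min_size=1024)]
        return sorted(index), jpgs


if __name__ == "__main__":
    print(demo())
```

The size filter is a quick way to skip thumbnails and truncated fragments when looking for full-size photos.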
How to protect your computer from .GFS ransomware?
Most antivirus apps already have built-in protection against ransomware. Therefore, if your PC does not have an antivirus program, make sure you install one. As an extra protection, use HitmanPro.Alert.
Use HitmanPro.Alert to protect your computer from .GFS ransomware virus
All-in-all, HitmanPro.Alert is a fantastic tool to protect your personal computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Windows OS from Windows XP to Windows 10.
Please go to the link below to download HitmanPro Alert. Save it on your Windows desktop or in any other place.
Once the downloading process is done, open the directory in which you saved it. You will see an icon like below.
Double-click the HitmanPro.Alert desktop icon. After the tool is opened, you’ll be shown a window where you can choose a level of protection, as shown in the following example.
Now press the Install button to activate the protection.
To sum up
Now your computer should be free of the .GFS ransomware. Uninstall MalwareBytes and KVRT. We advise that you keep Zemana (to periodically scan your computer for new malware). Make sure that you have all the Critical Updates recommended for Microsoft Windows OS. Without regular updates you WILL NOT be protected when new ransomware viruses, malicious apps and adware are released.
If you are still having problems while trying to get rid of .GFS ransomware from your personal computer, then ask for help here.