A new variant of ransomware virus has been discovered by IT security experts. It appends the .GEFEST file extension to encrypted files. This ransomware targets computers running Microsoft Windows by spam emails and malware.
The .GEFEST Ransomware is a malware, which created to encrypt the files found on infected PC system using a strong encryption algorithm with 2048-bit key, appending the .GEFEST file extension to all encrypted documents, photos and music. It can encrypt almost types of files, including the following:
.srf, .wsc, .wpe, .csv, .sidn, .asset, .wav, .xar, .xyw, .zif, .rgss3a, .xxx, .py, .z3d, .desc, .docm, .xmmap, .bay, .bsa, .7z, .wbm, .1st, .hkx, .xlsb, .t12, .jpg, .zw, .wdb, .cr2, .wbk, .rwl, .d3dbsp, .zip, .litemod, .wri, .wps, .sb, .sis, .wn, .qdf, .arch00, .wb2, .rofl, .ztmp, .vpk, .iwi, .xlsx, .iwd, .cas, .wire, .p12, .wpd, .avi, .odm, .crt, .svg, .der, .jpe, .bar, .ptx, .rtf, .pdf, .mpqge, .xll, .m2, .3dm, .xf, .wpl, .wpd, .wpt, .icxs, .wp7, .y, .kdc, .z, .xls, .wps, .map, .orf, .db0, .lrf, .xlsm, .wotreplay, .wmf, .itl, .0, .bkf, .apk, .indd, .1, .doc, .kf, .mddata, .forge, .hvpl, .epk, .ws, .pdd, .dmp, .ai, .yal, .yml, .wmv, .xdl, .wmo, .mlx, .vdf, .dwg, .dng, .zdc, .bc6, .ntl, .xlk, .sidd, .ppt, .re4, .pem, .pptx, .wpw, .xwp, .vfs0, .fsh, .hkdb, .cer, .wsd, .bik, .erf, .zabw, .sr2, .itm, .wdp, .x3d, .ncf, .fpk, .dazip, .wbmp, .tax, .mef, .mrwref, .rw2, .t13, .xlsx, .psk, .wpg, .odc, .pfx, .docx, .blob, .das, .mcmeta, .pkpass, .zi, .xdb, .pptm, .x, .wbc, .raf, .wbz, .2bp, .3fr, .zdb, .xbplate, .wsh, .snx, .m3u, .odb, .pst, .sav, .wp6, .bkp, .ff, .flv, .webdoc, .xls, .wpb, .lbf, .fos, .mdbackup, .cfr, .hplg, .p7b, .qic, .png, .wmv, .vtf, .p7c, .xyp, .dcr, .sum, .m4a, .ods, .zip, .3ds
Once a file is encrypted, its extension changed to .GEFEST. Next, the virus creates a file called ‘HOW TO RECOVER ENCRYPTED FILES.TXT’. This file contain a guide on how to decrypt all encrypted documents, photos and music. You can see an one of the variants of the ransomnote below:
GEFEST 3.0 RANSOMWARE
Your files has been encrypted using RSA2048 algorithm with unique public-key stored on your PC.
There is only one way to get your files back: contact with us, pay, and get decryptor software.
We accept Bitcoin, and other cryptocurrencies, you can find exchangers on bestbitcoinexchange.io
You have unique idkey , write it in letter when contact with us.
Also you can decrypt 1 file for test, its guarantee what we can decrypt your files.
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
primary email: email@example.com
reserve email: firstname.lastname@example.org
Your unique idkey:
We advise you to remove .GEFEST Ransomware virus as quickly as possible, until the presence of the virus has not led to even worse consequences. You need to follow the step-by-step guide below that will help you to completely remove .GEFEST Ransomware virus from your system as well as restore encrypted files, using only few free utilities.
Table of contents
- How to remove .GEFEST ransomware virus
- How to decrypt .GEFEST files
- How to restore .GEFEST files
- How to protect your PC from .GEFEST Ransomware
How to remove .GEFEST ransomware virus
Even if you’ve the up-to-date classic antivirus installed, and you’ve checked your computer for ransomwares and removed anything found, you need to do the tutorial below. The .GEFEST ransomware virus removal is not simple as installing another antivirus. Classic antivirus applications are not designed to run together and will conflict with each other, or possibly crash MS Windows. Instead we advise complete the steps below an run Zemana Anti-malware, Malwarebytes or Kaspersky Virus Removal Tool, which are free applications dedicated to look for and remove malicious software such as the .GEFEST Ransomware virus. Use these tools to ensure the ransomware is removed.
Automatically delete .GEFEST ransomware virus with Zemana Anti-malware
We suggest using the Zemana Anti-malware that are completely clean your machine of the ransomware virus. The tool is an advanced malware removal program created by (c) Zemana lab. It is able to help you remove ransomware, malware, trojans, and other security threats from your machine for free.
Installing the Zemana Anti Malware is simple. First you will need to download Zemana Free by clicking on the link below.
Author: Zemana Ltd
Category: Security tools
Update: March 3, 2018
Once the downloading process is complete, start it and follow the prompts. Once installed, the Zemana AntiMalware (ZAM) will try to update itself and when this task is finished, press the “Scan” button to perform a system scan with this tool for the .GEFEST ransomware virus and other kinds of potential threats.
A scan may take anywhere from 10 to 30 minutes, depending on the count of files on your PC system and the speed of your system. When a threat is detected, the number of the security threats will change accordingly. Review the results once the utility has done the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click “Next” button.
The Zemana Anti-Malware will remove .GEFEST ransomware virus and add items to the Quarantine.
How to automatically remove .GEFEST Ransomware with MalwareBytes
We suggest using the MalwareBytes Free that are completely clean your PC system of the ransomware. This free utility is an advanced malicious software removal program designed by (c) Malwarebytes lab. This application uses the world’s most popular antimalware technology. It is able to help you delete virus, PUPs, malware, adware, toolbars, and other security threats from your computer for free.
Installing the MalwareBytes Anti-Malware is simple. First you will need to download MalwareBytes from the link below. Save it to your Desktop so that you can access the file easily.
Category: Security tools
Update: February 5, 2019
After downloading is done, close all apps and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s named mb3-setup as displayed on the image below.
When the install starts, you’ll see the “Setup wizard” that will help you set up Malwarebytes on your PC.
Once setup is finished, you’ll see window as on the image below.
Now press the “Scan Now” button to find out the .GEFEST ransomware virus related files, folders and registry keys. This task can take some time, so please be patient. When a threat is found, the number of the security threats will change accordingly.
As the scanning ends, MalwareBytes will show a list of all items detected by the scan. All found items will be marked. You can remove them all by simply press “Quarantine Selected” button.
The Malwarebytes will now remove .GEFEST Ransomware virus related files, folders and registry keys and add threats to the Quarantine. When the process is finished, you may be prompted to reboot your computer.
The following video explains steps on how to delete browser hijacker, adware and other malware with MalwareBytes.
If the problem with .GEFEST ransomware virus is still remained
KVRT is a free portable application that scans your system for malware, trojans and viruses like the .GEFEST Ransomware and helps get rid of them easily. Moreover, it’ll also allow you delete any malicious web browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) from the link below.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When the downloading process is finished, double-click on the Kaspersky virus removal tool icon. Once initialization process is done, you will see the Kaspersky virus removal tool screen as displayed on the image below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button for checking your machine for the .GEFEST ransomware virus and other trojans and harmful software. Depending on your PC system, the scan can take anywhere from a few minutes to close to an hour. When a malicious software, ad supported software or potentially unwanted software are found, the count of the security threats will change accordingly. Wait until the the scanning is complete.
Once that process is done, KVRT will show a list of detected items as on the image below.
Once you have selected what you want to remove from your personal computer press on Continue to start a cleaning task.
How to decrypt .GEFEST files
The ransomnote encourages victim to contact .GEFEST Ransomware’s creators via email@example.com and firstname.lastname@example.org emails in order to decrypt all documents, photos and music. These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins).
There is absolutely no guarantee that after pay a ransom to the creators of the .GEFEST Ransomware virus, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware virus.
We do not recommend paying a ransom, as there is no guarantee that you will be able to decrypt your personal files. Especially since you have a chance to restore your documents, photos and music for free using free utilities like the ShadowExplorer and PhotoRec.
How to restore .GEFEST files
In some cases, you can recover files encrypted by .GEFEST ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.
Recover .GEFEST encrypted files using Shadow Explorer
In some cases, you have a chance to restore your files which were encrypted by the .GEFEST Ransomware virus. This is possible due to the use of the utility named ShadowExplorer. It is a free program which designed to obtain ‘shadow copies’ of files.
ShadowExplorer can be downloaded from the following link. Save it on your Desktop.
Category: Security tools
Update: February 27, 2018
Once the download is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown on the screen below.
Double click ShadowExplorerPortable to run it. You will see the a window as displayed in the following example.
In top left corner, choose a Drive where encrypted photos, documents and music are stored and a latest restore point as shown below (1 – drive, 2 – restore point).
On right panel look for a file that you want to recover, right click to it and select Export like below.
Use PhotoRec to restore .GEFEST files
Before a file is encrypted, the .GEFEST ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your photos, documents and music using file restore apps such as PhotoRec.
Download PhotoRec by clicking on the link below.
Category: Security tools
Update: March 1, 2018
After the download is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll open a screen as displayed below.
Select a drive to recover like below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as shown below.
Click File Formats button and choose file types to recover. You can to enable or disable the recovery of certain file types. When this is finished, press OK button.
Next, click Browse button to choose where recovered documents, photos and music should be written, then click Search.
Count of recovered files is updated in real time. All recovered photos, documents and music are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is complete, click on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as displayed below.
All restored files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your PC from .GEFEST Ransomware
Most antivirus software already have built-in protection system against the ransomware. Therefore, if your personal computer does not have an antivirus application, make sure you install it. As an extra protection, run the CryptoPrevent.
Use CryptoPrevent to protect your PC from .GEFEST Ransomware virus
Download CryptoPrevent on your Microsoft Windows Desktop by clicking on the link below.
Run it and follow the setup wizard. Once the installation is finished, you’ll be displayed a window where you can select a level of protection, as displayed in the figure below.
Now click the Apply button to activate the protection.
To sum up
Now your machine should be clean of the .GEFEST ransomware virus. Remove MalwareBytes AntiMalware (MBAM) and KVRT. We recommend that you keep Zemana Free (to periodically scan your PC system for new malware). Moreover, to prevent virus, please stay clear of unknown and third party software, make sure that your antivirus application, turn on the option to block or search for ransomware.
If you need more help with .GEFEST ransomware virus related issues, go to here.