.Gehad file extension ransomware virus (Restore, Decrypt .gehad files)

Myantispyware team July 18, 2019    

A new variant of ransomware virus has been discovered by cyber threat analysts. It appends the .gehad file extension to encrypted files. This ransomware targets computers running MS Windows and is distributed through spam emails, bundled malicious software, or by an attacker installing the ransomware manually. This blog post will provide you with a brief summary of information related to this ransomware virus and how to restore (decrypt) encrypted documents, photos and music for free.

Files encrypted by Gehad ransomware

Once installed, the Gehad ransomware begins searching attached disks and even networked drives for documents, images, web application-related files, videos, archives, music and databases. It is able to encrypt almost all types of files, including common ones such as:

.1, .xlsm, .fos, .p7b, .ws, .xld, .wn, .xls, .fpk, .docm, .vcf, .zdb, .pem, .pst, .doc, .wma, .bc7, .wm, .desc, .dng, .hplg, .wri, .wpb, .blob, .wpl, .raf, .ibank, .sid, .vpp_pc, .x3d, .webp, .srf, .mov, .wbk, .kf, .css, .xlk, .raw, .pak, .crt, .ods, .xlgc, .bkp, .xbdoc, .crw, .avi, .hkdb, .cr2, .mp4, .ysp, .xf, .slm, .wbd, .wp6, .srw, .wbz, .wpd, .lrf, .vfs0, .wmv, .accdb, .m2, .layout, .pkpass, .hkx, .sie, .d3dbsp, .kdc, .ltx, .iwi, .odt, .bc6, .ybk, .wpw, .ff, .0, .xlsx, .wdp, .vpk, .t12, .lbf, .vtf, .tor, .xdb, .esm, .xar, .xyp, .3dm, .xpm, .orf, .wmv, .csv, .zip, .pfx, .qic, .wpa, .cfr, .py, .wcf, .wbc, .xwp, .wgz, .xls, .dazip, .wpt, .wb2, .xlsx, .ntl, .wma, .wsd, .p7c, .map, .wire, .3ds, .webdoc, .qdf, .y, .wp7, .rtf, .rim, .sidd, .zw, .xlsm, .z, .wav, .wsc, .dcr, .iwd, .pptm, .png, .snx, .wmd, .x, .rgss3a, .vdf, .psk, .1st, .wotreplay, .7z, .t13, .bay, .wbm, .wpg, .xll, .zdc, .m3u, .dwg, .xlsb, .rwl, .sql, .erf, .jpg, .itdb, .sav, .ptx, .mdbackup, .wps, .dbf, .wp5, .wbmp, .jpeg, .rb, .big, .der, .xxx, .x3f, .sidn, .lvl, .xyw, .zip, .tax, .rw2, .m4a, .wps, .js, .mdb, .xmind, .pdd, .dba, .xmmap, .menu, .bar, .wmf, .syncdb, wallet, .arw, .wpe, .xbplate, .mdf, .txt, .gho, .bkf, .p12, .ncf, .das, .yal, .rofl, .zi, .epk, .pef, .odb

With the encryption work done, all encrypted personal files will have the new .gehad extension appended to them. Gehad ransomware drops a file called ‘_readme.txt’. This file contains a ransom note written in English. The ransom note directs victims to make a payment to a cryptocurrency wallet in exchange for the keys needed to decrypt the files.
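The two indicators just described (the appended .gehad extension and a _readme.txt note in every affected folder) can be swept for with a short script. This is an added example, not the article's own tooling; the directory tree it scans is constructed in a temporary folder and the note text is a stand-in quoting the contact address from the threat summary.

```python
"""Defender-side sweep for the Gehad indicators described above.

Added example, not code from the original article. It walks a directory
tree and reports .gehad files, folders holding the '_readme.txt' note, the
original file types that were hit, and any contact address in the note.
"""
import os
import re
import tempfile
from collections import Counter

GEHAD_EXT = ".gehad"       # extension the ransomware appends
NOTE_NAME = "_readme.txt"  # ransom note dropped in each affected folder
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def sweep(root):
    """Return a summary of Gehad indicators found under `root`."""
    encrypted = []            # paths of .gehad files
    note_dirs = []            # folders containing the ransom note
    contacts = Counter()      # e-mail addresses quoted in the notes
    original_ext = Counter()  # file types hit, taken from 'name.docx.gehad'
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(GEHAD_EXT):
                encrypted.append(path)
                stem = name[: -len(GEHAD_EXT)]
                original_ext[os.path.splitext(stem)[1].lower() or "(none)"] += 1
            elif name.lower() == NOTE_NAME:
                note_dirs.append(dirpath)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for addr in EMAIL_RE.findall(fh.read()):
                        contacts[addr.lower()] += 1
    return {
        "encrypted_files": len(encrypted),
        "note_folders": len(note_dirs),
        "original_extensions": dict(original_ext),
        "contacts": dict(contacts),
        "infected": bool(encrypted or note_dirs),
    }


def build_sample_tree():
    """Constructed sample tree mimicking an infection; returns its root."""
    root = tempfile.mkdtemp(prefix="gehad_demo_")
    for sub in ("Documents", "Pictures"):
        os.makedirs(os.path.join(root, sub))
    for rel in ("Documents/report.docx.gehad", "Documents/budget.xlsx.gehad",
                "Pictures/holiday.jpg.gehad", "Pictures/notes.md"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\x00" * 16)  # dummy bytes, not real ciphertext
    # Constructed stand-in for the note, quoting the contact from the article
    note = "Don't worry, you can return all your files!\nContact: gorentos@bitmessage.ch\n"
    for sub in ("Documents", "Pictures"):
        with open(os.path.join(root, sub, NOTE_NAME), "w", encoding="utf-8") as fh:
            fh.write(note)
    return root


if __name__ == "__main__":
    for key, value in sweep(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Point `sweep()` at a real drive root to get the same summary for a suspected infection; the unencrypted `notes.md` in the sample shows that untouched files are not reported.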

Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-514KtsAKtH
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

 

Threat Summary

Name: Gehad
Type: Filecoder, File locker, Ransomware, Crypto virus, Crypto malware
Encrypted files extension: .gehad
Ransom note: _readme.txt
Contact: gorentos@bitmessage.ch
Ransom amount: $980 in Bitcoins
Symptoms: Unable to open files. Odd, new or missing file extensions. Files named ‘_readme.txt’ or ‘_readme’ in every folder with an encrypted file.
Distribution methods: Spam mails that contain malicious links. Drive-by downloading (when a user unknowingly visits an infected web site and malicious software is installed without the user’s knowledge). Social media posts (used to trick users into downloading malicious software with a built-in ransomware downloader or into clicking a misleading link). Torrent web pages.
Removal: To remove Gehad ransomware, use the removal guide below.
Decryption: To decrypt Gehad ransomware, use the steps below.

In the tutorial below, I have outlined a few methods that you can use to remove Gehad ransomware from your personal computer and restore .gehad files from Shadow Volume Copies or using file recovery apps.

Quick links

  1. How to remove Gehad crypto virus
  2. How to decrypt .gehad files
  3. How to restore .gehad files
  4. How to protect your system from Gehad crypto virus?
  5. Finish words

How to remove Gehad crypto virus

There are not many good free antimalware applications with a high detection ratio. The effectiveness of malicious software removal utilities depends on various factors, mostly on how often their virus/malware signature databases are updated so that they can effectively detect modern worms, trojans, ransomware and other malware. We suggest running several applications, not just one. The applications listed below will allow you to uninstall all components of the Gehad ransomware from your disk and Windows registry.

How to remove Gehad ransomware virus with Zemana Free

Zemana Free is a malicious software scanner that is very effective at detecting and removing Gehad ransomware. The steps below explain how to download, install, and use Zemana Free to scan your computer and remove ransomware, spyware, adware, malware, trojans and worms for free.
Zemana delete Gehad ransomware, other malicious software, worms and trojans

  1. Download Zemana Anti-Malware (ZAM) on your machine from the link below.
    Zemana AntiMalware (Author: Zemana Ltd, Category: Security tools, Update: July 16, 2019)
  2. At the download page, click on the Download button. Your web-browser will open the “Save as” dialog box. Please save it onto your Windows desktop.
  3. After the download is done, please close all applications and open windows on your PC system. Next, run a file named Zemana.AntiMalware.Setup.
  4. This will run the “Setup wizard” of Zemana Free onto your personal computer. Follow the prompts and don’t make any changes to default settings.
  5. When the Setup wizard has finished installing, the Zemana Free will start and show the main window.
  6. Further, click the “Scan” button to scan your system for Gehad ransomware virus related files, folders and registry keys. This procedure can take quite a while, so please be patient. While the Zemana program is scanning, you can see how many objects it has identified as threats.
  7. After the system scan is done, Zemana AntiMalware will prepare a list of unwanted apps and crypto virus components.
  8. You may delete items (move them to Quarantine) by simply clicking the “Next” button. The utility will uninstall Gehad ransomware virus related files, folders and registry keys. When the clean-up is finished, you may be prompted to reboot the PC system.
  9. Close the Zemana and continue with the next step.

Remove Gehad virus with MalwareBytes

Getting rid of Gehad ransomware virus manually is difficult and often the ransomware is not completely removed. Therefore, we recommend you run MalwareBytes Free, which will fully clean your computer. Moreover, this free program will allow you to uninstall malware, potentially unwanted programs, toolbars and adware that your machine may also be infected with.

Please go to the link below to download MalwareBytes AntiMalware (MBAM). Save it on your Windows desktop or in any other place.

Malwarebytes Anti-malware (Author: Malwarebytes, Category: Security tools, Update: April 15, 2020)

Once the downloading process is finished, close all windows on your computer. Further, run the file named mb3-setup. If the “User Account Control” prompt pops up as displayed in the following example, click the “Yes” button.

MalwareBytes Free for Microsoft Windows uac prompt

It will show the “Setup wizard” that will allow you to install MalwareBytes on the machine. Follow the prompts and do not make any changes to the default settings.

MalwareBytes Free for Microsoft Windows install wizard

Once setup has finished successfully, click the Finish button. MalwareBytes AntiMalware will then launch automatically and you will see its main window as displayed in the following example.

MalwareBytes Anti-Malware for MS Windows

Next, click the “Scan Now” button to begin checking your machine for the Gehad crypto virus and other kinds of potential threats like malware and trojans. When a threat is found, the number of security threats will change accordingly.

MalwareBytes AntiMalware for Microsoft Windows search for Gehad ransomware virus related files, folders and registry keys

After MalwareBytes Free completes the scan, it will open a scan report. Review the report and then press the “Quarantine Selected” button.

MalwareBytes AntiMalware (MBAM) for MS Windows, scan for crypto virus is finished

MalwareBytes Anti-Malware (MBAM) will uninstall the Gehad crypto malware and other kinds of potential threats like malicious software and trojans, and add the items to the Quarantine. Once disinfection is finished, you may be prompted to restart your machine. We suggest you look at the following video, which completely explains the procedure of using MalwareBytes Free to delete browser hijackers, adware and other malicious software.

Use KVRT to remove Gehad ransomware virus

KVRT is a free removal utility that can scan your PC system for a wide range of security threats like the Gehad crypto virus, adware, PUPs and other malicious software. It performs a deep scan of your PC including hard drives and the Microsoft Windows registry. When malware is found, it helps you remove all found threats from your computer with a simple click.

Download Kaspersky virus removal tool (KVRT) by clicking on the link below. Save it to your Desktop so that you can access the file easily.

Kaspersky virus removal tool (Author: Kaspersky® lab, Category: Security tools, Update: March 5, 2018)

When the download is finished, double-click on the KVRT icon. Once the initialization procedure is complete, you will see the KVRT screen as on the image below.

KVRT main window

Click Change Parameters and tick all your drives. Click OK to close the Parameters window. Next, click the Start scan button. Kaspersky virus removal tool will start scanning the whole system to find the Gehad crypto malware and other known infections. A system scan can take anywhere from 5 to 30 minutes, depending on your system. While the KVRT program is scanning, you can see how many objects it has identified as threats.

Kaspersky virus removal tool scanning

When the checking is complete, Kaspersky virus removal tool will open a screen which contains a list of malicious software that has been detected like below.

KVRT scan report

You may remove threats (move them to Quarantine) by simply clicking Continue to begin the cleaning task.

How to decrypt .gehad files

The encryption algorithm is so strong that it’s practically impossible to decrypt .gehad files without the actual key. The bad news is that the only way to get your files back is to pay ($980 in Bitcoins) the makers of the Gehad ransomware virus for a copy of the private key.

Should you pay the ransom

Should you pay the ransom? The majority of experienced security professionals will reply immediately that you should never pay a ransom if infected by ransomware! Even if you choose to pay the ransom, there is no 100% guarantee that you will be able to decrypt all your photos, documents and music!

Files encrypted by Gehad ransomware

With some variants of Gehad ransomware, it is possible to decrypt encrypted files using the free tool described below.

Michael Gillespie (@) released the Gehad decryption tool named STOPDecrypter. It can decrypt .gehad files if they were encrypted with one of the known offline keys retrieved by Michael Gillespie. Please check the Twitter post for more info.

STOPDecrypter

Gehad decryption tool

STOPDecrypter is a program that can be used to decrypt Gehad files. One of the biggest advantages of STOPDecrypter is that it is free and easy to use. Also, its database of offline keys is constantly updated. Let’s see how to install STOPDecrypter and decrypt .gehad files using this free tool.

  1. Installing STOPDecrypter is simple. First, download STOPDecrypter to your Windows Desktop from the following link.
    download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
  2. After the download is done, close all applications and windows on your machine. Open the file location and right-click on the icon named STOPDecrypter.zip.
  3. Next, select ‘Extract all’ and follow the prompts.
  4. Once the extraction process is finished, run STOPDecrypter. Select the directory and press the Decrypt button.

How to restore .gehad files

In some cases, you can recover files encrypted by the Gehad crypto virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted files.

Use ShadowExplorer to restore .gehad files

In order to restore .gehad files encrypted by the Gehad crypto malware from Shadow Volume Copies, you can use a tool named ShadowExplorer. We recommend using this method as it is easier to find and restore the previous versions of the encrypted files you need in an easy-to-use interface.

First, click the link below, then click the ‘Download’ button in order to download the latest version of ShadowExplorer.

ShadowExplorer (Author: ShadowExplorer.com, Category: Security tools, Update: September 15, 2019)

Once the download is complete, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown on the screen below.

ShadowExplorer folder

Launch the ShadowExplorer tool, then choose the disk (1) and the date (2) from which you want to restore the shadow copy of the file(s) encrypted by the Gehad ransomware, as displayed on the image below.

ShadowExplorer recover files encrypted by the Gehad ransomware

Now navigate to the file or folder that you want to recover. When ready, right-click on it and click the ‘Export’ button as displayed in the figure below.

ShadowExplorer restore file

Restore .gehad files with PhotoRec

Before a file is encrypted, the Gehad crypto virus makes a copy of the file, encrypts the copy, and then deletes the original file. This allows you to recover your personal files using file recovery apps such as PhotoRec.
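PhotoRec works because of the copy-encrypt-delete behaviour just described: the original's bytes stay in unallocated space until something overwrites them, and PhotoRec finds them by scanning raw sectors for known file headers and footers instead of consulting the file system. The following added example (not PhotoRec's code) shows that carving principle over a constructed byte buffer holding a tiny PNG and a fake JPEG between runs of junk.

```python
"""Minimal signature-based file carver, the principle behind PhotoRec.

Added example, not part of the original article or of PhotoRec. It scans a
raw byte buffer (standing in for unallocated disk space) for PNG and JPEG
headers and cuts each file out at its footer.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"   # every PNG starts with this 8-byte signature
JPEG_SOI = b"\xff\xd8\xff"       # JPEG start-of-image marker plus next marker byte
JPEG_EOI = b"\xff\xd9"           # JPEG end-of-image marker


def carve(raw):
    """Return a list of (offset, kind, data) for images found in `raw`."""
    found = []
    pos = 0
    while pos < len(raw):
        hits = [(raw.find(sig, pos), kind)
                for sig, kind in ((PNG_SIG, "png"), (JPEG_SOI, "jpeg"))]
        hits = [h for h in hits if h[0] != -1]
        if not hits:
            break
        start, kind = min(hits)  # earliest header wins
        if kind == "png":
            # A PNG ends with its IEND chunk: 'IEND' followed by a 4-byte CRC
            end = raw.find(b"IEND", start)
            if end == -1:
                break
            end += 8
        else:
            end = raw.find(JPEG_EOI, start + len(JPEG_SOI))
            if end == -1:
                break
            end += len(JPEG_EOI)
        found.append((start, kind, raw[start:end]))
        pos = end  # resume after the carved file
    return found


def make_png_chunk(ctype, body):
    """Build one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_disk():
    """Constructed 'unallocated space': junk, a 1x1 PNG, junk, a fake JPEG, junk."""
    ihdr = make_png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = make_png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    png = PNG_SIG + ihdr + idat + make_png_chunk(b"IEND", b"")
    jpeg = JPEG_SOI + b"\xe0" + b"JFIF\x00" + b"\x11" * 20 + JPEG_EOI
    junk = b"\x00" * 37 + b"\xab\xcd" * 10
    return junk + png + junk + jpeg + junk, png, jpeg


if __name__ == "__main__":
    disk, _png, _jpeg = build_sample_disk()
    for off, kind, data in carve(disk):
        print(f"{kind} at offset {off}, {len(data)} bytes")
```

A real carver adds many more signatures and sanity checks on the recovered data, which is why PhotoRec's "File Formats" dialog lets you narrow the types it looks for.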

Download PhotoRec on your Microsoft Windows Desktop by clicking on the link below.

PhotoRec (Author: CGSecurity, Category: Security tools, Update: March 1, 2018)

When the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll display a screen as shown in the following example.

PhotoRec for windows

Choose a drive to recover such as the one below.

photorec choose drive

You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as on the image below.

photorec choose partition

Click the File Formats button and specify the file types to restore. You can enable or disable the recovery of certain file types. When this is complete, click the OK button.

PhotoRec file formats

Next, click the Browse button to choose where the recovered personal files should be written, then click Search.

photorec

The count of recovered files is updated in real time. All restored files are written to the folder you chose in the previous step. You can access the files even if the recovery process has not finished.

When the recovery is done, press the Quit button. Next, open the directory where the recovered files are stored. You will see contents as on the image below.

PhotoRec - result of recovery

All recovered personal files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, you can sort the recovered files by extension and/or date/time.

How to protect your system from Gehad crypto virus?

Most antivirus programs already have built-in protection against ransomware. Therefore, if your computer does not have an antivirus program, make sure you install one. As extra protection, run HitmanPro.Alert.

Run HitmanPro.Alert to protect your machine from Gehad ransomware

HitmanPro.Alert is a small security tool. It checks system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse the effects of ransomware.

Visit the following page to download the latest version of HitmanPro Alert for Microsoft Windows. Save it to your Desktop.

HitmanPro.Alert (Author: Sophos, Category: Security tools, Update: March 6, 2019)

When downloading is complete, open the file location. You will see an icon like below.

HitmanPro.Alert file icon

Double-click the HitmanPro Alert desktop icon. After the utility opens, a window will be displayed where you can choose a level of protection, as shown in the following example.

HitmanPro.Alert install

Now click the Install button to activate the protection.

Finish words

After completing the step-by-step guide above, your PC should be free from the Gehad crypto virus and other malicious software, and your personal files will no longer be encrypted. Unfortunately, if the step-by-step tutorial does not help you, then you have caught a new variant of the crypto malware, and the best option is to ask for help here.


1 Comment

  1. nickrobin
    ― July 19, 2019 - 12:27 am

    If you have also suffered from the Ransomware attack, then I will suggest you consult the article to get the required protection for the system.
