Computer security specialists discovered a new variant of ransomware which named ‘Godes file virus‘. It appends the .godes file extension to encrypted file names.
“Godes virus” ransom note
The Godes file virus was developed by attackers to encrypt various files on the user’s computer, using a complex encryption algorithm AES-RSA, which makes it impossible for the user to independently unlock the affected files that have received .godes extension. Locked files become unusable and the user has no choice but to pay cyber frauds the amount of money they indicate in the ransom note and which is $980. After the transfer of this amount, the scammers promise to send the user a unique tool for unlocking files, which is a special code key.
Text presented in the Godes ransom message:
ATTENTION!
Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-WbgTMF1Jmw
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
Godes file virus is not the only development of the STOP family, for some of them (Lokas, Cezor), there are already ways to decrypt locked files that were developed by Michael Gillespie. This gives hope that a unique decryption tool can be found for this code as well. However, since each case of coding is original, users should seek help and provide an identifier that will give the opportunity to get the key and free decryption tool (look for more info below).
Threat Summary
| Name | Godes |
| Type | Filecoder, Ransomware, Crypto virus, Crypto malware, File locker |
| Encrypted files extension | .godes |
| Ransom note | _readme.txt |
| Contact | gorentos@bitmessage.ch |
| Ransom amount | $980 in Bitcoins |
| Symptoms | Encrypted photos, documents and music. Windows Explorer displays a blank icon for the file type. Your file directories contain a ‘ransom note’ file that is usually a .txt file. |
| Distribution methods | Malicious spam (also known as ‘malspam’). Drive-by downloads (crypto malware is able to infect the personal computer simply by visiting a web site that is running harmful code). Social media posts (they can be used to trick users to download malicious software with a built-in ransomware downloader or click a suspicious link). Remote desktop protocol (RDP) hacking. |
| Removal | Godes ransomware removal guide |
| Decryption | Godes decryption steps |
Quick links
- How to remove Godes ransomware virus
- How to decrypt .godes files
- How to restore .godes files
- How to protect your machine from Godes crypto malware?
- Finish words
How to remove Godes ransomware virus
The following instructions will help you to remove Godes ransomware virus and other malware. Before doing it, you need to know that starting to remove crypto malware, you may block the ability to decrypt documents, photos and music by paying creators of the crypto virus requested ransom. Zemana Anti-malware, Kaspersky virus removal tool and other tools listed below can detect different types of active ransomware and easily uninstall it from your PC, but they can not recover encrypted documents, photos and music.
Remove Godes file virus with Zemana Anti-Malware (ZAM)
Zemana Anti-Malware is a malicious software scanner that is very useful for detecting and uninstalling Godes ransomware virus. The steps below will explain how to download, install, and use Zemana Anti Malware (ZAM) to scan your computer and remove ransomware, worms, adware, trojans, malicious software, spyware for free.
Download Zemana by clicking on the following link.
164986 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Once the downloading process is done, close all programs and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup such as the one below.
When the installation starts, you will see the “Setup wizard” which will allow you set up Zemana on your computer.
Once installation is done, you will see window as on the image below.
Now click the “Scan” button to perform a system scan for the Godes file virus, other kinds of potential threats like malware and trojans. A system scan can take anywhere from 5 to 30 minutes, depending on your PC system. When a malicious software, adware or potentially unwanted software are detected, the number of the security threats will change accordingly.
As the scanning ends, a list of all items found is produced. Review the report and then click “Next” button.
The Zemana Anti-Malware will remove Godes ransomware, other kinds of potential threats like malicious software and trojans.
Use KVRT to remove Godes ransomware
KVRT is a free removal utility that can be downloaded and use to remove ransomware, adware, malware, trojans, worms and other threats from your system. You can use this utility to find threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop by clicking on the link below.
129279 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once downloading is complete, double-click on the KVRT icon. Once initialization procedure is finished, you’ll see the KVRT screen like below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button to search for Godes crypto virus and other malware. This task can take quite a while, so please be patient. While the KVRT program is scanning, you can see number of objects it has identified as threat.
After Kaspersky virus removal tool has finished scanning, KVRT will show a list of found threats as shown on the screen below.
Review the scan results and then press on Continue to begin a cleaning procedure.
How to decrypt .godes files
You can damage files that blocked by the Godes ransomware, or make them useless forever if you try to decrypt them without proper code key, which is almost impossible in view of its cryptographic complexity. It is very important to know and understand the level of importance of constantly backing up important files to various media, such as a USB drive, so that in case of damage to your computer by malicious programs you can always extract a copy of corrupted files.
Most users, wishing to restore access to blocked files, pay the ransom amount of money to cybercriminals. However, it is important to remember before performing this action that you are interacting with unscrupulous and dishonest people, and the probability that after transferring money they will not provide you with a code key to unlock files or increase the amount of ransom is high enough. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware.
With some variants of Godes ransomware, it is possible to decrypt encrypted files using free tools.
Michael Gillespie (@) released the Godes decryption tool named STOPDecrypter. It can decrypt .Godes files if they were encrypted by one of the known OFFLINE KEY’s retrieved by Michael Gillespie. Please check the twitter post for more info.
Godes decryption tool
STOPDecrypter is a program that can be used for Godes files decryption. One of the biggest advantages of using STOPDecrypter is that is free and easy to use. Also, it constantly keeps updating its ‘OFFLINE KEYs’ DB. Let’s see how to install STOPDecrypter and decrypt .godes files using this free tool.
- Installing the STOPDecrypter is simple. First you will need to download STOPDecrypter on your Windows Desktop from the following link.
download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip - After the downloading process is done, close all applications and windows on your machine. Open a file location. Right-click on the icon that’s named STOPDecrypter.zip.
- Further, select ‘Extract all’ and follow the prompts.
- Once the extraction process is finished, run STOPDecrypter. Select Directory and press Decrypt button.
If STOPDecrypter does not help you to decrypt .godes files, in some cases, you have a chance to recover your files, which were encrypted by ransomware. This is possible due to the use of the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.
How to restore .godes files
In some cases, you can recover files encrypted by Godes crypto virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted photos, documents and music.
Restore .godes encrypted files using Shadow Explorer
In some cases, you have a chance to restore your files which were encrypted by the Godes crypto virus. This is possible due to the use of the utility called ShadowExplorer. It is a free application that designed to obtain ‘shadow copies’ of files.
First, click the following link, then click the ‘Download’ button in order to download the latest version of ShadowExplorer.
439625 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once the downloading process is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed on the image below.
Double click ShadowExplorerPortable to launch it. You will see the a window as displayed in the following example.
In top left corner, select a Drive where encrypted personal files are stored and a latest restore point such as the one below (1 – drive, 2 – restore point).
On right panel look for a file that you want to recover, right click to it and select Export as shown on the screen below.
Restore .godes files with PhotoRec
Before a file is encrypted, the Godes ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file restore software such as PhotoRec.
Download PhotoRec on your MS Windows Desktop by clicking on the following link.
Once the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown in the following example.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll show a screen like the one below.
Select a drive to recover as shown below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music as on the image below.
Click File Formats button and specify file types to restore. You can to enable or disable the restore of certain file types. When this is finished, click OK button.
Next, click Browse button to choose where restored personal files should be written, then click Search.
Count of recovered files is updated in real time. All recovered documents, photos and music are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is complete, press on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as on the image below.
All restored personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your machine from Godes crypto malware?
Most antivirus programs already have built-in protection system against the ransomware virus. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Run HitmanPro.Alert to protect your system from Godes crypto malware
All-in-all, HitmanPro.Alert is a fantastic utility to protect your system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of MS Windows operating system from Windows XP to Windows 10.
HitmanPro Alert can be downloaded from the following link. Save it to your Desktop so that you can access the file easily.
After the downloading process is finished, open the file location. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. Once the utility is opened, you’ll be displayed a window where you can choose a level of protection, like below.
Now click the Install button to activate the protection.
Finish words
Now your computer should be free of the Godes crypto malware. Uninstall MalwareBytes Free and KVRT. We recommend that you keep Zemana AntiMalware (ZAM) (to periodically scan your PC for new malware). Make sure that you have all the Critical Updates recommended for MS Windows operating system. Without regular updates you WILL NOT be protected when new ransomware virus, malicious software and adware are released.
If you are still having problems while trying to delete Godes ransomware from your computer, then ask for help here.
thanks buddy you save my files from godes virus infection. thank you so much brother allah bless you