What is GTF file
.[grandtheftfiles@aol.com].GTF is a file extension that uses a new malware belonging to the Crysis/Dharma ransomware family to mark files that have been encrypted. Ransomware is a malicious program that encrypts user files and demands a ransom for a key-decryptor pair that is necessary to decrypt the affected files. Ransomware uses a strong encryption system and a long key, which virtually eliminates the possibility of decrypting files without a key. Files encrypted with .[grandtheftfiles@aol.com].GTF extension become useless, their contents cannot be read without the key that the criminals have.
What is GTF ransomware virus
GTF virus is one of the variants of Dharma/Crysis ransomware. This malware most often gets to the computer as part of other programs (torrents files, freeware, cracked apps and games) that have been downloaded by the user from the Internet. After its start, the virus begins to encrypt files using a key that is individual for each computer. GTF virus uses a very strong encryption system, which eliminates the possibility of determining the key, even using a super computer. The encryption process is very fast, regardless of what is in the file, the virus can easily encrypt it. GTF can encrypt almost all files that are on the computer, including those located on network drives. The only thing that the virus does not encrypt is the files that are necessary for the Windows OS to function normally. Below we list the types of files that can be encrypted by the ransomware.ted:
.dcr, .epk, .rwl, .litemod, .wav, .dbf, .crt, .mdb, .big, .fos, .zi, .itdb, .wp4, .psk, .ltx, .rw2, .xlk, .sb, .pfx, .dazip, .apk, .ncf, .rb, .map, .zdc, .vpk, .sr2, .xlsm, .pak, .hkdb, .bkf, .gdb, .rar, .rtf, .7z, .p12, .x3f, .pst, .rofl, .wmf, .sum, .asset, .wp7, .kdc, .upk, .ntl, .bay, .cas, .xyw, .pptm, .pdd, .d3dbsp, .py, .xdb, .p7b, .jpeg, .xls, .srf, .wsc, .sidd, .layout, .zdb, .wdb, .mddata, .lrf, .xf, .wpd, .wpt, .z, .sie, .wpw, .slm, .bkp, .m4a, .1, .wmv, .webp, .dmp, .mp4, .wpg, .dxg, .icxs, .syncdb, .x, .pkpass, .qic, .m2, .mov, .vfs0, .p7c, .mcmeta, .forge, .bc6, .crw, .wsh, .wpb, wallet, .wbd, .hkx, .xbdoc, .w3x, .yal, .rim, .wm, .xyp, .vtf, .arw, .zip, .xxx, .xx, .fpk, .xmind, .wmo, .iwd, .wcf, .wb2, .mrwref, .odb, .GTF, .webdoc, .sid, .xar, .docx, .wbz, .db0, .hplg, .orf, .itm, .t13, .csv, .kf, .wma, .sidn, .xls, .odt, .cer, .wmd, .wma, .odc, .xlsx, .fsh, .blob, .vpp_pc, .xwp, .esm, .js, .raw, .x3f, .3ds, .wp, .wn, .mdf, .wpl, .menu, .wire, .dng, .wps, .kdb, .wps, .odp, .tor, .ws, .ppt, .txt, .bar, .wp6, .der, .raf, .eps, .jpe, .wp5, .cdr, .sis, .vcf, .css, .wbm, .xml, .wsd, .pem, .wpe, .vdf, .zabw, .r3d, .mef, .xlsm, .3fr, .lbf, .sav, .wri, .bik, .flv, .nrw, .bc7, .xmmap, .0, .dwg, .m3u, .sql, .ysp, .png, .gho, .y, .xbplate, .xpm, .jpg, .xlsx, .dba, .t12, .doc, .das, .cfr, .wpd, .3dm, .indd, .desc, .ztmp, .wot, .tax, .ybk, .qdf, .re4, .xdl, .ff, .avi, .cr2, .z3d, .yml, .1st, .mlx, .bsa, .xll, .mpqge, .2bp, .hvpl, .wbc, .x3d, .wpa, .wdp, .svg, .iwi, .psd, .wmv, .zw, .wotreplay, .xy3, .lvl, .xld, .itl, .rgss3a, .arch00, .xlgc, .pptx
When the file is encrypted, ‘.id-USERID.[EMAIL-ADDRESS].GTF’ is added at the end of its name, that is, if you had a file of ‘document.docx’, then a file with the name ‘document.docx.id-USERID.[EMAIL-ADDRESS].GTF’ will appear in its place. If you change the file name, just delete the added extension, then nothing will change. The file will remain encrypted, and as before, this file will not be possible to open in the program with which it is associated.
Perhaps you found on your computer or its desktop a new file called ‘FILES ENCRYPTED.txt’, which for some reason is not encrypted. An example of such a file is given below.
all your data has been locked us
You want to return?
write email grandtheftfiles@aol.com or grandtheftfiles@cock.l
This file is very important, in addition to containing a ransom demand, it also contains information that allows you to contact intruders. According to the message, the victim is invited to contact the attackers using the given email address. In response, the authors of the virus will give a Bitcoin address to which the ransom must be transferred. Of course, you should understand that there is no guarantee that the attackers, after receiving the ransom, will provide you with the key necessary to decrypt your files. In addition, by paying the ransom, you will push attackers to create a new ransomware.
Threat Summary
Name | GTF ransomware virus |
Type | File locker, Filecoder, Crypto malware, Crypto virus, Ransomware |
Encrypted files extension | .[grandtheftfiles@aol.com].GTF |
Ransom note | FILES ENCRYPTED.txt |
Contact | grandtheftfiles@aol.com, grandtheftfiles@cock.li |
Ransom amount | $500-$1500 in Bitcoins |
Detection Names | Trojan/Win32.Crysis.R213980, Ransom:Win32/Crusis.7e10d735, Trojan.Ransom.Crysis.E, Win32:RansomX-gen [Ransom], Ransom.Crysis.A3, TrojWare.Win32.Crysis.D@6sd9xy, Trojan.Encoder.3953, Win32.Trojan-Ransom.VirusEncoder.A, Trojan-Ransom.Win32.Crusis.to |
Symptoms | Your files fail to open. Your personal files now have odd extensions that end with something like .locked, .crypted or .cryptor. Files named such as ‘FILES ENCRYPTED.txt’, ‘READ-ME’, ‘_open me’, _DECRYPT YOUR FILES’ or ‘_Your files have been encrypted” in every folder with an encrypted file. New files on your desktop, with name variants of: ‘HOW_TO_DECRYPT.txt’, ‘DECRYPT.txt’ or ‘README.txt’. |
Distribution methods | Phishing emails that contain malicious attachments. Drive-by downloading (when a user unknowingly visits an infected web page and then malware is installed without the user’s knowledge). Social media, like web-based instant messaging programs. Cybercriminals use misleading ads to distribute malware with no user interaction required. |
Removal | GTF ransomware removal guide |
Recover encrypted files | GTF file recovery steps |
As we have already said, GTF virus is not the first in its series. The fact that to date, antivirus companies have not created a way to decrypt files, and just have not found a 100% way to protect the user’s computers (otherwise how would you be on our site), indicates the complexity of the virus and the method that it uses to encrypt files. Nevertheless, you do not need to despair. There are several ways to find and remove GTF ransomware, and there is also a chance to restore part or even all encrypted files to their original state. Below we will describe in detail how to do this.
How to remove GTF virus & Restore .[grandtheftfiles@aol.com].GTF files
If you encounter the malicious actions of GTF virus, and your files have been encrypted with ‘.[grandtheftfiles@aol.com].GTF’ extension, then you need to remove the virus or be 100% sure that there is no ransomware on your computer, and then proceed to restore the files. Both the virus removal process and the file recovery process will take a lot of time, so do not believe the magical instructions that say that this can be done very quickly. We definitely recommend, even if for some reason one of the methods proposed below did not suit you, try another one and try all of them. Perhaps one of them will help you. Feel free to ask questions in the special section on our website or in the comments below. In addition, we want to add that all the tools that we recommend using in our instructions are free and verified by security experts. And the last, before proceeding with the instructions, we advise you to read it thoroughly carefully, and then print or open it on a tablet or smartphone to have it always at hand.
How to remove GTF ransomware virus
To remove the GTF virus, we recommend using free malware removal tools, which we will consider below. You can use them in the same sequence as we gave, or in the order as you like. Perhaps you think that this virus can be removed manually by using some magic OS functions or by pressing a few keys. Probably a professional or computer specialist with great knowledge will be able to, but I recommend you use malware removal tools. They will do all the work for you, and most importantly they will prevent damage to system files that you might accidentally do. Of course, if you have an antivirus, you can use it first, but if it missed this ransomware, then your trust in it is greatly undermined.
Remove GTF ransomware with Zemana Anti Malware
Zemana Anti Malware is a free malicious software removal utility. Currently, there are two versions of the utility, one of them is free and second is paid (premium). The principle difference between the free and paid version of the utility is real-time protection module. If you just need to scan your computer for malware and remove GTF ransomware related folders,files and registry keys, then the free version will be enough for you.
- First, please go to the link below, then press the ‘Download’ button in order to download the latest version of Zemana.
Zemana AntiMalware
164103 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- After the download is done, close all software and windows on your personal computer. Open a folder in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup.
- Further, click Next button and follow the prompts.
- Once install is finished, click the “Scan” button to perform a system scan for the GTF ransomware and other security threats. During the scan Zemana Free will look for threats present on your computer.
- When Zemana Anti-Malware (ZAM) completes the scan, Zemana Anti Malware will display you the results. Once you have selected what you wish to delete from your personal computer click “Next”. When finished, you can be prompted to reboot your system.
Remove GTF with MalwareBytes AntiMalware
We suggest using the MalwareBytes Anti Malware. You can download and install MalwareBytes to scan for and remove GTF virus from your PC system. When installed and updated, this free malicious software remover automatically searches for and removes all threats present on the system.
- Visit the page linked below to download the latest version of MalwareBytes for Microsoft Windows. Save it on your Microsoft Windows desktop or in any other place.
Malwarebytes Anti-malware
326457 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- When downloading is finished, close all software and windows on your PC system. Open a directory in which you saved it. Double-click on the icon that’s named mb3-setup.
- Further, click Next button and follow the prompts.
- Once install is complete, press the “Scan Now” button to begin checking your personal computer for the GTF crypto virus, other malware, worms and trojans. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your system. When a malicious software, adware software or potentially unwanted apps are found, the number of the security threats will change accordingly.
- As the scanning ends, it will open the Scan Results. All detected items will be marked. You can remove them all by simply click “Quarantine Selected”. After finished, you may be prompted to restart your PC.
The following video offers a few simple steps on how to remove browser hijackers, adware software and other malware with MalwareBytes AntiMalware.
Run KVRT to delete GTF ransomware virus
Kaspersky virus removal tool (KVRT) is free and easy to use. It can scan and delete crypto malware, spyware, PUPs, worms, trojans, adware and other malware. KVRT is powerful enough to find and remove malicious registry entries and files that are hidden on the personal computer.
Download Kaspersky virus removal tool (KVRT) by clicking on the link below.
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When the downloading process is finished, double-click on the KVRT icon. Once initialization procedure is finished, you’ll see the Kaspersky virus removal tool screen as displayed below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button for scanning your computer for the GTF crypto virus and other known infections. This procedure can take quite a while, so please be patient. While the Kaspersky virus removal tool utility is scanning, you can see how many objects it has identified as being affected by malware.
When that process is complete, KVRT will show you the results such as the one below.
All detected threats will be marked. You can remove them all by simply press on Continue to start a cleaning task.
How to decrypt .[grandtheftfiles@aol.com].GTF files
All files with the ‘.[grandtheftfiles@aol.com].GTF’ extension are encrypted. Their contents cannot be unlocked simply by removing this extension or completely changing the filename. Unfortunately, as we already reported in this article, there is currently no way to decrypt files. The reason for this is the complexity of the encryption algorithm that the authors of GTF virus use. In principle, this is what the attackers sought. But this does not mean that you have no choice and you need to pay a ransom for your files.
Never pay the ransom! Any security expert will tell you this. Of course, there is a chance that by paying a ransom, GTF virus authors will allow you to unlock your files, but there is no guarantee. Moreover, you should understand that when you pay a ransom, you unknowingly push the attackers to create new, even more destructive viruses.
Do not forget that besides you, thousands more people around the world have lost their files, that is, you are not alone. Antivirus companies, secuity experts are working on something that will allow you to decrypt .[grandtheftfiles@aol.com].GTF files. Perhaps in the future an universal method will be developed that will allow all victims to unlock all their data.
Of course, as soon as a way to decrypt the files appears, we will post a message about this to this article or to our facebook account. Therefore, we recommend that you follow the updates.
How to restore .[grandtheftfiles@aol.com].GTF files
As we wrote above, you cannot decrypt files encrypted with this virus. But you can use a different way, there is a small chance to restore .[grandtheftfiles@aol.com].GTF files without decrypting them. Programs created for searching and recovering lost and deleted data can help you with this. We offer you to use the following free programs: PhotoRec and ShadowExplorer. Only two things that I want to say additionally. First, before restoring files, you must be 100% sure that there is no ransomware on the computer. We recommend using free malware removal tools that we examined in this article. Second, and what is very important! The less you use your computer after ransomware infection, the higher the chance that you will be able to recover encrypted files.
Restore .[grandtheftfiles@aol.com].GTF files using Shadow Explorer
First of all, try to recover your files using a free tool called ShadowExplorer. This program will allow you to recover your files from Shadow Volume Copies. These copies are created automatically by the OS when you work with your files. Unfortunately, very often, the virus automatically deletes all these copies and thus prevents the user from recovering exnrypted files. Nevertheless, in some cases, the ransomware cannot delete all copies, and the user gets the opportunity to quickly restore all files. Therefore, our opinion, you should definitely try this method!
Installing the ShadowExplorer is simple. First you will need to download ShadowExplorer on your Windows Desktop from the following link.
438805 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once downloading is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown on the image below.
Double click ShadowExplorerPortable to start it. You will see the a window as displayed on the screen below.
In top left corner, select a Drive where encrypted documents, photos and music are stored and a latest restore point similar to the one below (1 – drive, 2 – restore point).
On right panel look for a file that you want to restore, right click to it and select Export as on the image below.
Use PhotoRec to restore .[grandtheftfiles@aol.com].GTF files
Another really working way to recover your encrypted files is to use a program named PhotoRec. It is created to recover deleted or lost files. Does the virus block this method? Fortunately, the GTF virus cannot block it in any way. Why is this possible you ask. This is possible for the reason that when you delete files using the standard OS function, these files are not actually deleted. Just the Windows marks them as deleted and does not show them in the list of files. The program that we suggest you use, finds deleted files, including files that were deleted by the ransomware, and recovers them.
Download PhotoRec on your computer by clicking on the following link.
When the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder such as the one below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll show a screen as on the image below.
Choose a drive to recover like below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as displayed in the figure below.
Click File Formats button and specify file types to restore. You can to enable or disable the restore of certain file types. When this is finished, click OK button.
Next, click Browse button to choose where recovered personal files should be written, then press Search.
Count of recovered files is updated in real time. All recovered photos, documents and music are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is complete, click on Quit button. Next, open the directory where recovered documents, photos and music are stored. You will see a contents as shown in the figure below.
All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your computer from GTF crypto malware
Most antivirus programs already have built-in protection system against the crypto malware. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert. HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Click the following link to download the latest version of HitmanPro.Alert for Windows. Save it to your Desktop so that you can access the file easily.
When downloading is done, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. Once the utility is opened, you will be displayed a window where you can select a level of protection, as shown in the following example.
Now click the Install button to activate the protection.
Finish words
This guide was created to help all victims of GTF ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to recover .[grandtheftfiles@aol.com].GTF files. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with GTF related issues, go to here.