Ghost ransomware - How to remove

Ghost ransomware might sound like a threat which would try its best to hide from the victim and stay invisible while still causing harm like typical ghosts, yet it’s not like that at all because the Ghost, that we are talking about, is a cryptovirus. In the malware world, such ransomware infections are inseparable from the Scareware characteristics, meaning that they use various very visual techniques to threaten its victims into paying the ransom, which is the main reason why developers created it.

Even though statistics showed, that with the rise of cryptocurrency miners slowly started replacing good old ransomware, like Ghost virus, because it is a more reliable way for crooks to generate profit, yet more crypto-demanding threat variants keep coming up causing troubles for gullible users. While Ghost ransomware seems to be made by malware amateurs rather than professionals, judging from certain features, it can still lock your precious digital memories and make them inaccessible even if you remove the virus.

Continue on reading this post, if you want to find out what methods 2-viruses.com team found to be most efficient and helpful for detecting and removing Ghost cryptovirus, restoring the encrypted files, as well as the important information about the ransomware, which will be useful for prevention in the future.

How does Ghost virus work

To make a long story short, Ghost ransomware is a type of malware that sneaks into computers, usually through infected email attachments, encrypts all the data, except for the important System files, and asks a compromised computer owner to buy the decrypting key. All crypto viruses behave the same and only a few features are different, like encrypting algorithms, added name extension, ransom note and demanded ransom amount.

Ghost cryptovirus specifically uses AES cipher to lock personal files, such as pictures, videos, music, documents, which it finds by their specific extension (e.g. .docx, .jpg, .png, .mp3 and etc.), then marks all of them by appending .Ghost string at the end of their names and drops a GUI format ransom note saying:

All your files have been encrypted



All your files have been encrypted. I have not deleted them yet.
To desencrypt 0.08116 bitcoin to the following address:
https://blockchain.info/payment_request?address = 1N7AmqH12EN3yAkVMPB5rZoVX758jgLbzj & amount_local = 500 & currency = USD & nosavecurrency = true & message = Pay% 20me!

Them, send a mail to [email protected] with your CODE ID.

I’m sorry for the inconvenience caused.

The reason why Ghost virus locks only personal files is that they are more valuable for the victim, therefore this causes more stress and desire to get them back at all costs, in addition to that, the user is still able to use the same computer to contact the hackers and send requested anonymous cryptocurrency. As for the extension, it is just another technique to show off for compromising the system and scaring victims even more. But paying hackers is Never a good idea.

Ghost ransomware was first mentioned on Twitter by @malwrhunterteam in mid-November, 2018, and then thoroughly researched by other malware experts as well. Cybersecurity professionals noticed that while the ransom note demands for 0.08116 BTC, the Blockchain payment link requested a different amount of 0.10692946 BTC and this was not the only mistake. It was noted that Ghost ransomware code contained several Spanish strings and used Gmail as its contact address (which does not provide much anonymity). These few signs together with the simplest, yet fastest AES algorithm, gave away that developers behind Ghost virus most likely are new in the malware business. More technical details on VirusTotal.com.

These characteristics mean a lot for ransomware analysts, which are trying to solve this Ghost ransomware issue but are completely irrelevant for victims who are really worried about their files, which despite the crooks’ mistakes are still unavailable. Luckily, this notorious virus can be removed with a probability to get back the data. While the Official decryptor is still in development, read further to see other possibilities and tactics after the Ghost ransomware invasion.

How is Ghost ransomware distributed

Ghost virus, just like Lolita, Delphimorix, Neverdies, is distributed via malspam. It is enough for hackers to Socially engineer some convincing email with a .pdf or .doc attachment, that carries the virus and send it to large email databases, which can be purchased on the DarkNet. The reason why so many people fall for these fake emails is that they are made to look like legitimate messages from the government, clients, employees, bank, attorneys, friends and etc. They usually are very short, intriguing and always request in one way or another to view the added file.

When the victim opens the file, enables Macros, because it is required to view the content of the document and Ghost ransomware gets executed and starts running background processes, quickly encrypting all targeted files. Macros is the most popular ransomware distribution vector because it is a tiny legitimate program which is not detected by antivirus until it is enabled. That is the reason why knowing how to Recognize phishing campaigns manually is crucial in order to protect yourself from the precious file loss.

How to delete Ghost virus and restore encrypted files

There are two major steps that you need to complete if you want to restore your system and data back to normal. First – remove the Ghost ransomware, second – recover files. Unusually eliminating the threat, in this case, is not the hardest part and is rather easy if you know what you are doing. The problem is that even when your PC will be free from Ghost virus, encrypted files will still stay locked.

If you have backups and constantly make restore points of your Windows, you are lucky, because it is enough to use our instructions below and bring the system back to the time, right before the Ghost ransomware invasion and you’ll get back all necessary files without any problems. However, if you don’t have the backups or there is one but from really old days when your locked files were not even on your PC, then you’ll have to go the longer road and use special tools such as malware remover Spyhunter to detect and delete ransomware and then try recovering files either with restoring software or Shadow copies, mentioned below.

Automatic Malware removal tools

How to recover Ghost ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Ghost ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Ghost ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Ghost ransomware. You can check other tools here.  

Step 3. Restore Ghost ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Ghost ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Ghost ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.