Guster ransomware - How to remove

An American alternative rock band has been “honored” to share a name with a crypto-ransomware infection. Guster is the title that rock music fans have come to recognize as their lovable group, but now, the name Guster is exploited to refer to a rather aggravating crypto-ransomware virus. Despite having the same goal as any other this type of threat, infection managed to single itself out by creating a lock screen-slash-ransom note as a video with audio recording. Victims will hear a woman’s voice, reading the text on the screen out loud. Despite that, it appends a common .locked extension to the encrypted files, which, according to the creators, are encrypted with a strong military cipher. It does not provide an exact algorithm exploited. Of course, like any other “good” hackers, these programmers offer their assistance in decryption of files: for a “small” price, obviously. 0.4 BTC is indicated as the necessary number of bitcoins that would motivate the creators of Guster virus to decrypt their victims’ files. The hackers indicate that 0.4 BTC is approximately 300 US Dollars. However, it is a little more than that: about 374 US dollars.

A more thorough analysis of Guster ransomware

Guster crypto-virus enters devices without any warning, and the lock screen appears just as unexpectedly. The ransomware will presumably target all of the popular file types from photos, music, videos to important Microsoft Word or Power Point documents. This means that basically any piece of data is available for encryption. After it has executed changes in Windows registry keys, contacted its C&C server and found suitable files, Guster virus will begin the process of file encoding. The payload of this ransomware is going to run in the background and its existence is only going to be revealed after a lock screen prevents you from accessing your system. The ransom note in this screen is quite long and hackers make sure to threaten their victims to do not try any tricks for a free decryption. Guster virus warns that such attempts will end in a permanent loss of the encrypted data. To pay the demanded ransom, hackers give only 48 hours. If their requirements won’t be met, then the files are also going to be deleted for good. Guster ransomware instructs its victims to learn how to buy and send bitcoins. Then, they should contact the creators of the ransomware for further explanation. After bitcoins are successfully delivered to the hackers, they are supposedly going to provide victims with a password to decrypt data. However, this is not the first time that such promises are made. Sadly, hackers frequently severely fail to implement them.

All of your files (documents, videos, photos, musics, pdfs, etc) have been encrypted with a strong military cryptography.
The only way you have to get your files back to you, is paying a fee of 0.4 bitcoins, which worth something about 300,00 USD.
You can buy bitcoins in various sites all over the web, like and various others. If you try to delete me or something funny,
I SWEAR I’ll blow up your whole files and you’re never going to see it again.
It’s serious!
You have 48 hours to pay me these bitcoins or you’ll never get to see yours files again! You’re warned!
Follow these steps in order to get your files back:
1 – Go to a Bitcoin exchange site and buy exactly 0.4 BTCs
1.1 – You can take a look at some of these sort of sites here:
2 – Send an email with your ID to [email protected]
3 – Wait for a email-reply with more instructions
3.1 – It may take about 6-8 hours, if it takes more than that, send the email again. FAAAST!
3.2 – Remember! You have only 48 hours, so you better hurry up!
4 – After following all the steps (including email reply steps), you’ll get the PASSWORD to decryption.
5 – Type the password in the indicated field
6 – Click on ‘Decrypt!’
7 – It’s done. Your files will be decrypted!
Your ID: [–—-]
Type the password here:

What could be done if I want to decrypt files that were corrupted by Guster ransomware?

Hackers will try to convince you that there is no better (or possible) way to decrypt files besides paying the demanded ransom. This is not entirely true, but people might be freaked out by the timer which will slowly count backwards until zero. We assume that the best thing to do is to remove this virus before the time runs out. You should reboot your device into a Safe Mode and delete the ransomware with a reliable anti-malware tool. Spyhunter or Malwarebytes can assist you in this task. However, before doing this, you should store the encrypted data in a backup location (USB flash drive or a CD) because we cannot guarantee that by deleting the payload, you won’t trigger a deletion of all encrypted data. In fact, it is helpful to store files in backup storages so ransomware viruses would not even pose a threat.

The path of a Guster ransomware: where does it begin?

Well, every ransomware is created by a hacker that wishes to make a profit. Guster virus is just the same. After the last finishing touches are put, virus is ready to be transmitted to the Internet users. There is a possibility that this ransomware might be spread with infectious letters, but it is yet undetermined whether that is the case. However, there is a great chance of a spam campaign, promoting Guster virus. Of course, there are more ways that a person can become infected with malware, like hackers gaining remote control over your device. As for spam letters, never open messages in your inboxes that are originating from unreliable sources.

How to recover Guster ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before Guster virus has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of Guster ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Guster virus. You can check other tools here.  

Step 3. Restore Guster ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Guster virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover Guster ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
Leave a Reply

Your email address will not be published. Required fields are marked *