Ghost Ransomware

Ghost Ransomware Description

The Ghost Ransomware is an encryption ransomware Trojan that first appeared on November 17, 2018. The Ghost Ransomware is typically delivered to victims via corrupted spam email attachments. Once the Ghost Ransomware has been installed onto the victim's computer, it is designed to take the victim's files hostage. The Ghost Ransomware is not very different from the majority of encryption ransomware Trojans, all of which carry out a similar tactic.

How the Ghost Ransomware Attack Works

The victims of the Ghost Ransomware will receive a PDF or DOCX email attachment that uses embedded macro scripts to download and install the Ghost Ransomware onto the victim's computer. Once installed, the Ghost Ransomware uses AES and RSA encryption to make the victim's files inaccessible and demands a ransom payment of approximately 360 USD from the victim through a ransom note. The Ghost Ransomware marks each targeted file by adding the file extension '.Ghost' to the file's name. The following are examples of the types of files that threats like the Ghost Ransomware target in these attacks:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

Once the Ghost Ransomware has encrypted the victim's files, it delivers its ransom note in a program window named 'Ghost' that displays the following message on the victim's computer:

'All your files have been encrypted. but don't worry. I have not deleted them yet. To desencrypt them. you have to pay 0.08116 bitcoin to following address:
h[tt]ps://blockchain[.]info/payment_reguest9 address=1N7AmgH12EN3yAkVMPB5rZoVX758jgLbzjaamount_local=5008currency=USD8nosa vecurrency=true8message=Pay%20me!
Them, send a mail to with your CODE ID.
I'm sorry for the inconvenience caused.'

Protecting Your Data from Threats Like the Ghost Ransomware

If your data has been compromised by a Ghost Ransomware attack, you can remove the Ghost Ransomware threat itself with a reliable security program. Unfortunately, once the Ghost Ransomware has finished encrypting the files, they cannot be recovered without the decryption key. Computer users should therefore keep backup copies of all of their files, since any file compromised by the Ghost Ransomware can be restored by replacing it with a backup copy. If you are willing to pay the ransom that the criminals behind the Ghost Ransomware demand, remember that paying only enables these criminals to continue demanding ransom payments, distributing the Ghost Ransomware, and updating this threat or creating new variants. Apart from file backups and a reliable security program, computer users should learn the tactics used to distribute the Ghost Ransomware, particularly spam email attachments, so that they can recognize them and prevent these threats from being installed in the first place.

Technical Information

File System Details

Ghost Ransomware creates the following file(s):
#  File Name      Size     MD5                               Detection Count
1  file.exe       651,264  cd0f7f29e337f2ebe455ba4a85fb2b70  2
2  file.dll       11,776   5db40b7c42376cc077383069a9c509eb  0
3  GhostFile.dll  17,408   464da6c4465816cba2d278634e2b9d3e  0
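
A triage sweep built from the indicators on this page, as an added example (not code from this page or from any security product): it lists files carrying the '.Ghost' marker, counts which original extensions sit under the marker, and hashes size-matching files against the three MD5s in the table above. The function names, the reading of the Size column as bytes, and the constructed sample tree in demo() are assumptions.

```python
import hashlib
import os
import tempfile
from collections import Counter

# MD5 -> (name, size) as listed in this page's file table; sizes assumed to be bytes.
PAGE_MD5S = {
    "cd0f7f29e337f2ebe455ba4a85fb2b70": ("file.exe", 651264),
    "5db40b7c42376cc077383069a9c509eb": ("file.dll", 11776),
    "464da6c4465816cba2d278634e2b9d3e": ("GhostFile.dll", 17408),
}
LISTED_SIZES = {size for _name, size in PAGE_MD5S.values()}
MARKER = ".ghost"  # page: '.Ghost' is added to the file's name; compared case-insensitively

def md5_of(path, chunk=1 << 20):
    h = hashlib.md5()  # MD5 only because that is what the page publishes
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(root):
    """Return (hash_hits, marked_files, counts of the extension under the marker)."""
    hash_hits, marked, under = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            if ext.lower() == MARKER:
                marked.append(path)
                under[os.path.splitext(stem)[1].lower() or "(none)"] += 1
                continue
            try:
                if os.path.getsize(path) in LISTED_SIZES:  # hash only size matches
                    digest = md5_of(path)
                    if digest in PAGE_MD5S:
                        hash_hits.append((path, PAGE_MD5S[digest][0]))
            except OSError:
                continue  # unreadable or locked file: skip it and keep sweeping
    return hash_hits, marked, under

def demo():
    # Constructed sample tree: two marked files, one clean file, one size-only match.
    with tempfile.TemporaryDirectory() as root:
        for name, size in [("report.docx.Ghost", 10), ("photo.JPG.ghost", 10),
                           ("notes.txt", 10), ("file.dll", 11776)]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"\0" * size)
        hits, marked, under = sweep(root)
        return hits, sorted(os.path.basename(p) for p in marked), dict(under)
```

The count of marked files by underlying extension gives a quick view of what has to be restored from backup; a size-only match such as the constructed file.dll is hashed and then discarded because its MD5 differs.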

Registry Details

Ghost Ransomware creates the following registry entry or registry entries:
