
Gpay Ransomware

The Gpay Ransomware is a threatening piece of malware that can cripple any computer it manages to infect. The threat employs a strong encryption process that renders the files stored on the breached device both inaccessible and unusable. Victims are then extorted for money in exchange for the decryption key and software from the cybercriminals.

Each file locked by the Gpay Ransomware has its name modified by the addition of '.gpay' as a new extension. The ransom note is then dropped on the device as a file named '!!!HOW_TO_DECRYPT!!!.mht'. A copy of the ransom-bearing file is created in every folder containing encrypted data.
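A triage example built on the two file-system indicators described above, added here and not taken from the original entry or from any vendor tool: it walks a directory tree and reports, per folder, how many '.gpay' files are present, whether the ransom note sits beside them, and which original file types were hit. The function names, the case-insensitive matching and the sample tree are assumptions constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".gpay"                  # extension named on this page
NOTE_NAME = "!!!HOW_TO_DECRYPT!!!.mht"   # ransom note name from this page


def triage(root):
    """Walk root and return one record per folder that holds Gpay artifacts."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        # Case-insensitive comparison is an assumption made for robustness.
        locked = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        has_note = any(f.lower() == NOTE_NAME.lower() for f in files)
        if not locked and not has_note:
            continue
        # The extension is appended, so stripping it shows the original type.
        original_types = Counter(
            os.path.splitext(f[: -len(ENCRYPTED_EXT)])[1].lower() or "(none)"
            for f in locked
        )
        findings.append({
            "folder": os.path.relpath(folder, root),
            "locked": len(locked),
            "note": has_note,
            "types": dict(original_types),
        })
    return sorted(findings, key=lambda r: r["folder"])


def build_sample_tree(root):
    """Constructed sample data: empty placeholder files, no real content."""
    layout = {
        "finance": ["q1.xlsx.gpay", "q2.xlsx.gpay", NOTE_NAME],
        "docs": ["readme.txt"],        # untouched folder, must not be reported
        "db": ["crm.bak.GPAY"],        # locked file without a note beside it
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            open(os.path.join(root, sub, name), "w").close()


def demo():
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A folder that holds locked files but no note, or a note but no locked files, is flagged separately by the `note` and `locked` fields, since it departs from the one-note-per-encrypted-folder behaviour described above.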

The instructions from the hackers state that the Gpay Ransomware uses a combination of three different cryptographic algorithms and ciphers: AES-256, RSA-2048, and CHACHA. To demonstrate their ability to decrypt the locked data, the hackers promise to decrypt up to three small files for free. Victims of the Gpay Ransomware are told to establish communication by sending a message to both of the email addresses provided in the note, 'gsupp@jitjat.org' and 'gdata@msgden.com'. The Gpay Ransomware hackers claim to have collected information from the breached system. If they do not receive a message from the victims within 72 hours, the criminals threaten to sell the data to interested third parties, as well as contact the victim's customers and partners.

The full text of the ransom note is:

'All your valiable data has been encrypted!

Hello!
Sorry, but we have inform you that your order has been blocked due to the issue of securities. Make sure your data is not blocked. All your valuable files were encrypted with strong encryption algorithms AES-256 + RSA-2048 + CHACHA and renamed. You can read about these algorithms in Google. Your unique encryption key is stored securely on our server and your data can be decrypted quickly and securely.

We can prove that we can decrypt all of your data. Please just send us 3 small encrypted files which are randomly stored on your server. We will decrypt these files and send them to you as a proof. Please note that files for free test decryption should not contain valuable information.

As you know information is the most valuable resource in the world. That's why all of your confidential data was uploaded to our servers. If you need proof, just write us and we will show you that we have your files. If you will not start a dialogue with us in 72 hours we will be forced to publish your files in the Darknet. Your customers and partners will be informed about the data leak by email or phone.

This way, your reputation will be ruined. If you will not react, we will be forced to sell the most important information such as databases to interested parties to generate some profit.

Please understand that we are just doing our job. We don't want to harm your company. Think of this incident as an opportunity to improve your security. We are opened for dialogue and ready to help you. We are professionals, please don't try to fool us.

If you want to resolve this situation,
please write to ALL of these 2 email addresses:
gsupp@jitjat.org
gdata@msgden.com
In subject line please write your ID: -

Important!

  • We asking to send your message to ALL of our 2 email adresses because for various reasons, your email may not be delivered.
  • Our message may be recognized as spam, so be sure to check the spam folder.
  • If we do not respond to you within 24 hours, write to us from another email address. Use Gmail, Yahoo, Hotmail, or any other well-known email service.
    Important
  • Please don't waste the time, it will result only additinal damage to your company!
  • Please do not try to decrypt the files yourself. We will not be able to help you if files will be modified.'
