Grt Ransomware

Grt Ransomware Description

Cybercriminals have created another ransomware variant based on the infamous Phobos Malware family. The threat is being tracked as the Grt Ransomware, and its disruptive capabilities allow it to lock numerous file types on breached devices. Affected users will not be able to bypass the threat's encryption without the proper decryption keys.

Whenever the Grt Ransomware locks a file, it drastically changes that file's original name. To be more precise, the threat first appends an ID string that has been generated for the specific device. Then, the Grt Ransomware adds an email address belonging to its operators. Finally, the encrypted files have a new file extension, '.grt', added to their names.

When all targeted file types have been processed, the threat delivers two ransom notes to its victims. The ransom-demanding message dropped inside a text file named 'info.txt' simply tells the impacted users to contact the cybercriminals by emailing one of two addresses: 'ghost@mm.st' and 'ghost@2-mail.com'.

The full ransom note is displayed via a file named 'info.hta'. Here, the threat actors state that they will only accept payments made using the Bitcoin cryptocurrency. They also reveal their willingness to unlock up to 5 files for free. However, the files chosen for decryption should be less than 4MB in total size and must not contain any important information.
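An added triage example (not from the original article or from any vendor tool): a Python scan that flags files matching the renaming scheme and the two ransom notes described above. The function names, the loose name match and the sample tree are assumptions made for illustration, since the article does not give the exact layout of the ID and address inside the renamed file.

```python
import os
import tempfile

EXTENSION = ".grt"  # indicators here are the ones named in the article
NOTE_NAMES = {"info.txt", "info.hta"}
CONTACTS = ("ghost@mm.st", "ghost@2-mail.com")


def classify(path):
    """Return 'encrypted', 'ransom_note' or None for one file."""
    name = os.path.basename(path).lower()
    # Delimiters around the ID and address are not given, so match loosely.
    if name.endswith(EXTENSION) and any(c in name for c in CONTACTS):
        return "encrypted"
    if name not in NOTE_NAMES:
        return None
    # 'info.txt' is a common benign name, so confirm by content.
    try:
        with open(path, "rb") as fh:
            head = fh.read(65536)
    except OSError:
        return None
    # Dropping NUL bytes lets one check cover UTF-8 and UTF-16 text.
    text = head.replace(b"\x00", b"").decode("latin-1").lower()
    return "ransom_note" if any(c in text for c in CONTACTS) else None


def scan(root):
    """Walk root and return matching relative paths grouped by kind."""
    hits = {"encrypted": [], "ransom_note": []}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(folder, fname)
            kind = classify(full)
            if kind:
                hits[kind].append(os.path.relpath(full, root))
    return {kind: sorted(paths) for kind, paths in hits.items()}


def demo():
    """Scan a constructed sample tree (file names and contents made up)."""
    samples = {"report.docx.CONSTRUCTED-ID.ghost@mm.st.grt": b"\x01",
               "info.txt": b"send e-mail to this address: ghost@mm.st",
               "notes.grt": b"unrelated file with a .grt ending"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)
```

Requiring an operator address in the name, and in the note body, keeps unrelated '.grt' files and ordinary 'info.txt' files out of the results.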

The full text of the ransom note is:

'All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail ghost@mm.st
Write this ID in the title of your message -
In case of no answer in 24 hours write us to this e-mail:ghost@2-mail.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

The message found inside Grt Ransomware's text file is:

'!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: ghost@mm.st.
If we don't answer in 24h., send e-mail to this address: ghost@2-mail.com'
