GTF Ransomware Description
Have you been locked out of your computer? Do your files have a strange new file extension you don’t recognize? If that extension is “.[email@example.com].GTF” then we’re sorry to say that your computer has been infected with Dharma ransomware, specifically the GTF strain.
This GTF ransomware will encrypt all of the personal documents and files on your computer that it can find. It deposits a ransom note on the computer and displays a warning message that informs victims how to restore their files. The message says that the files can only be recovered if the victim pays a ransom to the attacker in the form of a bitcoin payment.
The GTF ransom note text reads:
YOUR FILES ARE ENCRYPTED
Don’t worry, you can return all your files!
If you want to restore them, follow this link:email firstname.lastname@example.org
If you have not been answered via the link within 12 hours, write to us by e-mail:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
GTF Ransomware Cuts Off Access to Files
GTF Ransomware is a form of file-encrypting ransomware that prevents users from accessing the data on their computer, such as documents, pictures, and videos. It gives the files a new file extension after encrypting them. Victims are told that they have to pay a ransom to get a decryption key they can use to restore their files. If they don’t pay up, the information is lost forever or, even worse, sold on the black market. Hackers will make their money back one way or another.
GTF has been deployed against all versions of Windows from Windows 7 onwards. The virus hides inside other files and, once executed, scans the drives on the computer for data that it can encrypt and hold to ransom.
The ransomware is programmed to find files with certain extensions and then encrypt them. It primarily targets documents, images and videos. It appends the extension [email@example.com].GTF to each file so it can no longer be opened.
After the files have been encrypted and can’t be accessed, the ransomware will create the ransom note called “FILES ENCRYPTED”. The note is deposited in every folder with a locked file and on the desktop for good measure.
Last but not least, GTF will look for – and erase – shadow volume copies of your data. This removes any backups that you might have stored on the computer and is why it’s so important to keep external backups.
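A small triage helper, added here as an illustration and not part of the original write-up, that checks a file listing for the two indicators described above: the appended “[contact-email].GTF” extension and the “FILES ENCRYPTED” ransom note. The sample paths are constructed; the helper names (classify, triage, scan_tree) are this example’s own, and the listing of affected folders is what you would use to scope a restore from backup.

```python
import ntpath  # handles both "\" and "/" separators, so Windows paths work on any host
import os
import re
from collections import Counter

# The encrypted name keeps the original name and appends ".[contact-email].GTF".
GTF_SUFFIX = re.compile(r"^(?P<original>.+)\.\[(?P<contact>[^\]\s]+@[^\]\s]+)\]\.GTF$", re.IGNORECASE)
RANSOM_NOTE = "files encrypted"  # compared case-insensitively, any extension

def classify(name):
    """Return ("encrypted", contact_email), ("note", None) or (None, None) for one file name."""
    m = GTF_SUFFIX.match(name)
    if m:
        return "encrypted", m.group("contact").lower()
    if ntpath.splitext(name)[0].strip().lower() == RANSOM_NOTE:
        return "note", None
    return None, None

def triage(paths):
    """Count encrypted files per contact address and collect the folders holding notes and hits."""
    summary = {"encrypted": 0, "by_contact": Counter(), "note_dirs": set(), "hit_dirs": set()}
    for p in paths:
        kind, contact = classify(ntpath.basename(p))
        folder = ntpath.dirname(p)
        if kind == "encrypted":
            summary["encrypted"] += 1
            summary["by_contact"][contact] += 1
            summary["hit_dirs"].add(folder)
        elif kind == "note":
            summary["note_dirs"].add(folder)
    return summary

def scan_tree(root):
    """Walk a real directory tree (e.g. a mounted image) and triage every file in it."""
    return triage(os.path.join(dp, f) for dp, _, fs in os.walk(root) for f in fs)

# Constructed sample listing (not real victim data) in the shape the write-up describes.
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.[email@example.com].GTF",
    r"C:\Users\alice\Documents\FILES ENCRYPTED.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.[email@example.com].GTF",
    r"C:\Users\alice\Pictures\FILES ENCRYPTED.txt",
    r"C:\Users\alice\Desktop\FILES ENCRYPTED.txt",
    r"C:\Users\alice\Desktop\notes.txt",
]

if __name__ == "__main__":
    s = triage(SAMPLE)
    print(s["encrypted"], "encrypted files; contacts:", dict(s["by_contact"]))
    print("ransom notes in:", sorted(s["note_dirs"]))
    print("folders with encrypted files:", sorted(s["hit_dirs"]))
```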
How Did My Computer Get Infected?
GTF is primarily spread through email spam campaigns. The emails carry an attachment that users are encouraged to download and open. It is also spread through vulnerabilities in software and operating systems.
Cybercriminals send out emails designed to look like they come from official sources. For GTF, the hackers trick people into thinking that they have a message from a shipping company. The email says that the company tried to deliver a package but was unable to. It could also be a message about a shipment that someone made that hasn’t gone through. No matter the approach though, users are naturally curious and are tempted to open the attached file and learn more about what happened. As soon as they do, their computer is infected and the ransomware gets to work immediately.
GTF has also been seen to infect computers by exploiting vulnerabilities in software and operating systems. It gets in through browsers, third-party applications and, on occasion, through the operating system itself. That’s why it’s so important to install software updates when you can, as most of these updates are designed to patch such vulnerabilities.
What Can I Do?
The unfortunate news is that there is no way to recover your files yourself after they have been encrypted. The only people who could decrypt them are the cybercriminals, and there is no guarantee that they would hand over the key. You should never pay the ransom for this kind of attack.
At the time of writing there is no publicly available decryption tool, though security experts are constantly working to provide one, so you may be able to find a decryption tool released to the public. If not, your only option is to restore your files from a backup or use System Restore.
Watch out for suspicious emails and dubious downloads to prevent an infection. Prevention is always better than the cure with computer viruses, malware, and ransomware.