GX40 Ransomware
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
| Metric | Value |
|---|---|
| Threat Level | 80 % (High) |
| Infected Computers | 19 |
| First Seen | April 4, 2017 |
| Last Seen | April 26, 2020 |
| OS(es) Affected | Windows |
The GX40 Ransomware appears to have been developed by a group calling themselves the 'Ambarawa Cyber Army.' The name may refer to Ambarawa, a small town in Indonesia; the group uses a logo that includes a locomotive, since railways are an important part of that town. Malware researchers have observed various threats and hacking tools created by this group, including keyloggers and password-stealing threats. In April 2017, security experts reported the GX40 Ransomware, an encryption ransomware Trojan disguised as a security testing program for PayPal accounts named 'GX40 - PayPal Validator.' Computer users who ran this program to 'test' a PayPal account would find that the GX40 Ransomware had encrypted their files and was demanding a large ransom.
A 'Useful' Tool Turned to Undeserved Earnings
The GX40 Ransomware was first offered as a PayPal penetration tool. Programs of this kind, supposedly used to 'test' PayPal accounts, are in practice abused by con artists attempting to compromise PayPal accounts. The people who downloaded this program as a file named 'GX40 - PayPal Validator.exe' and ran it therefore installed the GX40 Ransomware on their own computers. This ransomware Trojan takes about one hour to encrypt its victim's files, displaying a progress bar labeled 'penetration tester' during its attack. The GX40 Ransomware encrypts a wide variety of file types on all local disks and, as it does so, renames each affected file by appending the extension '.encrypted' to the end of its name.
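As an added illustration (not code from the original page or from EnigmaSoft), the following Python script performs the first incident-response step against the behaviour described above: it inventories files carrying the '.encrypted' suffix, recovers their original names, and checks which of them a backup copy can restore. The directory layout, file names and backup tree it builds are constructed sample data.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

GX40_SUFFIX = ".encrypted"  # marker the page says GX40 appends to every encrypted file name

def find_encrypted(root):
    """Return every file under `root` whose name carries the GX40 suffix."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [Path(dirpath) / n for n in files if n.lower().endswith(GX40_SUFFIX)]
    return sorted(hits)

def original_name(path):
    """Strip the appended suffix to recover the name the file had before the attack."""
    return path.with_name(path.name[: -len(GX40_SUFFIX)])

def triage(root):
    """Inventory affected files and group them by their original extension."""
    root, hits = Path(root), find_encrypted(root)
    by_ext = Counter(original_name(p).suffix.lower() or "(no extension)" for p in hits)
    return {"count": len(hits), "by_ext": dict(by_ext),
            "originals": [original_name(p).relative_to(root).as_posix() for p in hits]}

def plan_restore(root, backup_root):
    """Match each affected file against a backup tree: (restorable, missing) relative paths."""
    root, backup_root, restorable, missing = Path(root), Path(backup_root), [], []
    for p in find_encrypted(root):
        rel = original_name(p).relative_to(root)
        (restorable if (backup_root / rel).is_file() else missing).append(rel.as_posix())
    return restorable, missing

def build_sample():
    """Constructed sample trees (not real victim data): an affected tree and a partial backup."""
    root = Path(tempfile.mkdtemp(prefix="gx40_victim_"))
    backup = Path(tempfile.mkdtemp(prefix="gx40_backup_"))
    (root / "docs").mkdir()
    (backup / "docs").mkdir()
    for rel in ("docs/report.docx.encrypted", "docs/budget.xlsx.encrypted",
                "photo.jpg.encrypted", "notes.encrypted", "untouched.txt"):
        (root / rel).write_bytes(b"constructed content")
    for rel in ("docs/report.docx", "photo.jpg"):  # backup lacks budget.xlsx and notes
        (backup / rel).write_bytes(b"constructed backup copy")
    return root, backup
```

Running `triage` and `plan_restore` on the trees returned by `build_sample()` shows four affected files, of which only the two present in the backup can be restored without the attacker's key.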
After encrypting the victim's files, the GX40 Ransomware displays its ransom demands on the victim's computer. The first ransom message includes a logo of a pirate with a sword and reads as follows:
'YOUR FILE HAS ENCRYPTE
the GX40 Ransomware
All of your important files has been encrypted by Ransomware
OPEN NOTICE
GX40 Ransomeware
Contact me to make payment and make sure to attach yor identifier
GX40@YAHOO.COM
IDENTIFIER: [RANDOM CHARACTERS] COPY
[TEXT BOX] RESTORE'
Clicking on the button 'OPEN NOTICE' included in this ransom note displays the following ransom note, which includes more detail about the attack:
'NOTICE
by : GX40
All Your Personal Files Are Encrypted
All your data (photos, documents, and other files) have been encrypted with a private and unique key generated fot this computer. It means that you will not be able to access your files anymore until they're decrypted. The private key is stored in our servers and the only way to receive your key to decrypt your files is making a payment.
The payment has to be done in Bitcoint to a unique address that we generated for you. Bitcoins are a virtual currency to make online payments. IF you don't know to get Bitcoins, you can google "HOW TO BUY BITCINS" and follow the instructions.
YOU ONLY HAVE 2 DAYS TO SUBMIT THE PAYMENT! When the provided time ends, the payment will increase to $80. Also, if you dont pay in 7 days, your unique key wil be destroyed and you wont be able to recover your files anymore.
To recover your files and unlock your computer, you mush send 0.07214 BTC or 80 USD, to the next Bitcoin address : 12EN79yZyZpEvfnQPHUqyhEtrWU4W3UrDn
WARNING!
DO NOT TRY GET RID OF THIS PROGRAM YOURSELF. ANY ACTION TAKEN WILL RESULT IN DECRYPTION KEY BEING DESTROYED. YOU WILL LOSE YOUR FILES FOREVER. ONLY WAY TO KEEP YOUR FILES IS TO FOLLOW THE INSTRUCTIONS.'
Dealing with the GX40 Ransomware Trojan
Since the victims of the GX40 Ransomware attack were most likely trying to compromise other computer users' PayPal accounts, one could argue that the infection is well deserved. However, one harmful act does not justify another. Malware researchers advise computer users to protect themselves from GX40 Ransomware attacks by using a security program and keeping backups of all their files. Backups protect computer users from these attacks by allowing them to recover their files quickly after an attack.