What is Gc47 Ransomware?
Malware researchers spotted a new ransomware infection Gc47 Ransomware on the 7th of March, 2017. There is no information about the developers of this malicious application available, but specialists are sure that it has been created on the basis of the source code of an open-source ransomware called Hidden Tear. It is one of these ransomware-type threats which slither onto computers with the intention of encrypting users’ personal files. The only reason it acts the way it does is to obtain money from users. Because of this, it scans the machine after the successful entrance and then encrypts files using the AES-256 encryption algorithm. Users can be sure that Gc47 Ransomware is inside their systems if they have noticed the message box “Error Code, <41362>” or “You need to upgrade your windows!” before finding all personal files encrypted. Even though this computer infection executes the command cmd.exe /C choice /C Y /N /D Y /T 1 & Del and deletes its own executable file once it finishes doing its main job, i.e. encrypting users’ files, it does not mean that users do not need to do anything. According to researchers at anti-spyware-101.com, a malicious file users have launched is still located in some kind of folder on the affected computer, so users need to find and delete it. It is a must to do that because it might be opened accidentally again. This would result in the encryption of personal data once more.
What does Gc47 Ransomware do?
After analyzing Gc47 Ransomware, researchers know that it was developed using Visual Studio 2013 (a program allowing developers to create their own software), and its project was called GC47_Ransomeware. On top of that, malware analysts know exactly how this ransomware infection works. First of all, there is no doubt that this malicious application starts encrypting users’ files after entering the computer successfully. The names of these encrypted files are not changed, but they all receive a new filename extension .Fuck_You which is placed next to their original filename extensions, e.g. file.jpg.Fuck_You. Judging from the long list of extensions Gc47 Ransomware encrypts, pictures, videos, documents, and other files will all be lost. Users who discover their files having new filename extensions should also be able to find new files on their computers: C.key, D.key, and READ_IT.txt. The first two files are used in the encryption process and, once this process is finished, are sent to the developer of Gc47 Ransomware using SMTP (Simple Mail Transfer Protocol). The .txt file does not participate in the encryption of files. It is dropped on Desktop after ransomware locks data, and it contains the short message:
Fuck_You was Encrypt your File
Send 50 USD BTC Address 14vY5z8fWzCj93YTwbGiLd6ansZNMJ2kC3
Then meet me
my email unixc47@gmail.com
The content of this file proves again that the main purpose of Gc47 Ransomware is to make users pay money. Do not transfer $50 in Bitcoins to 14vY5z8fWzCj93YTwbGiLd6ansZNMJ2kC3 by any means because it might be possible to decrypt files for free. Our researchers say that these two files C.key and D.key created on the computer might help users to get their data unlocked. They just need to be patient and wait for a special decryptor to be developed by specialists. Do not forget to delete the malicious file that can launch this ransomware infection again before taking action to get your files back.
Where does Gc47 Ransomware come from?
Probably, a number of users wonder how Gc47 Ransomware managed to enter their systems. Unfortunately, we have to upset them by saying that this ransomware infection entered their PCs thanks to them. Researchers have revealed that Gc47 Ransomware, just like similar file-encrypting threats, is mainly spread through spam emails. It does not end up on the computer the second a user opens such an email. In most cases, it squeezes through the gap and starts actively working on the system after a malicious attachment inside a spam email is opened by a user. Since users are the ones who do that, it is said that they contribute to the entrance of malware too. Do not let the history to repeat itself in the future – install a legitimate security application for ensuring the maximum protection of your PC and, please, stay away from spam emails you receive.
How do I delete Gc47 Ransomware?
Gc47 Ransomware deletes its executable file once it finishes encrypting users’ personal data, so your only job is to locate and delete the malicious recently opened file. It might be hiding anywhere on the computer, but its usual locations are these: %TEMP%, %USERPROFILE%\Downloads, and %USERPROFILE%\Desktop. Go to check them all! You should remove the ransom note (READ_IT.txt) together with the malicious file too, but make sure you keep C.key and D.key files even though they belong to Gc47 Ransomware because they might be your only chance to unlock the encrypted data when the decryption tool is released by experts specializing in cybersecurity.
Gc47 Ransomware manual removal instructions
- Open the Windows Explorer (Win+E).
- Go to delete the malicious file you have opened recently. Check these directories:
- %TEMP%
- %USERPROFILE%\Desktop
- %USERPROFILE%\Downloads
- Delete READ_IT.txt, which is a ransom note of Gc47 Ransomware, from Desktop.
- Empty the Recycle bin.
tested removal of Gc47 Ransomware*
0 Comments.