GPCode Ransomware

What is GPCode Ransomware?

GPCode Ransomware behaves much like existing file-encrypting ransomware infections; however, unlike the majority of older threats, it primarily targets Windows Servers. Once this infection is inside the system, it starts encrypting files immediately. It affects files located in different directories on the computer, but, luckily, it leaves the %WINDIR% directory containing system files alone. This means that the OS running on the computer will not be ruined. Even though you can still reach your Desktop, you will find your programs and browsers (Mozilla Firefox and Google Chrome) encrypted alongside your personal data. Unfortunately, GPCode Ransomware uses a strong encryption algorithm (AES for personal files and RSA for the key), so it will be impossible to unlock those files without paying money to cyber criminals. Yes, you will be asked to pay a ransom after sending an email to the address given in the ransom note, which is left on the Desktop, in folders containing encrypted files, and in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (the ransom note is placed there so that it opens automatically for users when the system starts). Specialists are strictly against payments to cyber criminals; however, if you have a different opinion about that, you should know that you will still have to remove GPCode Ransomware from the system after making a payment because it will not be deleted automatically.

What does GPCode Ransomware do?

Just like other malicious applications that have been categorized as ransomware, GPCode Ransomware encrypts users’ files right after the successful infiltration. A file is encrypted if it has the filename extension .LOL!. According to some users, they see the new filename extension .OMG! appended, so it is very likely that this ransomware infection can add either of these extensions to the files it locks. As mentioned in the first paragraph, this malicious application locks all files, including pictures, music, images, etc., except those located in the directory belonging to the operating system. In the middle of the encryption process, a text file (how to get data.txt) is created on the computer. It tells users to send 1-2 encrypted files whose size is less than 5 MB to the provided email address. These one or two files should be unlocked for free by cyber criminals to show users that they are really capable of doing that. Also, users who decide to contact the hackers behind GPCode Ransomware should receive instructions from them. These instructions should help them make a payment. Researchers have a strong opinion about those payments. Specialists say that this might be the only way to get personal files back, but nobody can guarantee that the decryption tool will be sent to you, so you should not hand your money to cyber crooks. What you can do instead is recover your data from a backup. Unfortunately, it will be impossible to do that if a backup does not exist, which shows again that it is very important to have files backed up.

Where does GPCode Ransomware come from?

Research has found two ways this ransomware infection is distributed. First, it might illegally get on computers through OS or RDP (Remote Desktop Protocol) exploits. Second, it might come as an attachment in spam emails. It is not always easy to prevent threats from entering the computer because they are very sneaky and hardly noticeable. Therefore, security specialists suggest installing a reputable security application. Do this as soon as you remove GPCode Ransomware from your PC so that another similar threat cannot sneak onto the system again.

How to delete GPCode Ransomware

It is very likely that your security tool has been encrypted by GPCode Ransomware as well. If that is the case, you will have to delete the ransomware infection manually or use another automatic malware remover, e.g. SpyHunter. The automatic method is quicker and easier than the manual one, but if you still decide to erase this infection yourself, let our manual removal guide (see below) show you the way.

Remove GPCode Ransomware manually

  1. Tap Win+E.
  2. Type %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup in the box at the top.
  3. Remove how to get data.txt from this directory.
  4. Delete ransom notes left by GPCode Ransomware from other directories.
  5. Locate and delete the malicious file you have launched.
  6. Empty the Recycle bin.
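
The following PowerShell script is an added example, not part of the original guide: it lists every copy of how to get data.txt and every file with the .LOL! or .OMG! extension outside %WINDIR%, so that steps 3 and 4 can be checked for completeness. The scan root, the variable names and the earliest-write-time heuristic are assumptions; the script only reads and deletes nothing.

```powershell
# Added example: read-only inventory of the GPCode artifacts this page names.
# Assumptions: scan root, variable names, and the earliest-write-time heuristic.
param(
    [string[]]$Roots = @("$env:SystemDrive\")   # pass data volumes here as well
)

$noteName   = 'how to get data.txt'             # ransom note file name from the page
$extensions = @('.LOL!', '.OMG!')               # extensions the page says are appended
$winDir     = $env:WINDIR.TrimEnd('\') + '\'    # page: this tree is left unencrypted
# Startup folder of the account running the script; other profiles have their own.
$startup    = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'

$findings = foreach ($root in $Roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.FullName.StartsWith($winDir, [System.StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object {
            $kind = $null
            if ($_.Name -ieq $noteName) {
                $kind = 'RansomNote'
            } elseif ($extensions -contains $_.Extension) {
                $kind = 'EncryptedFile'
            }
            if ($kind) {
                [pscustomobject]@{
                    Kind          = $kind
                    InStartup     = ($_.DirectoryName -ieq $startup)
                    LastWriteTime = $_.LastWriteTime
                    Path          = $_.FullName
                }
            }
        }
}

# Ransom notes: the files that steps 3 and 4 of the guide remove.
$findings | Where-Object Kind -eq 'RansomNote' | Sort-Object Path |
    Format-Table -AutoSize InStartup, Path

# Encrypted files counted per directory, to plan restoration from backup.
$findings | Where-Object Kind -eq 'EncryptedFile' |
    Group-Object { Split-Path $_.Path -Parent } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize Count, Name

# Heuristic: the earliest write time among encrypted files approximates when
# encryption began, which narrows the search for the launched file (step 5).
$first = $findings | Where-Object Kind -eq 'EncryptedFile' |
    Sort-Object LastWriteTime | Select-Object -First 1
if ($first) { "Earliest encrypted file: $($first.LastWriteTime)  $($first.Path)" }
```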

It is very likely that GPCode Ransomware is not the only infection doing various activities behind your back, so it is highly recommended to scan the computer with an automatic scanner right after the manual deletion of this ransomware.
