What is GarrantyDecrypt Ransomware
GarrantyDecrypt Ransomware has established itself in the ransomware category and has already cost its victims a fair amount of nerves and money. Like other ransomware, it infiltrates your computer and runs an encryption routine that scans your device and locks each file with a cipher that cannot be broken without the key. The first versions of this malware used the .garrantydecrypt, .decryptgarranty, .protected, .NOSTRO, .odin, .cosanostra, .cammora, .metan, .spyhunter, .tater and .zorin extensions. However, the encryption virus is constantly modified, and the suffixes change too. The most recent extensions used by GarrantyDecrypt Ransomware are .bigbosshorse, .heronpiston and .horsedeal. To illustrate, after encryption, 1.mp4 is renamed to 1.mp4.bigbosshorse (or one of the other extensions mentioned above). Unfortunately, manual attempts to unlock the data are hopeless. Once encryption is finished, a ransom note is created on the desktop notifying you that your data has been blocked. The ransomware has recently used a #Decryption#.txt file for its ransom note; here is the message from this file:
All your files have been ENCRYPTED!!!
Write to our ICQ hxxps://icq.im/bigbosshorse
Or contact us via jabber - bigbosshorse@xmpp.jp
Jabber client installation instructions:
Download the jabber (Pidgin) client from hxxps://pidgin.im/download/windows/
After installation, the Pidgin client will prompt you to create a new account.
Click - Add
In the -Protocol field, select XMPP
In -Username - come up with any name
In the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im
Create a password
At the bottom, put a tick -Create account
Click add
If you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data:
User
password
You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)
If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - hxxps://www.youtube.com/results?search_query=pidgin+jabber+install
If you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
tell your unique ID -
Then the ransomware developers offer to sell you a unique key that will supposedly restore access to the files. Payment is accepted only in Bitcoin. The ransomware's name also hints at the swindlers' "guarantee" of integrity, which they offer to prove by decrypting one file that you send them via the attached e-mail. But do not rush to pay the fee, because there is no guarantee that the extortionists will keep their promises. Instead, the best solution is to remove GarrantyDecrypt Ransomware from your computer and, where possible, recover the lost data from backup.
How GarrantyDecrypt Ransomware infected your computer
Ransomware and other malicious software are distributed through various infection channels such as e-mail spam, trojans and fake activation tools. E-mail spam, for instance, is used to deliver trojans disguised as attachments: Microsoft Office and PDF documents, executable files and JavaScript files. Once opened, the trojan installs itself on your device and starts a so-called malware chain, and ransomware is the most common payload on the trojan's list. GarrantyDecrypt Ransomware stops the following processes:
sqlwriter.exe, sqlbrowser.exe, sqlservr.exe, TNSLSNR.EXE, mysqld.exe, MsDtsSrvr.exe, sqlceip.exe, msmdsrv.exe, mpdwsvc.exe, fdlauncher.exe, Launchpad.exe, chrome.exe, oracle.exe, devenv.exe, PerfWatson2.exe, ServiceHub.Host, Node x86.exe, Node.exe, Microsoft VisualStudio, Web Host.exe, Lightshot.exe, netbeans64.exe, spnsrvnt.exe, sntlsrtsrvr.exe, w3wp.exe, TeamViewer_Service.exe, TeamViewer.exe, SecomSDK.exe, schedul2.exe, schedhlp.exe, adm_tray.exe, EXCEL.EXE, MSACCESS.EXE, OUTLOOK.EXE, POWERPNT.EXE, AnyDesk.exe, MicrosoftSqlServer, IntegrationServices, MasterServiceHost.exe, MicrosoftSqlServer, IntegrationServices, WorkerAgentServiceHost.exe
In addition, the virus removes the shadow copies of files in Windows using the command: delete shadows /all /quiet. On top of that, virus developers tend to abuse fake cracking tools used to bypass paid software: while promoting them as genuine activation tools, they hide trojans inside to infect your computer. To widen the circle of victims, the deceivers use other distribution channels such as peer-to-peer networks (e.g. torrents, eMule) and fake software updaters (e.g. for Adobe Flash Player). These are the main ways GarrantyDecrypt could get onto your computer. To remove it, follow the guide below.
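The two behaviours described above (stopping database, office and remote-access processes, then wiping shadow copies) are what a defender can alert on before the ransom note ever appears. The following Python script is an added example, not code from the original page or from any vendor: it runs simple detection logic over a few constructed process-creation events. It assumes telemetry such as Sysmon event 1 or an EDR equivalent exported as one JSON object per line with "host", "time", "image" and "cmdline" fields, and it assumes the processes are stopped via taskkill.exe; the field names, the taskkill method and the sample events are all assumptions, since the page only names the processes and the shadow-copy command.

```python
"""Added example: detect shadow-copy wiping and mass service termination
in process-creation telemetry. Not the page's or any vendor's code; the
JSON field names and the taskkill.exe kill method are assumptions."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the processes the page says the ransomware stops before encrypting.
TARGETED = {
    "sqlwriter.exe", "sqlservr.exe", "mysqld.exe", "oracle.exe", "msmdsrv.exe",
    "w3wp.exe", "excel.exe", "outlook.exe", "teamviewer.exe", "anydesk.exe",
    "chrome.exe",
}

# The shadow-copy wipe quoted on the page: "delete shadows /all /quiet".
SHADOW_WIPE = re.compile(r"delete\s+shadows\s+/all\s+/quiet", re.IGNORECASE)
# Image named by "taskkill /IM <name>" (assumed kill method).
TASKKILL_IM = re.compile(r'/im\s+"?([^\s"]+)', re.IGNORECASE)

# Constructed sample events, not real telemetry. ws01 shows the ransomware
# pattern; ws02 is an administrator closing a single browser.
SAMPLE_LOG = r"""
{"host": "ws01", "time": "2020-01-10T09:00:01", "image": "C:\\Windows\\System32\\taskkill.exe", "cmdline": "taskkill /F /IM sqlservr.exe"}
{"host": "ws01", "time": "2020-01-10T09:00:02", "image": "C:\\Windows\\System32\\taskkill.exe", "cmdline": "taskkill /F /IM sqlwriter.exe"}
{"host": "ws01", "time": "2020-01-10T09:00:03", "image": "C:\\Windows\\System32\\taskkill.exe", "cmdline": "taskkill /F /IM OUTLOOK.EXE"}
{"host": "ws01", "time": "2020-01-10T09:00:10", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"}
{"host": "ws02", "time": "2020-01-10T10:15:00", "image": "C:\\Windows\\System32\\taskkill.exe", "cmdline": "taskkill /IM chrome.exe"}
{"host": "ws02", "time": "2020-01-10T10:15:05", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad C:\\Users\\bob\\notes.txt"}
"""


def parse_events(lines):
    """Parse JSON-lines telemetry into dicts whose 'time' is a datetime."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return events


def detect(events, window=timedelta(minutes=5), min_kills=3):
    """Return (kind, host, detail) alerts.

    Any shadow-copy deletion is flagged outright; a host is flagged for
    mass termination when at least `min_kills` distinct targeted processes
    are killed within `window`. A single kill (ws02) stays below threshold.
    """
    alerts = []
    kills = defaultdict(list)  # host -> [(time, process)] in time order
    for ev in sorted(events, key=lambda e: e["time"]):
        cmd = ev["cmdline"]
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if SHADOW_WIPE.search(cmd):
            alerts.append(("shadow_copy_deletion", ev["host"], cmd))
        if image == "taskkill.exe":
            m = TASKKILL_IM.search(cmd)
            if m and m.group(1).lower() in TARGETED:
                kills[ev["host"]].append((ev["time"], m.group(1).lower()))
    for host, items in kills.items():
        for i, (start, _) in enumerate(items):
            hit = sorted({p for t, p in items[i:] if t - start <= window})
            if len(hit) >= min_kills:
                alerts.append(("mass_service_termination", host, hit))
                break
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for kind, host, detail in run_sample():
        print(f"{kind:26s} {host}  {detail}")
```

On the sample data, ws01 produces both alerts and ws02 none. The termination rule counts distinct process names inside a sliding window rather than raw event counts, so a script that repeatedly kills one process does not fire, while the burst of different database, mail and remote-access kills the page describes does.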
Download Removal Tool
To remove GarrantyDecrypt Ransomware completely, we recommend using Norton Antivirus from Symantec. It detects and removes all files, folders and registry keys of GarrantyDecrypt Ransomware and prevents future infections by similar viruses.
Alternative Removal Tool
To remove GarrantyDecrypt Ransomware completely, we recommend using SpyHunter 5. It detects and removes all files, folders and registry keys of GarrantyDecrypt Ransomware. The trial version of SpyHunter 5 offers a virus scan and one-time removal for free.
GarrantyDecrypt Ransomware files:
{randomfilename}.exe
#Decryption#.txt
$READ_ME$.txt
$HOWDECRYPT$.txt
#HOW TO DECRYPT#.txt
#HOW TO DECRYPT FILES#.txt
HOW_TO_RESTORE_YOUR_FILES.txt
#RECOVERY_FILES#.txt
GarrantyDecrypt Ransomware registry keys:
no information
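Before restoring anything, a responder usually wants to confirm the family and measure the scope: which extensions are present, how many files carry them, and where the ransom notes were dropped. The Python script below is an added example, not code from the original page or from any vendor. It walks a directory tree looking for the extensions and ransom-note file names listed on this page, and builds a small constructed victim-like tree in a temporary directory to run against; the sample file names and contents are constructed, not taken from a real infection.

```python
"""Added example: triage scan for the GarrantyDecrypt artefacts the page
lists (encrypted-file extensions and ransom-note names). Not the page's or
any vendor's code; the sample tree is constructed in a temp directory."""
import tempfile
from collections import Counter
from pathlib import Path

# Extensions listed on the page, lower-cased so matching is case-insensitive.
EXTENSIONS = {
    ".garrantydecrypt", ".decryptgarranty", ".protected", ".nostro", ".odin",
    ".cosanostra", ".cammora", ".metan", ".spyhunter", ".tater", ".zorin",
    ".bigbosshorse", ".heronpiston", ".horsedeal",
}
# Ransom-note file names listed on the page.
NOTE_NAMES = {
    "#Decryption#.txt", "$READ_ME$.txt", "$HOWDECRYPT$.txt",
    "#HOW TO DECRYPT#.txt", "#HOW TO DECRYPT FILES#.txt",
    "HOW_TO_RESTORE_YOUR_FILES.txt", "#RECOVERY_FILES#.txt",
}


def scan(root):
    """Walk `root` and report encrypted files, per-extension counts, the
    original names (extension stripped) to look up in backup, and notes.
    Paths are returned relative to root in POSIX form, sorted."""
    root = Path(root)
    result = {"encrypted": [], "by_extension": Counter(),
              "original_names": [], "notes": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if path.name in NOTE_NAMES:
            result["notes"].append(rel)
        elif ext in EXTENSIONS:
            result["encrypted"].append(rel)
            result["by_extension"][ext] += 1
            # "1.mp4.bigbosshorse" -> "1.mp4": the name to restore from backup
            result["original_names"].append(path.stem)
    for key in ("encrypted", "original_names", "notes"):
        result[key].sort()
    result["by_extension"] = dict(result["by_extension"])
    return result


def build_sample_tree(base):
    """Write a small constructed victim-like tree (sample data, not real)."""
    files = {
        "Documents/report.docx.bigbosshorse": b"\x00ciphertext",
        "Documents/budget.xlsx.BigBossHorse": b"\x00ciphertext",  # case differs
        "Videos/1.mp4.horsedeal": b"\x00ciphertext",
        "Documents/#Decryption#.txt": b"All your files have been ENCRYPTED!!!",
        "Desktop/#Decryption#.txt": b"All your files have been ENCRYPTED!!!",
        "Documents/notes.txt": b"untouched",
        "Pictures/photo.jpg.bak": b"untouched; .bak is not a listed extension",
    }
    for rel, data in files.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def scan_sample():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    report = scan_sample()
    print("by extension:", report["by_extension"])
    print("ransom notes:", report["notes"])
    print("restore from backup:", report["original_names"])
```

Point `scan()` at a mounted image or a mapped share rather than the live victim disk where possible, and treat the report as read-only evidence: the extension counts tell you whether one or several variants were involved, and the stripped original names are the list to check against your backups before deciding whether a decryptor is even needed.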
How to decrypt and restore .bigbosshorse, .heronpiston or .horsedeal files
Use automated decryptors
Use the following tool from Kaspersky, called Rakhni Decryptor, which can decrypt .bigbosshorse, .heronpiston or .horsedeal files. Download it here:
There is no point in paying the ransom: there is no guarantee you will receive the key, and you will put your bank credentials at risk.
Dr.Web Rescue Pack
The well-known antivirus vendor Dr.Web provides a free decryption service for owners of its products Dr.Web Security Space and Dr.Web Enterprise Security Suite. Other users can ask for help decrypting .bigbosshorse, .heronpiston or .horsedeal files by uploading samples to the Dr.Web Ransomware Decryption Service. Analysis of the files is performed free of charge; if the files turn out to be decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don't have to pay.
If you are infected with GarrantyDecrypt Ransomware and have removed it from your computer, you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to recover them manually, you can do the following:
Use Stellar Data Recovery Professional to restore .bigbosshorse, .heronpiston or .horsedeal files
- Download Stellar Data Recovery Professional.
- Click Recover Data button.
- Select type of files you want to restore and click Next button.
- Choose location where you would like to restore files from and click Scan button.
- Preview found files, choose ones you will restore and click Recover.
Using Windows Previous Versions option:
- Right-click on infected file and choose Properties.
- Select Previous Versions tab.
- Choose particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- If there are no items in the list, choose an alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it and you will see a screen listing all the drives and the dates on which shadow copies were created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- If there are no other dates in the list, choose an alternative method.
If you are using Dropbox:
- Log in to the Dropbox website and go to the folder that contains the encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect your computer from viruses like GarrantyDecrypt Ransomware in the future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
The well-known antivirus brand ZoneAlarm by Check Point has released a comprehensive tool that provides active anti-ransomware protection as an additional shield alongside your current protection. The tool provides zero-day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls and security software except ZoneAlarm Extreme (which already ships with ZoneAlarm Anti-Ransomware) and Check Point Endpoint products. The killer features of this application are automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, and file protection that detects and blocks even unknown encryptors.
2. Back up your files
As an additional way to save your files, we recommend online backup. Local storage such as hard drives, SSDs, flash drives or remote network storage can be infected by the virus as soon as it is plugged in or connected, and GarrantyDecrypt Ransomware uses techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most favourable terms and a simple interface. You can read more about iDrive cloud backup and storage here.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.