GhostCrypt (.Z81928819) Help & Support Topic - READ_THIS_FILE.txt


#1 Demonslay335 (Ransomware Hunter)

Posted 16 May 2016 - 12:13 PM

A "new" ransomware has been stumbled upon by xXToffeeXx and Fabian Wosar, dubbed GhostCrypt. It also appears this was discovered by malware analyst JaromirHorejsi in February. This is another variant of the famed HiddenTear project.
The ransom note presented to victims masquerades as CryptoLocker, with the following message in READ_THIS_FILE.txt on the user's desktop.

Files have been encrypted by CryptoLocker.
In order to get hands on your files again and decrypt them you must pay 2 BTC (Bitcoin).
You must complete the following steps:
1. Android users must download the application called Bitcoin Wallet. iOS users must download the application called Copay.
2. After you register and receive a Bitcoin account you must buy 2 BTC (BitCoins) in order to load your account.
3. You must than send the BitCoins bought to one of the following accounts.
1. 19YWTHeSf1c4a2j1YNPTb3VCJn5ee21GRX
2. 1546jBPBRnR4NVrCZzVm7NtaH8FMQEy9mQ
Once we will receive the payment the decryption key will be issued to you and your files will be decrypted.
For more information please visit: https://goo.gl/wDhp4J

All attached drive letters are traversed. The following extensions are encrypted with AES-256, and have the extension ".Z81928819" appended to them.

.asp, .aspx, .avi, .bk, .bmp, .css, .csv, .divx, .doc, .docx, .eml, .htm, .html, .index, .jpeg, .jpg, .lnk, .mdb, .mkv, .mov, .mp3, .mp4, .mpeg, .msg, .odt, .ogg, .pdf, .php, .png, .ppt, .pptx, .psd, .rar, .sln, .sql, .txt, .wav, .wma, .wmv, .xls, .xlsx, .xml, .zip

If you or someone you know has been affected by this ransomware, please post here, and do not pay the ransom.
Decrypter available here:


Please note, the password for the zip file is "false-positive". This is a temporary response to false positives being triggered by Google SafeBrowsing and antivirus.

Edited by Demonslay335, 17 January 2017 - 06:48 PM.

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
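As an added triage example (my own script, not Demonslay335's decrypter and not part of the original post), the following walks a directory tree for the two indicators the post gives: files carrying the appended ".Z81928819" extension, grouped by the extension they had before encryption, and READ_THIS_FILE.txt notes whose text begins with the quoted first line. The directory tree it scans is constructed inline as sample data, so it runs offline without any sample of the malware.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".Z81928819"        # extension GhostCrypt appends (from the post)
NOTE_NAME = "READ_THIS_FILE.txt"    # ransom note filename (from the post)
NOTE_MARKER = "Files have been encrypted by CryptoLocker."  # first line of the note

def scan_tree(root):
    """Collect GhostCrypt indicators under `root`: encrypted files (grouped by
    their pre-encryption extension) and ransom notes whose text matches."""
    encrypted, notes, by_orig_ext = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name.endswith(ENCRYPTED_EXT):
                # strip the appended extension to recover the original one
                orig = Path(name[:-len(ENCRYPTED_EXT)]).suffix.lower() or "(none)"
                by_orig_ext[orig] += 1
                encrypted.append(rel)
            elif name == NOTE_NAME:
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    continue  # unreadable note: skip it rather than abort the scan
                if NOTE_MARKER in text:
                    notes.append(rel)
    return {"encrypted": sorted(encrypted), "by_orig_ext": dict(by_orig_ext),
            "notes": sorted(notes)}

def build_sample(root):
    """Constructed sample tree mimicking the post's description; not a real infection."""
    root = Path(root)
    (root / "docs").mkdir(exist_ok=True)
    for rel in ("docs/report.docx", "docs/budget.xlsx", "photo.jpg", "notes.txt"):
        (root / (rel + ENCRYPTED_EXT)).write_bytes(b"\x00" * 32)
    (root / "untouched.exe").write_bytes(b"MZ")  # .exe is not in the targeted list
    (root / NOTE_NAME).write_text(NOTE_MARKER + "\nIn order to get hands on your files...\n")
    (root / "docs" / NOTE_NAME).write_text("unrelated text")  # same name, no marker

def demo():
    """Build the sample tree in a temp dir and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point scan_tree at a real drive root to get a quick count of affected files per original extension before running the decrypter, and to confirm the note text matches this family rather than real CryptoLocker.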
