While analyzing malware samples submitted to VirusTotal, I discovered the Gazp ransomware, a member of the STOP/Djvu ransomware family, which encrypts files and appends the ".gazp" extension to their original filenames. For example, a file originally named "1.jpg" is renamed "1.jpg.gazp", and "2.doc" becomes "2.doc.gazp".
GAZP
GAZP virus is ransomware from the DJVU/STOP family. Its primary purpose is to encrypt files that are important to you; it then demands a ransom of $490 to $980 in Bitcoin from its victims.
I have compiled an extensive list of potential solutions, tips, and best practices to neutralize the Gazp virus and recover encrypted files. Depending on the circumstances, file recovery may be either straightforward or impossible.
The Gazp ransomware employs a unique key for each victim, with one exception:
- If Gazp fails to connect to its command-and-control (C&C) server before it starts encrypting, it falls back to the offline key. That key is shared among all victims infected by the same variant, which is why files encrypted with it can sometimes be decrypted once the key becomes known.
What is Gazp virus?
It is correctly identified as a STOP/DJVU ransomware-type infection.
The Gazp ransomware is malware that encrypts your documents and then demands payment to get them back. The table below summarizes how the ".gazp" infection presents itself:
| Name | Gazp Virus |
|---|---|
| Ransomware family | DJVU/STOP ransomware |
| Extension | .gazp |
| Ransom note | _readme.txt |
| Ransom | From $490 to $980 (in Bitcoin) |
| Contact | [email protected], [email protected] |
| Detection | Win32.Virlock.Gen.4, NSIS/Injector.MK, Generic.Trojan.Malicious.DDS |
| Symptoms | Files renamed with the .gazp extension and no longer open; _readme.txt ransom note dropped |
The ransom note, _readme.txt (STOP/DJVU ransomware), is the alert demanding that the victim pay for the decryption key to get the encoded data back; its full text is quoted further down.
Gazp ransomware arrives as a set of processes that perform different tasks on the victim's computer. One of the first to launch is winupdate.exe, a deceptive process that displays a fake Windows update prompt during the attack, so that the victim attributes the sudden system slowdown to an update. Meanwhile the ransomware runs another process (usually named with four random characters) that scans the system for target files and encrypts them. Next, the ransomware deletes Volume Shadow Copies with the following command:
vssadmin.exe Delete Shadows /All /Quiet
Once the shadow copies are deleted, the previous system state can no longer be restored from System Restore points or "Previous Versions"; the operators remove every built-in Windows mechanism that could help the victim recover files for free. In addition, the crooks modify the Windows HOSTS file, adding a list of domains mapped to a local (loopback or unspecified) address, so the browser fails to load those sites (shown as an error such as DNS_PROBE_FINISHED_NXDOMAIN or a refused connection).
We noticed that the ransomware blocks websites that publish how-to guides for computer users. By restricting those domains, the crooks evidently try to prevent the victim from reaching helpful information about the attack online. The virus also saves two text files on the victim's computer with attack-related details, the victim's public encryption key and personal ID, named bowsakkdestx.txt and PersonalID.txt.
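The following is an added triage example, not code from the original article or from any decryptor: it parses a HOSTS file for domains sinkholed to a local address, classifies the personal ID from PersonalID.txt as offline or online, and lists encrypted files with their original names. The HOSTS content, ID and filenames are constructed samples. The rule that STOP/Djvu offline IDs end in "t1" comes from Emsisoft's decryptor guidance, not from this article, and is treated as an assumption in the code.

```python
"""Offline triage helpers for a STOP/Djvu (Gazp) infection.
Added example: not code from the original article. Inputs below are constructed."""
import re

# Addresses that STOP/Djvu-style HOSTS tampering points blocked domains at.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}
# Names that legitimately map to loopback in a stock HOSTS file.
STOCK_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                        "ip6-localhost", "ip6-loopback"}
PERSONAL_ID_RE = re.compile(r"[A-Za-z0-9]{20,64}")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS file content, skipping comments/blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def sinkholed_domains(hosts_text):
    """Domains pointed at loopback/unspecified addresses, excluding stock entries."""
    return sorted({name for ip, name in parse_hosts(hosts_text)
                   if ip in SINKHOLE_ADDRS and name not in STOCK_LOOPBACK_NAMES})


def classify_personal_id(personal_id):
    """Assumption from Emsisoft's decryptor guidance (not from the article):
    STOP/Djvu offline IDs end in 't1'. Returns 'offline', 'online' or 'invalid'."""
    pid = personal_id.strip()
    if not PERSONAL_ID_RE.fullmatch(pid):
        return "invalid"
    return "offline" if pid.endswith("t1") else "online"


def encrypted_files(filenames, extension=".gazp"):
    """Map each encrypted filename to the original name the extension was appended to."""
    return {f: f[:-len(extension)] for f in filenames if f.lower().endswith(extension)}


def triage(hosts_text, personal_id, filenames):
    """Summarise what an analyst needs before choosing a recovery path."""
    mode = classify_personal_id(personal_id)
    return {
        "key_mode": mode,
        "decryptor_may_help": mode == "offline",
        "sinkholed_domains": sinkholed_domains(hosts_text),
        "encrypted_files": encrypted_files(filenames),
    }


# --- constructed sample input (not captured from a real infection) ---
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 www.help-guides.example  # added by the malware
0.0.0.0 security-blog.example
127.0.0.1 removal-howto.example
"""
SAMPLE_OFFLINE_ID = "abcdefghijklmnopqrstuvwxyz0123456789ABCDt1"
SAMPLE_FILES = ["1.jpg.gazp", "2.doc.gazp", "_readme.txt", "PersonalID.txt"]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_HOSTS, SAMPLE_OFFLINE_ID, SAMPLE_FILES), indent=2))
```

On a live Windows system, read the HOSTS file from %SystemRoot%\System32\drivers\etc\hosts and the ID from PersonalID.txt, and confirm the shadow copies really are gone with `vssadmin list shadows` before deciding on a recovery path. An "online" result means no public decryptor can help, whatever the ransom note claims about a free test decryption.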

After implementing all these modifications, the malware continues its malicious activities without interruption. Variants of the STOP/DJVU malware are known to deploy the Vidar password-stealing Trojan on compromised systems. This dangerous threat possesses an extensive range of capabilities, which include:
- Illicitly acquiring login credentials for platforms like Steam, Telegram, and Skype;
- Stealing cryptocurrency wallets;
- Downloading and executing malware on the infected computer;
- Extracting browser cookies, stored passwords, browsing history, and other sensitive data;
- Browsing and manipulating files on the victim's computer;
- Providing hackers with remote access to the victim's computer for carrying out additional tasks.
The DJVU/STOP family encrypts files with a fast symmetric cipher (Salsa20 in publicly analysed samples, often reported as AES-256) and a key that is unique to each victim. Consequently, if your files were encrypted with an exclusive online key, they cannot be decrypted without it.
If Gazp operated in online mode, obtaining that key is not feasible: it is stored on a remote server controlled by the criminals distributing the Gazp virus.
To acquire the decryption key, the criminals demand $980 ($490 if the victim contacts them within the first 72 hours). The note urges victims to contact the fraudsters by email ([email protected]) to obtain payment details.
The message by the ransomware states the following information:
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-WJa63R98Ku Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Avoid Ransom Payments!
Utilize available backups or Decrypter tool instead
The Gazp virus representatives must be contacted within 72 hours, as stated in the _readme.txt file. Contacting them within this time frame entitles users to a 50% discount, reducing the ransom amount to $490. However, it is strongly recommended not to pay the ransom!
I strongly advise against contacting these criminals and making any payments. The most effective solution for recovering lost data is to utilize available backups or the Decrypter tool provided by Emsisoft.
All variants of this family follow the same sequence of steps to generate a unique key per victim.
Manual recovery of encrypted data is therefore not possible unless the ransomware was still under development or contains implementation flaws (the shared offline key is one such weakness). Regularly backing up crucial files is the only reliable way to prevent data loss.
Remember that backups must be stored separately from your main workstation: on a USB flash drive or external hard drive that is disconnected once the backup is done, or in online (cloud) storage. A backup kept on the main device can be encrypted along with everything else, so it offers no protection at all.
How was I infected?
Ransomware has various ways of getting into your system, but it does not really matter which specific one was used in your case.

Gazp commonly arrives after a successful phishing attempt, but your PC can also be infected through other common vectors:
- Hidden installation alongside other apps, particularly utilities that function as freeware or shareware.
- Questionable links in spam emails that lead to the virus installer.
- Downloads from free online file-hosting sites.
- Using illegal peer-to-peer (P2P) resources to download pirated software.
In some instances, the Gazp virus has been disguised as a legitimate tool, for example a prompt demanding a software or browser update. Online fraudsters use this tactic to trick you into installing the Gazp ransomware yourself.
The bogus update alert will of course not mention that ransomware is being installed. Instead, it will be hidden behind a claim that you should update Adobe Flash Player or some other dubious program.
Cracked apps also pose a risk. Pirating software over P2P not only violates the law but also exposes your device to serious malware, including the Gazp ransomware.
So what can you do to keep the Gazp ransomware off your device? There is no foolproof method, but a few tips go a long way: when installing free software, read the installer's additional offers carefully and decline bundled extras; do not open suspicious email attachments or files sent by unknown senders; and keep your security software up to date.
The malware does not reveal itself and will not appear in your list of installed programs. Instead, it runs as a process hidden in the background from the moment you start your PC.
How To Remove Gazp Virus?
In addition to encrypting a victim's files, the Gazp virus has also started to install the Vidar Stealer to steal account credentials, cryptocurrency wallets, desktop files, and more.
- Run the setup file.
- Press the "Install" button.
- Once installed, Anti-Malware will run automatically.
- Wait for the scan to complete.
- Click "Clean Now".

