
GarrantyDecrypt Ransomware

Posted: October 12, 2018

The GarrantyDecrypt Ransomware is a file-locker Trojan that blocks access to the files on your PC by encrypting them with a static master RSA key together with one or more per-victim keys. Different versions of this threat drop different ransom messages, typically as a Notepad text file, and may rename the blocked files, for example by adding an extension. Let your anti-malware products uninstall the GarrantyDecrypt Ransomware securely, then restore any lost content from your most recent backup.

A Trojan that Takes Care of Its Competition

A small number of attacks in Europe involve a threat whose payload is either configurable or being updated by its administrators to target different victims. While the GarrantyDecrypt Ransomware campaign varies in its cosmetic symptoms, every infection shares the same core damage: RSA-based encryption of the victim's files and some form of ransom note dropped on the hard drive. Research into its encryption routine is continuing, but malware experts have not yet produced, or seen anyone else produce, a free decryption solution.

The GarrantyDecrypt Ransomware's monetization model is ordinary for a file-locking Trojan, but it does have other features of interest. The Trojan disables other threatening software that could interfere with it or compete with it for the victim's machine, including threats from unrelated categories such as the Arkei spyware program and Rarog, a cryptocurrency-mining Trojan. After terminating these programs, the GarrantyDecrypt Ransomware proceeds to encrypt the victim's media (documents, pictures, etc.).

The GarrantyDecrypt Ransomware's encryption routine combines a master RSA key with an individually configured private key, and it appends a static file marker to each encrypted file. Some versions of the GarrantyDecrypt Ransomware also change file extensions, such as adding '.garrantydecrypt', but this symptom isn't universal. Victims should remember that the extension is strictly cosmetic: whether it's present or not has no bearing on the encryption that keeps the file from opening, and stripping it will not restore the file.

The Sole Guarantee of File Restoration that's Worth Your Time

The odds of breaking the RSA encryption, particularly with multiple, per-victim layers of it, are not in the victims' favor. Free decryptors from AV vendors do exist for file-lockers of various families, but relying on them as your only recovery option is not something malware experts would encourage. Backing up your files to secure storage, whether removable drives or password-protected network servers, and keeping that storage disconnected when not in use so an infection can't reach it, gives you a way to restore your work without any decryption at all.

Although the statistics so far place the GarrantyDecrypt Ransomware's campaign in Europe, its ransom messages are in English and show no specialization for any single country. Malware analysts also find no geo-fencing, such as refusing to install based on the victim's IP address, or other geography-related settings. Users may expect attacks to arrive through spam e-mails, torrents, or browser-driven exploit kits. Nearly all anti-malware programs delete current versions of the GarrantyDecrypt Ransomware securely, despite the Trojan's use of UPX packing, a compression wrapper that hides the program's code from naive signature matching but is unpacked routinely by modern scanners.

How much money the GarrantyDecrypt Ransomware's authors expect to make per infection is still unknown. However, if the GarrantyDecrypt Ransomware is anything like the file-locker Trojans it resembles, such as the Globe Ransomware family, the cost of not backing up your work could be hundreds or even thousands of dollars.

Update January 3rd, 2019 — Nostro Ransomware

The Nostro Ransomware is a file-locker based on the GarrantyDecrypt Ransomware project, and no free way of decoding its files has been found so far. The Nostro Ransomware is likely propagated via mass email spam campaigns, and its authors don't appear to have a preferred target group: so far the Nostro Ransomware has infected computers in Mexico, the Philippines and China. Users whose files are taken hostage by the Nostro Ransomware may notice that most of their documents, archives, backups, songs, videos, images, and other common file formats have been renamed with either the ‘.NOSTRO’ or ‘.nostro’ extension.

In addition to encrypting and renaming files, the Nostro Ransomware also creates the ransom note ‘#RECOVERY_FILES#.txt’. That note name is more often associated with the Aurora Ransomware family, but it has been confirmed that the Nostro Ransomware belongs to the GarrantyDecrypt family.

‘CONGRATULATIONS!
All your files have been encrypted!
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address
nostro19@protonmail.com
And tell us your unique ID
[redacted 0x200 bytes in base64]’
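The indicators named on this page (the '.garrantydecrypt', '.NOSTRO' and '.nostro' extensions and the '#RECOVERY_FILES#.txt' note) are enough for a first-response triage of a suspected infection, with one important addition: because the GarrantyDecrypt family does not always rename files, a responder also needs a signal that does not depend on the file name. The script below is an added example, not code from the page or from the malware's authors. It walks a directory tree, buckets files by ransom note, by renamed extension, and by byte entropy (encrypted content scores close to 8 bits per byte while documents and text score far lower), and runs against a constructed sample tree built in a temporary directory. The entropy threshold, the minimum file size, and the sample file names are assumptions made for the example.

```python
import hashlib
import math
import tempfile
from pathlib import Path

# Indicators quoted in the write-up. Threshold and minimum size are assumptions.
RANSOM_EXTENSIONS = {".garrantydecrypt", ".nostro"}   # matched case-insensitively
RANSOM_NOTE_NAMES = {"#RECOVERY_FILES#.txt"}
HIGH_ENTROPY_BITS = 7.5                                # bits per byte; maximum is 8.0
MIN_SAMPLE = 256                                       # entropy is noisy on tiny files


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Ciphertext (and compressed data) sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage_tree(root: Path) -> dict:
    """Classify every file under root by the three indicators.

    'encrypted_no_rename' is the case the write-up warns about: the body looks
    like ciphertext but the name is untouched, so an extension-only search
    would miss it.
    """
    root = Path(root)
    found = {"ransom_notes": [], "renamed": [], "encrypted_no_rename": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in RANSOM_NOTE_NAMES:
            found["ransom_notes"].append(rel)
            continue
        if path.suffix.lower() in RANSOM_EXTENSIONS:
            found["renamed"].append(rel)
            continue
        data = path.read_bytes()
        if len(data) >= MIN_SAMPLE and shannon_entropy(data) >= HIGH_ENTROPY_BITS:
            found["encrypted_no_rename"].append(rel)
    return {bucket: sorted(files) for bucket, files in found.items()}


def _pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def build_sample_tree(root: Path) -> None:
    """Constructed sample, not a real infection: one renamed file per variant,
    one encrypted file that kept its name, one intact file, and a ransom note."""
    root = Path(root)
    (root / "docs").mkdir(parents=True)
    (root / "docs" / "report.docx.nostro").write_bytes(_pseudo_ciphertext(b"a", 4096))
    (root / "docs" / "photo.jpg.garrantydecrypt").write_bytes(_pseudo_ciphertext(b"b", 4096))
    (root / "docs" / "notes.txt").write_bytes(_pseudo_ciphertext(b"c", 4096))
    (root / "docs" / "readme.txt").write_bytes(b"Quarterly figures, unchanged.\n" * 40)
    (root / "#RECOVERY_FILES#.txt").write_text(
        "CONGRATULATIONS!\nAll your files have been encrypted!\n")


def run_demo() -> dict:
    """Build the sample tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return triage_tree(Path(tmp))


if __name__ == "__main__":
    for bucket, files in run_demo().items():
        print(f"{bucket}: {files}")
```

The entropy bucket is a lead, not a verdict: JPEGs, ZIP archives, PDFs and other compressed formats also score near 8 bits per byte, so files flagged there need a manual check (a renamed copy of a known-good file is the quickest comparison). Conversely, a file in the renamed bucket with low entropy would suggest the extension was added without the body being encrypted, which is worth knowing before anyone pays for a decryptor.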

If your files have been locked by this file-encryption Trojan, be aware that recovering them is likely to be difficult. Currently, there is no workable way to decrypt the files for free, so apart from restoring from a backup, the only option on offer is the one proposed by the Nostro Ransomware’s author. That offer does not come cheap, and you might need to pay hundreds of dollars for their help; worse, there is no way to be sure they will not simply take the money without providing anything in return.

Victims of the Nostro Ransomware should remove the harmful application with a reputable, up-to-date anti-malware scanner. Once the Nostro Ransomware is gone, they can restore from a backup or try third-party data recovery software, which can sometimes retrieve deleted originals but offers no guarantee against this threat.
