
GTF Ransomware

Posted: March 11, 2020

The GTF Ransomware is a file-locking Trojan that's part of the Dharma Ransomware's Ransomware-as-a-Service group. Infections can remove backups, convert your files into non-opening versions of themselves, and demand money through multiple ransom messages. Users should depend on anti-malware software for deleting the GTF Ransomware preemptively or post-infection and secure their backups against third-party tampering.

The Worst Service Your Files can Get

Continuing into 2020, despite the uptick in independent, file-locking Trojans, Ransomware-as-a-Service families retain their overall dominance over this illicit industry. The Dharma Ransomware, an offshoot of the Crysis Ransomware and its toolkit-generating Trojans, offers many of the latest variants for endangering victims' files, such as the ROGER Ransomware, the Rxx Ransomware, the YKUP Ransomware, the Blend Ransomware and the GTF Ransomware. Although malware analysts conclude that the GTF Ransomware is the youngest of these samples, the dangers of its payload aren't much different from those of its weeks-older relatives.

The GTF Ransomware remains Windows-based, like its forebears, with uncertain infection and propagation exploits at play. After running, the Trojan alters the Registry for gaining system persistence before launching its core attacks against the user's digital media. Content such as PDF or DOC documents, TXT text files, and JPG pictures all receive AES encryption that the Trojan secures with an RSA key, which stops other programs from opening them. The Trojan will 'label' each file's name with a custom 'GTF' extension, as well.

The GTF Ransomware may, additionally, access network shares for the above purpose, delete the Windows Restore Points (AKA Shadow Volume Copies) and generate HTA pop-ups and text files with ransom demands. These ransom notes provide little information besides a short deadline and a link to the Ransomware-as-a-Service's TOR website for paying a ransom. Although free recovery options for the GTF Ransomware's family are not very promising, users should always attempt them before making a payment, due to the natural uncertainty of receiving a real decryptor.
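As an added defender-side illustration (not from the original post and not the Trojan's own code), the following Python sketch turns the observable behaviour described above, a single process mass-writing files that end in '.GTF' across local folders and network shares, into a simple detection and a count of the original file types hit, which helps scope a restore from backups. The event format, process names, paths and thresholds are constructed assumptions, not real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-creation events (assumed format "ISO-time|process|path").
# Assumes the Trojan appends ".GTF" to each encrypted file's original name.
SAMPLE_EVENTS = r"""
2020-03-11T09:00:01|winword.exe|C:\Users\a\Docs\report.docx
2020-03-11T09:05:10|dropper_sample.exe|C:\Users\a\Docs\report.docx.GTF
2020-03-11T09:05:11|dropper_sample.exe|C:\Users\a\Docs\budget.pdf.GTF
2020-03-11T09:05:11|dropper_sample.exe|C:\Users\a\Pictures\trip.jpg.GTF
2020-03-11T09:05:12|dropper_sample.exe|\\fileserver\share\notes.txt.GTF
2020-03-11T11:30:00|explorer.exe|C:\Users\a\Docs\old.pdf.GTF
"""

GTF_SUFFIX = ".gtf"          # extension the page attributes to this variant
THRESHOLD = 3                # locked files per process before alerting (assumed)
WINDOW = timedelta(seconds=60)  # time span for the sliding window (assumed)

def parse_events(text):
    """Split 'time|process|path' lines into (datetime, process, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, proc, path = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), proc, path))
    return events

def is_locked_file(path):
    return path.lower().endswith(GTF_SUFFIX)

def original_extension(path):
    """'report.docx.GTF' -> '.docx': strip the appended suffix, read the one before it."""
    stem = path[: -len(GTF_SUFFIX)]
    m = re.search(r"(\.[A-Za-z0-9]+)$", stem)
    return m.group(1).lower() if m else ""

def detect_mass_locking(events, threshold=THRESHOLD, window=WINDOW):
    """Return {process: [locked paths]} for any process that created >= threshold
    '.GTF' files inside one window; a sliding window over time-sorted events."""
    per_proc = defaultdict(list)
    for ts, proc, path in sorted(events):
        if is_locked_file(path):
            per_proc[proc].append((ts, path))
    alerts = {}
    for proc, hits in per_proc.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[proc] = [p for _, p in hits]
                break
    return alerts

def affected_extensions(events):
    """Count original file types among locked files, to scope backup restoration."""
    counts = defaultdict(int)
    for _, _, path in events:
        if is_locked_file(path):
            counts[original_extension(path)] += 1
    return dict(counts)
```

Running `detect_mass_locking(parse_events(SAMPLE_EVENTS))` flags only the process that wrote four '.GTF' files within seconds; the single stray file from explorer.exe stays below the threshold.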

Serving Yourself an Escape from a Ransoming Situation

Due to limited reports and sample availability, malware researchers can't confirm current distribution exploits in the GTF Ransomware's campaign. Typically, threat actors prefer circulating Trojans of this family through e-mail schemes, such as fake workplace documents (printer notifications, resumes, etc.) that exploit general vulnerabilities or carry corrupted macros. Less often, they may also compromise a server by brute-forcing login credentials, or distribute the Trojan through torrents.

While safe browsing and server administration protocols can keep most of these attacks from succeeding, Windows users should have a fallback plan for recovering any data. Digital media should have at least one extra backup on a separate device, either a secured computer or detachable storage. In rare cases, the GTF Ransomware may fail at deleting the Shadow Volume Copies, although, in a majority of infections, the Dharma Ransomware members will accomplish this attack without a hitch.

Besides a backup strategy, possessing up-to-date software for threat detection and removal is the most universally dependable cure for any file-locking Trojan.

There's more left to explore of the GTF Ransomware's campaign, but for most users, the details of its propagation or cryptography changes are of minor importance. Trojans of this type can only succeed at their ransoms through careless behavior from those whom they attack, no matter how new they are.
