
GX40 Ransomware

Posted: April 4, 2017

Threat Metric

Threat Level: 8/10
Infected PCs: 44
First Seen: April 4, 2017
Last Seen: April 26, 2020
OS(es) Affected: Windows

The GX40 Ransomware is a Trojan that encrypts your files with an AES cipher and demands a Bitcoin ransom to unlock them. Typical defenses against threats of this classification include keeping backups in other locations, having security software scan e-mail attachments, and using cautious Web-browsing settings. Because a free decryptor may or may not become available, removing the GX40 Ransomware with anti-malware protection as soon as possible is the safest course for your files.

A Skeletal Raiding of Your File System

The GX40 Ransomware (or 'Ransomeware,' as its logo spells it) is one of a handful of in-development Trojans that malware experts are seeing this spring. While its features are incomplete, the GX40 Ransomware does include a fully working encryption routine and a ransom message that its authors have put significant work into designing. The Trojan is set to be distributed as a fake validation tool for PayPal accounts.

Most security tools identify the GX40 Ransomware as another variant of the populous Hidden Tear family of file-encoding threats, although malware experts can't confirm the relationship yet. After launching, the GX40 Ransomware encrypts photos, documents, and other media, but the current build limits its targeting to a 'test' directory on the user's desktop, consistent with a Trojan still under development. The attack is similar in format to that of some samples of the SuchSecurity Ransomware but appends a different extension ('.encrypted') to the names of the files it encrypts.
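A responder triaging a machine hit by a Trojan of this kind wants two things quickly: an inventory of the files carrying the appended extension, with their pre-attack names recovered, and a check that each one actually is ciphertext rather than a file the Trojan renamed and then failed to encrypt. The script below is an added example, not code from the original page or from the GX40 Ransomware's authors; it assumes only what the page reports (the '.encrypted' suffix and AES encryption). The sample directory tree, its file names, the 64 KiB sampling window and the 7.5 bits-per-byte entropy cut-off are constructed for illustration, and `os.urandom` stands in for AES output, which for an entropy test is indistinguishable from random bytes.

```python
"""Entropy-based triage of '*.encrypted' files left by a GX40-style attack.

Added example (not from the page or the malware's authors). Assumes only the
page's facts: victim files get '.encrypted' appended and are AES-encrypted.
The sample tree, thresholds and file names below are constructed.
"""
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".encrypted"   # extension the page reports GX40 appending
ENTROPY_THRESHOLD = 7.5        # bits/byte; assumed cut-off, AES output sits near 8.0
SAMPLE_BYTES = 64 * 1024       # read only the head of each file for speed


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def original_name(path: Path) -> str:
    """Strip the appended extension to recover the pre-attack file name."""
    name = path.name
    return name[: -len(ENCRYPTED_EXT)] if name.endswith(ENCRYPTED_EXT) else name


def triage(root) -> dict:
    """Walk `root` for '*.encrypted' files and classify each by entropy.

    Returns {posix_relative_path: {"original", "entropy", "encrypted_like"}}.
    A low-entropy '.encrypted' file deserves a second look: the Trojan may have
    renamed it without finishing encryption, or something else added the suffix.
    """
    root = Path(root)
    report = {}
    for p in sorted(root.rglob("*" + ENCRYPTED_EXT)):
        if not p.is_file():
            continue
        with open(p, "rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        ent = shannon_entropy(head)
        report[p.relative_to(root).as_posix()] = {
            "original": original_name(p),
            "entropy": round(ent, 2),
            "encrypted_like": ent >= ENTROPY_THRESHOLD,
        }
    return report


def build_sample_tree(root) -> None:
    """Create a constructed Desktop/test directory mimicking the page's description."""
    test_dir = Path(root) / "Desktop" / "test"
    test_dir.mkdir(parents=True)
    # os.urandom stands in for AES ciphertext (constructed sample data).
    (test_dir / "photo.jpg.encrypted").write_bytes(os.urandom(4096))
    (test_dir / "notes.docx.encrypted").write_bytes(os.urandom(4096))
    # Renamed but still plaintext: simulates an interrupted encryption pass.
    (test_dir / "todo.txt.encrypted").write_bytes(b"buy milk\n" * 300)
    # File outside the Trojan's target set; must not appear in the report.
    (Path(root) / "Desktop" / "readme.txt").write_bytes(b"not targeted\n")


def run_demo() -> dict:
    """Build the sample tree in a temp dir, triage it, clean up, return the report."""
    root = tempfile.mkdtemp(prefix="gx40_triage_")
    try:
        build_sample_tree(root)
        return triage(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, info in run_demo().items():
        flag = "ciphertext?" if info["encrypted_like"] else "LOW ENTROPY"
        print(f"{rel:40} {info['entropy']:5.2f}  {flag}  (was {info['original']})")
```

The entropy test is a heuristic, not proof of encryption: already-compressed formats such as JPEG, ZIP or DOCX score close to 8 bits per byte on their own, so a high score only confirms that the file is not recoverable plaintext, while a low score on a '.encrypted' file is the interesting finding. Run it against a copy of the victim's files, never the originals, and keep the report alongside the sample you submit for analysis.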

The GX40 Ransomware also launches a pop-up with a unique, skeleton-themed logo and ransoming information for purchasing the decryption key. The decryption feature is built into this ransom window's interface but requires a code that the threat actor provides in exchange for a non-refundable Bitcoin transfer. The current version of the message also gives the victim a limited time to pay before, it claims, the threat actor destroys the decryption key.

Putting Bad Bones to Rest

In ideal circumstances, third-party security researchers can give the victims of file-encrypting attacks a free decryption solution. Users always should try these free tools, or recover from a backup, in preference to paying ransoms that reward criminal behavior. Many threat actors see no need to honor their agreements and give their victims any decryption help, although the GX40 Ransomware is too new for malware experts to have any historical evidence of its author's likely behavior.

Because of its possible distribution as fraudulent software, you may encounter the GX40 Ransomware on free software sites or torrent networks. Always use security utilities to scan potential threats to your PC, including programs from unsafe sources. Short of having exhaustive backups, deleting the GX40 Ransomware before it runs is the only fully reliable way to keep files from being lost.

The social engineering in the GX40 Ransomware's initial campaign makes it improbable that the Trojan's attacks will do anything but grow from their current small numbers. Watching what you download and backing up your media, just in case, will keep threats of this nature from forcing you to pay for what you already own.
