If your files suddenly have .ghsd attached to them, your computer has been infected with Ghsd ransomware. It’s a type of computer malware that encrypts files and later offers victims a decryptor for a certain price. Ghsd ransomware is one of the more recent versions of the notorious Djvu/STOP ransomware family. The malicious actors operating this malware family release new versions on a regular basis, with at least a couple a week. The versions can be differentiated by the extensions they add to encrypted files. Unfortunately, you will not be able to open any files with the .ghsd extension, unless you first put them through a decryptor. It will be offered to you for $980 by the malware operator. Paying is risky, though, because it does not guarantee that a decryptor will actually be sent to you given how unreliable cybercriminals are.
When you open the infected file and launch the ransomware, your personal files are encrypted immediately. Your most important files, such as pictures, photos, videos, and other private documents, are targeted. Encrypted files are easy to identify because of the .ghsd extension: for instance, image.jpg becomes image.jpg.ghsd once encrypted. You won’t be able to open these files unless a specific tool is used to decrypt them. How you can get the decryptor is described in the _readme.txt ransom note, which is dropped in every folder containing encrypted files. Unfortunately, a $980 ransom is demanded from you. According to the note, users who get in touch with the cybercriminals operating this malware within the first 72 hours will receive a 50% discount. However, we seriously doubt that this is actually the case. In general, it is not advised to pay the ransom because there is nothing to ensure that the cybercriminals would actually send you the decryption tool. If you paid, there’s a chance that your files wouldn’t be recovered and you’d also lose your money. Furthermore, your money would be used to fund future criminal activities.
We strongly advise using anti-malware software to remove Ghsd ransomware from your computer. Since it’s a very serious infection, you shouldn’t try to manually delete Ghsd ransomware because doing so puts your computer at risk of further damage. You can start recovering your files from your backup as soon as you remove Ghsd ransomware using anti-malware software.
If you weren’t backing up your files before your computer became infected with this ransomware, you might not be able to recover them. The only thing you can do is wait for the release of a free Ghsd ransomware decryptor. If you decide to wait, make a backup of the encrypted files and store them safely. This ransomware uses online keys to encrypt files, making it challenging for malware researchers to create decryptors because the keys are unique to each user. A decryptor is unlikely to be developed until those keys are disclosed by the cybercriminals (or by law enforcement if they are successful in apprehending the malware operators).
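The paragraphs above say three things a defender can act on right away: encrypted files carry the appended .ghsd extension, a _readme.txt note is dropped in every affected folder, and the encrypted files should be preserved in case a decryptor is released later. The script below is an added example written for this page (not a tool from the article's author or from any security vendor) that inventories a directory tree for those two markers, reports the original file names, flags folders where the markers disagree, and copies the encrypted files plus one ransom note into a preservation directory. The marker values are the ones the article gives; the directory layout it builds is constructed sample data, not from a real incident.

```python
"""Inventory and preserve files encrypted by a Djvu/STOP variant (.ghsd).

Added example for this page; not part of the article and not vendor code.
Assumptions: the appended extension is ".ghsd" and the note is "_readme.txt",
as stated in the article. The sample tree below is constructed demo data.
"""
import os
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".ghsd"       # extension the article says is appended
RANSOM_NOTE = "_readme.txt"   # note dropped in each affected folder


def inventory(root):
    """Walk `root` and return (encrypted_files, note_dirs).

    encrypted_files: sorted list of (relative_path, original_name) tuples,
    original_name being the name with the appended extension stripped
    (image.jpg.ghsd -> image.jpg).
    note_dirs: sorted list of relative directories holding the ransom note.
    """
    root = Path(root)
    encrypted, note_dirs = [], set()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        for name in files:
            if name == RANSOM_NOTE:
                note_dirs.add(rel_dir.as_posix())
            elif name.endswith(ENCRYPTED_EXT):
                rel = (rel_dir / name).as_posix()
                encrypted.append((rel, name[: -len(ENCRYPTED_EXT)]))
    return sorted(encrypted), sorted(note_dirs)


def summarize(root):
    """Counts plus a consistency check: folders with encrypted files but no
    note (or a note but nothing encrypted) deserve a second look."""
    encrypted, note_dirs = inventory(root)
    enc_dirs = {Path(rel).parent.as_posix() for rel, _ in encrypted}
    return {
        "encrypted_count": len(encrypted),
        "note_dirs": note_dirs,
        "encrypted_dirs_without_note": sorted(enc_dirs - set(note_dirs)),
        "note_dirs_without_encrypted": sorted(set(note_dirs) - enc_dirs),
    }


def preserve(root, dest=None):
    """Copy every encrypted file (keeping the relative layout) and one ransom
    note into `dest`; the note holds the victim ID a future decryptor may need.
    Returns (files_copied, dest_path). Creates a temp dir if dest is None."""
    root = Path(root)
    dest = Path(dest) if dest else Path(tempfile.mkdtemp(prefix="ghsd_keep_"))
    encrypted, note_dirs = inventory(root)
    copied = 0
    for rel, _orig in encrypted:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(root / rel, target)  # copy2 keeps timestamps as evidence
        copied += 1
    if note_dirs:
        shutil.copy2(root / note_dirs[0] / RANSOM_NOTE, dest / RANSOM_NOTE)
        copied += 1
    return copied, str(dest)


def build_sample_tree():
    """Constructed layout mimicking an infected user profile (demo data only).
    Not every file gets encrypted, which the summary must tolerate."""
    root = Path(tempfile.mkdtemp(prefix="ghsd_demo_"))
    layout = {
        "Pictures/image.jpg.ghsd": b"\x00encrypted",
        "Pictures/_readme.txt": b"ransom note text (placeholder)",
        "Documents/report.docx.ghsd": b"\x00encrypted",
        "Documents/_readme.txt": b"ransom note text (placeholder)",
        "Documents/notes.txt": b"untouched",
        "Music/song.mp3": b"untouched",
    }
    for rel, data in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel, original in inventory(demo_root)[0]:
        print(f"{rel}  (was {original})")
    print(summarize(demo_root))
    print("preserved:", preserve(demo_root))
```

Run it against the real profile directory (for example `C:\Users\<name>`) instead of the demo tree only after the infection has been removed with anti-malware software, as the article advises, so the preservation copy is not itself encrypted while it is being written.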
Ransomware distribution methods
Malicious actors frequently use email attachments to spread malware. If your email address has been exposed by some service, you will get malicious emails in your inbox from time to time because your email address is likely being sold on various hacker forums. You can check whether it has been leaked by visiting haveibeenpwned. If your email address was made public in a data breach, you should exercise caution when opening unsolicited emails with attachments. Never open unsolicited email attachments without first double-checking them: before opening any attachment, scan it with VirusTotal or anti-virus software. Malicious emails are also quite easy to identify in general. It is common for malicious senders to pose as representatives of known companies, claiming that they’re emailing an important attachment that needs to be reviewed. But the emails are full of grammar and spelling mistakes, which look very out of place in what’s supposed to be a professional email. Another indication of a potentially malicious email is being addressed with generic words like “User”, “Member”, and “Customer” when your name should be used. Malicious actors usually do not have access to information like a full name, so they fall back on generic words.
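The indicators listed above (a generic greeting in place of your name, an unsolicited attachment that should be scanned before it is opened) can be checked automatically before a message ever reaches a user. The script below is an added example written for this page, not code from the article's author: it parses an .eml message with Python's standard `email` library, flags a generic salutation, lists each attachment with its SHA-256 (the hash you would look up on VirusTotal rather than opening the file), and marks executable and double-extension names such as invoice.pdf.exe. The sample message and the salutation and extension lists are constructed here; they are not from the article.

```python
"""Triage an email for the phishing indicators discussed on this page.

Added example; not part of the article. SAMPLE_EML, GENERIC_SALUTATIONS and
RISKY_EXTENSIONS are constructed for the demo.
"""
import email
import hashlib
import re
from email import policy

# Words used in place of a name when the sender does not actually know it.
GENERIC_SALUTATIONS = {"user", "member", "customer", "client", "sir/madam"}
# File types that run code when double-clicked; an invoice never needs them.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd",
                    ".ps1", ".hta", ".lnk", ".iso"}

# Constructed lure: impersonated company, generic greeting, urgency,
# and a double-extension attachment whose content is harmless placeholder bytes.
SAMPLE_EML = b"""From: "Acme Billing" <billing@example.com>
To: you@example.net
Subject: Important invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Dear Customer,

Please review the attached invoice and confirm payment urgently.

--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBwcm9ncmFt
--XYZ--
"""


def sha256_hex(data):
    """Hash to look up on VirusTotal instead of opening the attachment."""
    return hashlib.sha256(data).hexdigest()


def greeting_is_generic(body):
    """True if the first non-empty body line is a salutation addressed to a
    generic word ("Dear Customer,") rather than a name. A body with no
    salutation at all is not judged and returns False."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"^(dear|hello|hi|greetings)\b[\s,]*(.*?)[\s,:!.]*$",
                     line, re.I)
        if not m:
            return False
        rest = m.group(2).lower().replace("valued ", "")
        return rest in GENERIC_SALUTATIONS
    return False


def attachment_flags(name):
    """Flag executable types and names like report.pdf.exe that disguise one."""
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    risky = ext in RISKY_EXTENSIONS
    return {"risky_extension": risky, "double_extension": risky and len(parts) > 2}


def triage_email(raw):
    """Parse raw .eml bytes and return sender, indicators and attachment info."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_content()
        if isinstance(data, str):  # text attachments come back decoded
            data = data.encode("utf-8")
        attachments.append({"name": name, "sha256": sha256_hex(data),
                            **attachment_flags(name)})
    indicators = []
    if greeting_is_generic(body):
        indicators.append("generic greeting")
    if any(a["risky_extension"] for a in attachments):
        indicators.append("executable attachment")
    if any(a["double_extension"] for a in attachments):
        indicators.append("double extension on attachment")
    return {"from": str(msg["From"]), "indicators": indicators,
            "attachments": attachments}


if __name__ == "__main__":
    report = triage_email(SAMPLE_EML)
    print(report["from"], report["indicators"])
    for att in report["attachments"]:
        print(att["name"], att["sha256"])
```

Feed it a message saved from your mail client (`triage_email(open("msg.eml", "rb").read())`); the attachment hash it prints can be searched on VirusTotal without the file ever being executed.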
Another common way malware is spread is via torrents. Malicious actors can upload torrents with malware in them onto torrent platforms quite easily because torrent platforms are rather poorly moderated in many cases. Torrents for entertainment-related content commonly contain malware. Torrents for popular movies, TV shows, and video games are especially prone to having malware in them. If you use torrents to download copyrighted content for free, you’re risking a malware infection. And as you already know, downloading pirated versions of paid content is essentially stealing.
How to remove Ghsd ransomware
Due to its complexity, manual Ghsd ransomware removal is not recommended. You run the risk of causing further damage to your computer if you’re not careful when trying to delete Ghsd ransomware by hand. Instead, you should use professional anti-malware software to remove Ghsd ransomware from your computer. As soon as Ghsd ransomware has been completely eliminated, you may connect to your backup and start restoring your files.
Ghsd ransomware is detected as:
- FileRepMalware [Ransom] by AVG/AVAST
- Gen:Variant.Trojan.Crypt.63 by BitDefender
- Gen:Variant.Trojan.Crypt.63 (B) by Emsisoft
- A Variant Of Win32/Kryptik.GZSL by ESET
- UDS:Trojan-Ransom.Win32.Stop by Kaspersky
- Ransom_Stop.R002C0PG422 by TrendMicro
- Ransom:Win32/Filecoder.DD!MTB by Microsoft
- ML.Attribute.HighConfidence by Symantec