What is GIOTINE FIDY ransomware? And how does it implement its attack?
GIOTINE FIDY ransomware, also known as Giyotin ransomware, is a file-encrypting virus designed to encrypt important files in a computer. According to security experts, this crypto-malware is still in its development phase and targets Turkish-speaking users. It mostly targets regular PC users and small businesses that lack enterprise-level protection.
Once it infects a computer, it runs its malicious payload, named “MyRansom.exe”, and makes several changes to the system. It creates dubious entries in the Windows Registry and modifies existing ones so that it runs automatically on every system boot. After it has made these changes, it begins to encrypt files using a standard encryption algorithm. GIOTINE FIDY ransomware does not appear to add any extension to its encrypted files, but that does not mean the files are accessible; they are very much encrypted. Once the encryption is completed, it opens an image with a ransom note written in Turkish. It states:
“OOPS, GİYOTİN FİDYE YAZILIMININ KURBANI OLDUNUZ
Bilgisayarınız ve Tüm Önemli Dosyalarınız Şifrelendi. Dosyalarınızı Geri Alıp Bilgisayarınıza Tamamen Erişim Sağlayabilmek İçin Aşağıdaki Adımları Takip Edin
1-İnternet Üzerinden Herhangi Bir Website veya Server Yardımıyla Bİr Bitcoin Hesabı ve Cüzdanı Oluşturun
2-Bİtcoin Hesabınız Üzerinden Aşağıda Belirtilen Adreslerden Herhangi Birine 60$(Dolar) Değerinde Bitcoin Gönderin
3-Ödeme İşleminden Sonra
[email protected] adresine “HACKED” Metni İçeren Bir Mesaj Bırakın
ANCAK FAZLA ZAMANINIZ YOK 12 SAAT İÇERİSİNDE BU İŞLEMLERİ YAPMADIĞINIZ TAKDİRDE BİLGİSAYARINIZ KALICI OLARAK ÇÖKECEKTİR !!!!”
Here’s a rough English translation of the ransom note:
“OOPS, YOU HAVE BECOME A VICTIM OF THE GİYOTİN RANSOMWARE
Your Computer and All Your Important Files Have Been Encrypted. Follow the Steps Below to Get Your Files Back and Regain Full Access to Your Computer
1-Create a Bitcoin Account and Wallet Using Any Website or Server on the Internet
2-From Your Bitcoin Account, Send $60 (USD) Worth of Bitcoin to Any of the Addresses Listed Below
3-After the Payment, Leave a Message Containing the Text “HACKED” at the address [email protected]
BUT YOU DO NOT HAVE MUCH TIME: IF YOU DO NOT COMPLETE THESE STEPS WITHIN 12 HOURS, YOUR COMPUTER WILL CRASH PERMANENTLY !!!!”
Although this crypto-malware is still in its development phase, that does not make it any less dangerous, which is why you must obliterate it from your computer the instant you discover it on your system. In addition, you must not pay the ransom demanded by the crooks, as there is no guarantee that they will give you the decryption key. The best thing you can do for now is use alternative methods to restore your files.
How does GIOTINE FIDY ransomware proliferate?
GIOTINE FIDY ransomware might proliferate using the most common ransomware distribution method, which is the malicious spam email campaign. Crooks attach the malicious payload to emails and send them to victims using spam bots. So before you open any email or its attachment, double-check it first, no matter who sent it.
Obliterating GIOTINE FIDY ransomware won’t be easy, so use the following removal guide to do it successfully.
Step 1: Tap the Ctrl + Alt + Delete keys to open a menu, then expand the Shut down options, which are right next to the power button.
Step 2: After that, tap and hold the Shift key and then click on Restart.
Step 3: In the Troubleshoot menu that opens, click on Advanced options and then go to Startup Settings.
Step 4: Click on Restart and tap F4 to select Safe Mode or tap F5 to select Safe Mode with Networking.
Step 5: After your PC has successfully rebooted, tap Ctrl + Shift + Esc to open the Task Manager.
Step 6: Go to the Processes tab, look for any suspicious-looking processes that could be related to GIOTINE FIDY ransomware, and end them.
Step 7: Exit the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and click OK or press Enter.
Step 8: Look for suspicious programs that could be related to GIOTINE FIDY ransomware and uninstall them.
Step 9: Close Control Panel and tap the Win + E keys to open File Explorer.
Step 10: Navigate to the following location, look for the malicious components created by GIOTINE FIDY ransomware, such as MyRansom.exe and other dubious files, and delete them all.
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
Step 11: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech-savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use [product-name]; this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 12: Tap Win + R to open Run, type in regedit in the field and tap Enter to pull up the Windows Registry.
Step 13: Navigate to the paths listed below and look for the registry keys and sub-keys created by GIOTINE FIDY ransomware.
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
Step 14: Delete the registry keys and sub-keys created by GIOTINE FIDY ransomware.
Step 15: Close the Registry Editor and empty the contents of the Recycle Bin.
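As an added example (not part of the original guide), the script below collects into one report the locations Steps 6, 10 and 13 ask you to inspect by hand: the Startup folder, the Control Panel\Desktop keys and any running process or auto-start entry that names MyRansom.exe. It deletes nothing, so it is safe to run first and act on afterwards. It assumes the ransomware registers itself under the standard Run keys and changes the Wallpaper value to display the ransom image; neither detail is stated in the article.

```powershell
# Added example (not from the original article): report-only triage of the
# persistence locations listed in the removal guide above. It deletes nothing.
# Assumptions: the ransomware registers itself under the standard Run keys
# (the article names the registry changes but not the key) and changes the
# Wallpaper value under Control Panel\Desktop to show the ransom image.
$Indicator = 'MyRansom.exe'   # payload name from the article
$Findings  = [System.Collections.Generic.List[string]]::new()

# 1. Startup folder (Step 10 of the guide)
$StartupDir = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
Get-ChildItem -LiteralPath $StartupDir -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings.Add("Startup item: $($_.FullName)") }

# 2. Run keys (assumed persistence location); a value whose data names the
#    payload is flagged, everything else is listed for manual review
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($Key in $RunKeys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $Props) { continue }
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -like 'PS*') { continue }          # skip provider metadata
        $Flag = if ("$($P.Value)" -match [regex]::Escape($Indicator)) { 'SUSPECT' } else { 'review' }
        $Findings.Add("[$Flag] $Key\$($P.Name) = $($P.Value)")
    }
}

# 3. Desktop keys from Step 13 of the guide (HKU needs a drive mapping first)
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$DesktopKeys = 'HKCU:\Control Panel\Desktop', 'HKU:\.DEFAULT\Control Panel\Desktop'
foreach ($Key in $DesktopKeys) {
    $Wall = (Get-ItemProperty -Path $Key -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
    if ($Wall) { $Findings.Add("Wallpaper under $Key = $Wall") }
}

# 4. Running processes whose image matches the payload name (Step 6)
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -like "*\$Indicator") } |
    ForEach-Object { $Findings.Add("[SUSPECT] running process $($_.Id): $($_.Path)") }

$Findings | ForEach-Object { Write-Output $_ }
```

Run it from an elevated PowerShell prompt so the HKLM and HKU keys are readable; lines marked SUSPECT are the ones to remove in Steps 10 and 14.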
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if GIOTINE FIDY ransomware hasn’t deleted the shadow copies of your files. Still, this is one of the best free methods there is, so it’s definitely worth a shot.
To restore an encrypted file, right-click on it and select Properties; a new window will pop up. Then go to the Previous Versions tab. It will load the file’s previous versions from before it was modified. After it loads, select any of the previous versions displayed in the list, like the one in the illustration below, and then click the Restore button.
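The Previous Versions dialog reads from Volume Shadow Copies, so the same recovery can be scripted for many files at once. The script below is an added example, not part of the original guide: it lists the shadow copies of the volume holding a file, reports if there are none (the case the paragraph above warns about), and copies every available version of that file into a recovery folder. It assumes an elevated PowerShell session; the $Target and $RestoreDir paths are constructed placeholders.

```powershell
# Added example (not from the original article): pull every shadow-copy version
# of one file into a recovery folder, the command-line equivalent of the
# Previous Versions dialog. Assumptions: elevated PowerShell session; $Target
# and $RestoreDir are the operator's paths (the defaults are constructed).
param(
    [string]$Target     = 'C:\Users\Public\Documents\report.docx',
    [string]$RestoreDir = 'C:\Recovered'
)

$Volume = [System.IO.Path]::GetPathRoot($Target)        # e.g. C:\
$Rel    = $Target.Substring($Volume.Length)              # Users\Public\...\report.docx

# Map the drive letter to its volume GUID path, which is how Win32_ShadowCopy
# names volumes (\\?\Volume{...}\).
$VolId  = (Get-CimInstance Win32_Volume |
           Where-Object { $_.DriveLetter -eq $Volume.TrimEnd('\') }).DeviceID

# Newest copy first. An empty list is itself a finding: the shadow copies for
# this volume are gone, which is exactly the case the article warns about.
$Copies = Get-CimInstance Win32_ShadowCopy |
          Where-Object { $_.VolumeName -eq $VolId } |
          Sort-Object InstallDate -Descending
if (-not $Copies) { Write-Warning "No shadow copies exist for $Volume"; return }

New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null
$Link = Join-Path $env:TEMP 'vss_mount'

foreach ($Copy in $Copies) {
    # The copy is exposed as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN.
    # Cmdlets cannot open that prefix directly, so expose it through a
    # directory symlink (the trailing backslash on the target is required).
    cmd.exe /c mklink /d "$Link" "$($Copy.DeviceObject)\" | Out-Null
    try {
        $Source = Join-Path $Link $Rel
        if (Test-Path -LiteralPath $Source) {
            $Stamp = $Copy.InstallDate.ToString('yyyyMMdd-HHmmss')
            $Dest  = Join-Path $RestoreDir ("{0}.{1}" -f (Split-Path $Target -Leaf), $Stamp)
            Copy-Item -LiteralPath $Source -Destination $Dest
            Write-Output "Restored $Stamp version -> $Dest"
        }
    } finally {
        cmd.exe /c rmdir "$Link" | Out-Null     # removes the link, not the data
    }
}
```

Each recovered version is saved with its shadow-copy timestamp appended, so you can open them and pick the most recent one that is not encrypted.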
To ensure the removal of GIOTINE FIDY ransomware, including the malicious components it has created on your system, follow the advanced steps below.
- Turn on your computer. If it’s already on, you have to reboot it.
- After that, the BIOS screen will be displayed; if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- To navigate the Advanced Options, use the arrow keys, select Safe Mode with Networking and then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run box will show up.
- Type the URL address [product-url] in the Run dialog box and then tap Enter or click OK.
- After that, it will download the program. Wait for the download to finish and then open the launcher to install it.
- Once the installation process is completed, run [product-code] to perform a full system scan.
- After the scan is completed click the “Fix, Clean & Optimize Now” button.