GetCrypt Ransomware [ #GetCrypt ]

BleepingComputer has published an article covering a new ransomware family called GetCrypt being distributed through malvertising campaigns. The campaigns redirected users to a site hosting the RIG exploit kit, which was used to try and exploit vulnerabilities found on the computer.

Successful exploitation led to the download of the GetCrypt ransomware that first checks the victim host’s language and terminates if it is set to Ukrainian, Belarusian, Russian, or Kazakh. If it is not terminated, it first clears all volume shadow copies to prevent potential recovery efforts. It then scans the system to identify files to be encrypted and performs the encryption using the Salsa20 and RSA-4096 encryption algorithms.

GetCrypt ransom note

A ransom note is left behind demanding payment in exchange for the decryption key. Along with encrypting accessible network drives, this malware is unique in its use of brute force attacks to attempt to mount shares requiring additional authentication. BleepingComputer notes that a decryption tool has been released to assist in the recovery of files without ransom payment.

If you were infected with the GetCrypt Ransomware, it is possible to get your files back for free. All you need is a original unencrypted copy of a file that has been encrypted. Details on how to do this can be found here.

Search of this SHA256 on VirusTotal website

Indicators of Compromise


  • 8d833937f4da8ab0269850f961e8a9f963c23e6bef04a31af925a152f01a1169

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: