If your computer was infected with GPCode Ransomware and you are looking for a way to remove it, then please consult our removal guide below. However, before you do that, we invite you to read this short description that may prove useful to you. In it, we discuss this ransomware’s distribution methods, features, and functions. In short, this application was designed to encrypt your personal files and demand that you pay money for the decryption key that is needed to decrypt them. The developer behind this application wants to extort money from you, but do not expect to get the promised decryption key as ransomware developers often do not keep their end of the bargain.
While this ransomware is nothing special from a programming standpoint, it is unique in selecting its targets. We have found that it targets Windows Servers through OS or RDP exploits, but this method of distribution is not very effective. Nevertheless, we have received information that some of its iterations were designed to target computers of regular users and that it was distributed through malicious email spam. The malicious emails are said to be sent to random email addresses around the globe, and they masquerade as legitimate. They contain file attachments that, when opened, drop GPCode Ransomware on the computer.
According to our research, this particular ransomware can be placed in various locations that vary with each case, so there is no reason to point out one specific location because its executable can be placed anywhere. Not only that, but its main executable can be named randomly, which makes it more difficult to detect.
We have managed to acquire this ransomware’s sample and test it. Testing has shown that GPCode Ransomware uses the AES encryption algorithm to encrypt your files and the RSA algorithm to encrypt the encryption key. Evidently, it creates a decryption key that is sent to this ransomware’s Command and Control server, so the only way to get it is to comply with the demands of its developer and pay the unspecified ransom. You may be even more compelled to do that because GPCode Ransomware was designed to encrypt nearly all of the files in almost all locations on your PC with the exception of %WINDIR%. Testing has shown that it appends the .LOL! extension to the encrypted files, but some of its iterations may also use the .OMG! extension. The extension does not do anything, but it indicates that the file was encrypted.
Furthermore, GPCode Ransomware is set to block certain executable applications such as Firefox and Google Chrome. Once the encryption is complete, this ransomware will drop a text file named how to get data.txt in every location where a file was encrypted and place one copy in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup specifically to open the ransom note on system startup. The note suggests that you contact the developer via firstname.lastname@example.org to get instructions on how to pay the ransom. The note also says that you can send files as large as 5 MB to receive them decrypted as proof that the developer means business, but that is no guarantee that you will get the promised decryption key and decryptor.
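The file-system traces described above (the .LOL! and .OMG! extensions, the how to get data.txt note, and the copy in the Startup folder) can be checked with a short triage script. This is an added example, not part of the original guide or any vendor tool; the function names and the constructed sample tree are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXTS = (".lol!", ".omg!")      # extensions named on this page
RANSOM_NOTE = "how to get data.txt"      # note file name named on this page
# Startup folder from the page, relative to %APPDATA%
STARTUP_REL = Path("Microsoft/Windows/Start Menu/Programs/Startup")


def scan(root, appdata=None):
    """Walk root and report the file-system indicators described above."""
    report = {"encrypted": [], "note_dirs": [], "startup_note": None}
    # Unreadable directories are skipped instead of aborting the walk.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXTS):
                report["encrypted"].append(os.path.join(dirpath, name))
            elif lower == RANSOM_NOTE:
                report["note_dirs"].append(dirpath)
    appdata = appdata or os.environ.get("APPDATA")
    if appdata:
        note = Path(appdata) / STARTUP_REL / RANSOM_NOTE
        if note.is_file():
            report["startup_note"] = str(note)
    return report


def make_constructed_sample(base):
    """Build a small constructed tree: two renamed files, notes, one clean dir."""
    base = Path(base)
    docs = base / "Users" / "demo" / "Documents"
    pics = base / "Users" / "demo" / "Pictures"
    startup = base / "AppData" / STARTUP_REL
    for d in (docs, pics, startup):
        d.mkdir(parents=True)
    (docs / "budget.xlsx.LOL!").write_bytes(b"constructed")
    (docs / "notes.txt.OMG!").write_bytes(b"constructed")
    (docs / RANSOM_NOTE).write_text("constructed note")
    (pics / "holiday.jpg").write_bytes(b"untouched")
    (startup / RANSOM_NOTE).write_text("constructed note")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = scan(make_constructed_sample(tmp), appdata=Path(tmp) / "AppData")
        for key, value in result.items():
            print(key, "->", value)
```

On a real system, call scan() on a user profile or data drive; the list of note directories shows how far the encryption reached, and a Startup hit shows the note is set to reopen at logon.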
In conclusion, this ransomware is highly malicious, and there is no guarantee that you will get your files back once you have paid the ransom. It uses an advanced encryption method, and there is no way to decrypt this ransomware’s encryption using a third-party decryptor. Therefore, we recommend that you remove this malicious program using our instructions. However, since its executable is named randomly and can be dropped anywhere on your PC, we recommend that you use SpyHunter to detect it.