Gendarmerie Ransomware

Lately, our researchers noticed an increase of ransomware applications based on an open-source software called Hidden Tear, and it looks like Gendarmerie Ransomware could be one of them. However, the difference between this and other similar threats we recently researched is that this malware seems to be targeted at users speaking French. Also, it looks like instead of asking its victims to pay a ransom in Bitcoins, the malicious program’s developers wish to get payment in Neosurf coupons. As usual in exchange of a payment they offer users decryption tools. More details about Gendarmerie Ransomware will be presented in the following paragraphs and if you decide not to risk your savings we can help you get rid of the infection too by providing steps showing how to remove it manually below the text.

At the moment of writing it is still difficult to say how Gendarmerie Ransomware could be distributed since there might be various possibilities, for example, victims could receive it after opening a malicious email attachment, fake text documents or other files, infected software installers, and so on. In any case, usually, users receive such malware because they are too careless with data downloaded from the Internet or encountered while browsing malicious web pages. To avoid this from happening in the future, our specialists recommend taking extra precautions. For example, if the email attachment comes from a sender you do not know or Spam emails, it would be best not to open it or at least scan it with a reliable antimalware tool first.

From what we know the malware does not create any additional data (except ransom notes), which means it runs from the moment the user opens its launcher until its process gets stopped. Thus, the threat should be unable to restart with Windows. Soon after Gendarmerie Ransomware’s launcher is executed the malicious application might begin the encryption process. During it, the infection might lock various documents, photos, pictures, music files, videos, etc. The second extension that should be applied at the end of all enciphered files is called .hacking, for example, picture.jpg.hacking, document.docx.hacking, and so on. Needless to say, data with this particular extension should be unreadable and consequently unusable.

What’s next, users should notice text documents titled “Message_Important.txt” in all directories containing encrypted files. Translated from French the message in them says the user can recover locked data with a decryption tools that he can get if he pays a ransom and contacts the malware’s developers through email. The asked sum is one hundred euros, and as we said earlier, it must be paid in Neosurf coupons. It does not say how long does the user have to pay the ransom and does not threaten to delete all data permanently if the user does not pay, so there is no need to make any rash decision you could later regret.

If you pay the ransom, it might appear to be Gendarmerie Ransomware’s creators want more money or have no intention of helping you. What we are trying to say, is that there are no reassurances and if you decide to put up with the mentioned demands there is a possibility you could get scammed. Consequently, we advise against paying the ransom and recommend finding other ways to restore locked files, for example, recovery from backup copies. Of course, before placing any new data on the system, it might be safer to erase the malicious program first.

One of the ways to get rid of Gendarmerie Ransomware is to find its launcher and delete it manually. Users who have no idea where to look for it should see the instructions we added at the end of the text as they will mention a few possible directories. If the manual deletion process seems too long or you would instead use automatic removal features, you can install an antimalware tool as well; just make sure you pick a reliable one. For additional help, users could write a comment below the article or reach us via social media.

Erase Gendarmerie Ransomware

1. Press Ctrl+Alt+Delete.
2. Go to the Task Manager.
3. Find the malware’s process.
4. Mark this process and click End Task.
5. Exit Task Manager.
6. Tap Win+E.
7. Navigate to:
   %TEMP%
   %USERPROFILE%\desktop
   %USERPROFILE%\downloads
8. Find the malicious program’s launcher.
9. Right-click the suspicious file and press Delete.
10. Close File Explorer.
11. Empty your Recycle bin.
12. Reboot the system.