Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediately
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Ghost Ransomware

Do you have 500 US Dollars lying around? If you do, the creators of Ghost Ransomware are in luck, because you might be tricked into paying a ransom for a completely futile purpose. The creators of this infection want you to pay a ransom of $500 in return for getting your files decrypted. The attackers do encrypt your files, so this demand is not completely baseless. That being said, if you pay the ransom, you are unlikely to get a decryptor and get your files restored, which is why we do not recommend taking the risk. Of course, if you do not have money problems, you might choose to take a gamble, but we recommend against it. By reading this report, you will learn how the infection spreads, how to identify it, as well as how to delete it from your Windows operating system. Note that even if you get your files decrypted – which would be a miracle – you still need to remove Ghost Ransomware, and the sooner you take care of that, the better.

Do you know that most ransomware infections spread with the help of spam emails? The creators of this kind of malware disguise the launcher of the infection as a harmless file, and that is how victims are tricked into executing it without realizing it. Ghost Ransomware spreads using spam emails too, but it can use other security backdoors as well. Our research team emphasizes that vulnerable RDP channels could be exploited by ransomware, which is why you need to secure your system as soon as possible. When Ghost Ransomware slithers in, it creates a folder named “Ghost” in the %APPDATA% directory with the Ghost.bat, GhostHammer.dll, GhostService.exe.config, GhostService.pdb, and GhostService.vshost.exe files inside. The threat also creates files in the %HOMEDRIVE% directory, including Do_Not_Delete_codeId.txt, GhostFile.dll, GhostForm.exe, and GhostHammer.dll. It goes without saying that all of these files require removal because they help the malicious infection run. Overall, there is no doubt that the most important task for these malicious files is to encrypt data, but delivering the ransom note is very important too.

Ghost Ransomware delivers the demands of cyber criminals using a window entitled “Ghost.” This window pops up on the screen as soon as all intended files are encrypted. These include videos, music, images, text, and document files. According to the ransom note, the files are not deleted but, instead, encrypted, and the victim has the chance to recover them by paying a ransom. The message includes a link to a Blockchain page, and if you follow it, you are asked to pay a specific sum in Bitcoin that equals 500 Dollars. The ransom note delivered by the infection also asks to send a message to All of this might create an illusion that you have a solid chance to get your files decrypted. Unfortunately, we cannot give you any guarantees. Based on our experience with file-encrypting ransomware, you are unlikely to get the files with the “.Ghost” extension appended to their names decrypted. You have to decide what to do with the ransom demands, but we want to focus on deleting Ghost Ransomware. Note that this malware uses a service that keeps encrypting files, and so creating new files or replacing the corrupted ones with backup copies should not be done until removal is complete.

It is important to delete Ghost Ransomware regardless of what happens to your files or how you go about the ransom demands. The instructions below show how to erase the malicious infection manually, but we do not know if you will be able to succeed. If you are unsure about the steps shown below, you need to weigh the risk of doing more harm than good. This is one of the reasons why implementing an anti-malware program is the better option. We recommend installing this program because it can remove Ghost Ransomware automatically and because it can ensure that you do not need to deal with file-encryptors and other kinds of malware in the future. After you are done removing the threat, you can replace the corrupted files with backup copies. Hopefully, those exist because that might be your only chance to escape the trap laid by cyber attackers without a single scratch.

Ghost Ransomware Removal

  1. Tap Ctrl+Alt+Delete and select Task Manager.
  2. Go to the Processes tab, select the process named GhostService.exe, and click End Process.
  3. Tap Win+R keys to access Run and enter regedit into the dialog box to access Registry Editor.
  4. Go to the following registry paths and Delete the key named GhostService:
    • HKCU\SYSTEM\ControlSet001\services\
    • HKCU\SYSTEM\CurrentControlSet\services\
  5. Tap Win+E keys to launch Windows Explorer and enter %APPDATA% into the quick access field.
  6. Right-click and Delete the folder named Ghost (it should contain files named Ghost.bat, GhostHammer.dll, GhostService.exe.config, GhostService.pdb, and GhostService.vshost.exe).
  7. Enter %HOMEDRIVE% into the quick access field.
  8. Right-click and Delete the files named GhostForm.exe, GhostHammer.dll, and GhostFile.dll.
  9. Check the following directories and Delete malicious .exe files (the point is to delete the launcher):
    • %USERPROFILE%\Downloads
    • %USERPROFILE%\Desktop
    • %TEMP%
  10. Quickly Empty Recycle Bin and then employ a malware scanner to run a complete system scan.
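
The artifacts named in this report and in the removal steps can be checked for before anything is deleted. The PowerShell below is an added example, not part of the original report or of any vendor tool: it only reports what it finds, and the function name Get-GhostIndicator, its parameters and the extra HKLM registry check are assumptions introduced here.

```powershell
# Added example: read-only triage for the artifacts named in this report.
# Nothing is deleted; one object is emitted per indicator found.
function Get-GhostIndicator {   # hypothetical name, not a vendor tool
    param(
        [string]$AppData     = $env:APPDATA,
        [string]$HomeDrive   = $env:HOMEDRIVE,
        [string]$UserProfile = $env:USERPROFILE
    )
    function New-Finding($Type, $Item) { [pscustomobject]@{ Type = $Type; Item = $Item } }

    # Steps 1-2: the process and service that keep encrypting files.
    Get-Process -Name 'GhostService' -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'Process' "$($_.Name) (PID $($_.Id))" }
    Get-Service -Name 'GhostService' -ErrorAction SilentlyContinue |
        ForEach-Object { New-Finding 'Service' "$($_.Name) [$($_.Status)]" }

    # Steps 3-4: the page lists these keys under HKCU. HKLM is checked as well
    # (assumption added here: Windows registers services under HKLM).
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($set in 'ControlSet001', 'CurrentControlSet') {
            $key = "$hive\SYSTEM\$set\services\GhostService"
            if (Test-Path -LiteralPath $key) { New-Finding 'RegistryKey' $key }
        }
    }

    # Steps 5-6: the Ghost folder in %APPDATA% and whatever it contains.
    $ghostDir = Join-Path $AppData 'Ghost'
    if (Test-Path -LiteralPath $ghostDir -PathType Container) {
        New-Finding 'Folder' $ghostDir
        Get-ChildItem -LiteralPath $ghostDir -File -ErrorAction SilentlyContinue |
            ForEach-Object { New-Finding 'File' $_.FullName }
    }

    # Steps 7-8, plus Do_Not_Delete_codeId.txt, which the report also lists.
    foreach ($name in 'GhostForm.exe', 'GhostHammer.dll', 'GhostFile.dll',
                      'Do_Not_Delete_codeId.txt') {
        $path = Join-Path "$HomeDrive\" $name
        if (Test-Path -LiteralPath $path -PathType Leaf) { New-Finding 'File' $path }
    }

    # Files that were already encrypted carry the ".Ghost" extension.
    $enc = @(Get-ChildItem -LiteralPath $UserProfile -Recurse -File -Filter '*.Ghost' `
                 -ErrorAction SilentlyContinue | Where-Object { $_.Extension -eq '.Ghost' })
    if ($enc.Count) { New-Finding 'EncryptedFiles' "$($enc.Count) under $UserProfile" }
}

Get-GhostIndicator | Format-Table -AutoSize
```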