Cyber Security

Snatch Ransomware Variant "Gvlbsjz" Implements New Encryption Cypher

Gvlbsjz is a new ransomware threat that belongs to the Snatch ransomware family. It is a dangerous file-locker developed to extort ransom payments from victims. Once Gvlbsjz infects a device, it will start a scan to detect user-generated data and files. The ransomware looks for pictures, music, databases, archives, backups, and anything else that might be valuable to the users.

Upon finishing the scan, Gvlbsjz will initiate an encryption routine to encrypt files using a powerful cipher. The virus also adds the ".gvlbsjz" extension to all encrypted files. For example, a file named "pictures.rar" will get renamed to "pictures.rar.gvlbsjz."

Users can see the icons of the encrypted files, but they cannot open, edit, or view them. Gvlbsjz's ransom note promises the solution to the problem it creates. 

Ransom Note

Gvlbsjz ransomware drops a text file called "HOW TO RESTORE YOUR FILES.TXT" at the victim's desktop.

Ransom Note Text:

Hello! All your files are encrypted and only I can decrypt them.

Contact me: or

Write me if you want to return your files - I can do it very quickly!

The header of letter must contain extension of encrypted files.

I'm always reply within 24 hours. If not - check spam folder, resend your letter or try send letter from another email service.


Do not rename or edit encrypted files: you may have permanent data loss.

To prove that I can recover your files, I am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups)


! ! ! If you do not email me in the next 48 hours then your data may be lost permanently ! ! !

The ransom note is fairly standard as far as ransomware notes go. The message informs the victim that their files have been encrypted. The message states that the attacker can restore the data quickly, but for a price.

The ransom note doesn't mention a specific ransom. Instead, victims are instructed to contact the attackers via either the or email addresses.

Victims are given 48 hours to establish communication with the attackers. Otherwise, their data will be lost permanently.

Additionally, the attacker offers free decryption of one file as a guarantee that data recovery is possible. However, this "generous offer" has conditions. Victims can send only small files (up to 1MB) that don't contain important data.


Despite being part of a well-known ransomware family, Gvlbsjz uses a cipher that is not cracked yet. There is no third-party software that can decrypt the .gvlbsjz files without involving the criminals.

However, experts advise against paying ransoms. Not only would such an action finance crime but it also encourages the criminals to continue their malicious business.

Victims can use backups stored on external or cloud devices to restore their data. Of course, Gvlbsjz ransomware must be removed before any data recovery operation is attempted. Otherwise, the ransomware will corrupt the newly-recovered files.

How Gvlbsjz Infects Computers

Ransomware operators use various mass-distribution techniques to reach a broad spectrum of potential victims. From massive spam campaigns to pirated software and trojan horse viruses, the criminals place traps around the Web and wait for someone to take their bait.

The key to the successful ransomware distribution is not the used technique. It's the victims' naivety and carelessness.

With the exception of brute force attacks, all cyber infections are started by careless users who interact with malicious elements, such as email attachments, weaponized links, corrupted software installers, etc.

Therefore, users are encouraged to follow the cybersecurity industry's best practices, which are developed to mitigate the risk of ransomware infections.

Show More

Reactionary Times News Desk

All breaking news stories that matter to America. The News Desk is covered by the sharpest eyes in news media, as they decipher fact from fiction.

Previous/Next Posts

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button