What is Greystars ransomware? And how does it execute its attack?
Greystars ransomware is a data-encrypting ransomware Trojan first discovered at the beginning of May 2018. According to security experts, this crypto-malware has similarities with other ransomware threats, namely Sequre ransomware and GrandCrab3 ransomware. Once the malicious payload of this ransomware is downloaded and installed on the system, it starts its attack by downloading more malicious files and creating new ones. It also modifies some Windows system files and the Windows Registry so that it can achieve persistence. After that, it scans the system for certain file types to encrypt. For the encryption it uses both the AES 256 and RSA 2048 algorithms. Once it has finished locking the targeted data, it marks the files with the [email protected]. It also drops a file named “RECOVER-YOUR-FILES.html”, which contains the following text:
“All your files have been encrypted!
How to recover your files?
All your files have been encrypted by RSA and AES due to a security problem on your PC.
You have to pay for decryption of Bitcoins.
If you want to restore them. You must send 0.08 bitcoin to my bitcoins address 1JnRP8UsTDLRjzCTaJXYPr5oYkKc7bLY2Q.
After payment, we will send you the decryption tool that will decrypt all your files.
Please write us to the email
Your decrypt code is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Please write the decrypted code in the title of your email message. And don’t forget to write the transfer accounts info.
How to obtain Bitcoins?
The easiest way to buy bitcoins is LocalBitcoins site. You have to register. Click “Buy Bitcoins.”And select the seller by payment method and price.
The Web Site address is https://localbitcoins.com/,or other websites.
1. Do not rename encrypted files.
2. Do not try to decrypt your data using third party software. It may cause permanent data loss.”
Based on the ransom note, the cyber crooks behind Greystars ransomware offer to sell their victims the decryptor for 0.08 Bitcoin, which is approximately 736 USD or 614 EUR. If you are one of the users who have fallen victim to this ransomware, paying the ransom is not recommended, as you will most likely end up wasting your money for nothing. Instead of paying, you should remove Greystars ransomware from your computer before it can cause further damage to your data. Once you have removed it, you can try the alternative options below to recover your encrypted files.
How is the malicious payload of Greystars ransomware distributed?
The malicious payload of Greystars ransomware is distributed via exposed or weakly secured RDP (Remote Desktop Protocol) services, fake software or fake software updates, and of course, malicious spam emails. Regardless of the distribution method, the ransomware starts running as a malicious “.exe” file and may force your system to restart. This is why you have to be careful about whatever you download from the web, especially if the source looks shady.
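Because weak RDP exposure is one of the delivery routes named above, the following PowerShell check is worth running on any Windows host before (or after) cleanup. It is an added example, not a script from the original article: it reports whether RDP is enabled without Network Level Authentication and summarises recent failed RDP logons from the Security log. The registry value names and the event ID are the standard Windows ones; the 24-hour window and the grouping are assumptions made for this example.

```powershell
# Added RDP exposure check (not part of the original article). Run in an elevated
# PowerShell session: reading the Security log requires administrator rights.
$TS = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# fDenyTSConnections = 0 means RDP accepts connections; UserAuthentication = 1 means NLA is required.
$rdpDenied = (Get-ItemProperty -Path $TS -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$nla       = (Get-ItemProperty -Path "$TS\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

$rdpEnabled = ($rdpDenied -eq 0)
Write-Host ("RDP enabled : {0}" -f $rdpEnabled)
Write-Host ("NLA required: {0}" -f ($nla -eq 1))
if ($rdpEnabled -and $nla -ne 1) {
    Write-Warning 'RDP accepts connections without NLA: anyone who can reach the port gets a logon screen before authenticating.'
    # Remediation (requires admin):
    # Set-ItemProperty -Path "$TS\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
}

# Failed logons (event 4625) whose LogonType is 10 (RemoteInteractive, i.e. RDP) in the last 24 h.
# The event XML is parsed by field name, so this does not depend on property positions.
$since  = (Get-Date).AddHours(-24)      # assumed window
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        if ($data.LogonType -eq '10') {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $data.TargetUserName; Source = $data.IpAddress }
        }
    }

# One source address producing many failures across many user names is the brute-force /
# password-spray pattern that precedes an RDP-delivered ransomware payload.
$failed | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                  @{ n = 'Users';  e = { ($_.Group.User | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

One caveat: when NLA is enabled, failed RDP authentication attempts are usually recorded with LogonType 3 (network) rather than 10, because the credential check happens before a session is created. If the host already has NLA on, widen the filter to LogonType 3 as well and rely on the source-address grouping to spot the same pattern.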
To obliterate Greystars ransomware from your system, make sure to follow the removal steps below.
Step 1: Tap Ctrl + Shift + Esc keys to launch the Task Manager.
Step 2: Go to Processes and look for the malicious process of Greystars ransomware, then right-click on it and select End Process or End Task.
Step 3: Close the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 4: Look for dubious programs that might be related to Greystars ransomware and then uninstall them.
Step 5: Tap Win + E to launch File Explorer.
Step 6: After opening File Explorer, navigate to the directories listed below and look for malicious components of Greystars ransomware such as RECOVER-YOUR-FILES.html and [random].exe, then remove them all.
Step 7: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech-savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make there will have a significant impact on your computer. To save yourself the trouble and time, you can simply use [product-name]; this system tool is proven to be safe and robust enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then, by all means, go on to the next steps.
Step 8: Tap Win + R to open Run, then type regedit in the field and press Enter to open the Windows Registry.
Step 9: Navigate to the listed paths below and look for the registry keys and sub-keys created by Greystars ransomware.
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
Step 10: Delete the registry keys and sub-keys created by Greystars ransomware.
Step 11: Close the Registry Editor.
Step 12: Empty your Recycle Bin.
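Steps 2, 6 and 9 above all come down to finding three kinds of indicator by hand: the dropped note, the running payload, and the values written under the two Desktop registry keys. The PowerShell script below is an added example (not part of the original article) that collects all three in one pass and only reports them, so you can review what it finds before ending a process or deleting anything. It assumes the note file name RECOVER-YOUR-FILES.html from the article and the two registry paths from Step 9; the process heuristic (an unsigned binary running from a user-writable folder) and the choice to inspect the Wallpaper values are assumptions made for this example.

```powershell
# Added triage script (not from the original article). Run in an elevated PowerShell
# session so that all user profiles and the HKEY_USERS hive are readable.
$NoteName    = 'RECOVER-YOUR-FILES.html'                       # from the article
$SearchRoots = @("$env:SystemDrive\Users", $env:ProgramData)   # assumed: where user data usually lives

# 1. Ransom notes (Step 6). Every folder that holds one was visited by the encryptor,
#    and the note's hash is a usable indicator for other machines on the network.
$notes = Get-ChildItem -Path $SearchRoots -Filter $NoteName -Recurse -File -Force -ErrorAction SilentlyContinue |
         Sort-Object LastWriteTime
Write-Host ("Ransom notes found: {0}" -f @($notes).Count)
$notes | Select-Object DirectoryName, LastWriteTime,
        @{ n = 'SHA256'; e = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } } |
    Format-Table -AutoSize

# 2. Candidate processes (Step 2): the payload is a [random].exe, so instead of a name we
#    look for running binaries that are unsigned and live in a folder a normal user can write to.
$UserWritable = @("$env:SystemDrive\Users", $env:ProgramData, "$env:windir\Temp")   # assumed list
$suspects = Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $proc = $_
    $inUserDir = $UserWritable | Where-Object { $proc.Path.StartsWith($_, 'OrdinalIgnoreCase') }
    if ($inUserDir) {
        $sig = Get-AuthenticodeSignature -FilePath $proc.Path
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ Id = $proc.Id; Name = $proc.ProcessName; Path = $proc.Path; Signature = $sig.Status }
        }
    }
}
Write-Host ("Unsigned processes from user-writable paths: {0}" -f @($suspects).Count)
$suspects | Format-Table -AutoSize
# Once you have confirmed one is the payload:  Stop-Process -Id <pid> -Force

# 3. The two Desktop keys from Step 9. Ransomware typically sets the Wallpaper value here
#    to display its note; list the relevant values so you can see what was changed.
$DesktopKeys = @('HKCU:\Control Panel\Desktop',
                 'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop')
foreach ($key in $DesktopKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { Write-Warning "Cannot read $key"; continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -in 'Wallpaper', 'WallpaperStyle', 'SCRNSAVE.EXE' } |
        ForEach-Object { Write-Host ("{0} : {1} = {2}" -f $key, $_.Name, $_.Value) }
}
# A Wallpaper path pointing into a Temp or AppData folder is the usual sign of a ransomware change;
# reset it with:  Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper -Value '<your image>'
```

Keep the SHA256 of the note and the path of any confirmed payload: both are worth adding to your endpoint protection's block list and checking against other machines that share the same file shares or RDP exposure.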
Restore the previous state of your files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only work if Greystars ransomware hasn’t deleted the shadow copies of your files. Even so, it is one of the best free methods available, so it’s definitely worth a try.
To restore an encrypted file, right-click on it and select Properties; in the window that pops up, go to the Previous Versions tab. It will list the versions of the file that predate the modification. After the list loads, select one of the previous versions displayed, like the one in the illustration below, and then click the Restore button.
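The Previous Versions dialog reads from the Volume Shadow Copy snapshots, so the first thing to check is whether any snapshots survived; if the list is empty, the dialog will be empty too. The PowerShell below is an added example, not code from the original article: it inventories the snapshots, then copies the pre-encryption version of one file out of the newest snapshot taken before that file was modified, which is exactly what the dialog does per file. It uses the standard Win32_ShadowCopy and Win32_Volume CIM classes and mklink; the file paths in the usage comment are placeholders, and because the page does not spell out the marker the ransomware appends, you pass the name the file had before that marker was added.

```powershell
# Added shadow-copy recovery helper (not from the original article). Run elevated:
# enumerating shadow copies and creating the directory link both require admin rights.

function Get-ShadowCopiesForVolume {
    # Returns the snapshots of one drive, newest first.
    param([Parameter(Mandatory)][string]$DriveLetter)          # e.g. 'C:'
    $vol = Get-CimInstance Win32_Volume | Where-Object DriveLetter -eq $DriveLetter
    if (-not $vol) { throw "No volume found for $DriveLetter" }
    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID share the \\?\Volume{GUID}\ form.
    Get-CimInstance Win32_ShadowCopy | Where-Object VolumeName -eq $vol.DeviceID |
        Sort-Object InstallDate -Descending
}

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)][string]  $OriginalPath,   # path the file had BEFORE the marker was appended
        [Parameter(Mandatory)][datetime]$ModifiedAt,     # LastWriteTime of the encrypted copy
        [string]$RecoverTo = "$env:USERPROFILE\Desktop\recovered"   # assumed output folder
    )
    $drive    = [System.IO.Path]::GetPathRoot($OriginalPath).TrimEnd('\')   # 'C:'
    $relative = $OriginalPath.Substring($drive.Length + 1)                  # 'Users\me\Documents\report.docx'

    # The newest snapshot that predates the encryption still holds the clean file.
    $snapshot = Get-ShadowCopiesForVolume -DriveLetter $drive |
                Where-Object { $_.InstallDate -lt $ModifiedAt } | Select-Object -First 1
    if (-not $snapshot) {
        Write-Warning "No shadow copy predates $ModifiedAt; the ransomware may have deleted them."
        return $null
    }

    # A snapshot is only reachable through its device path; a directory symlink makes it browsable.
    $link = Join-Path $env:TEMP ('shadow_' + $snapshot.ID.Trim('{}'))
    if (-not (Test-Path $link)) {
        cmd.exe /c mklink /d "$link" "$($snapshot.DeviceObject)\" | Out-Null   # trailing backslash is required
    }
    $source = Join-Path $link $relative
    if (-not (Test-Path $source)) {
        Write-Warning "Not present in the snapshot from $($snapshot.InstallDate): $relative"
        return $null
    }

    New-Item -ItemType Directory -Path $RecoverTo -Force | Out-Null
    $dest = Join-Path $RecoverTo (Split-Path $OriginalPath -Leaf)
    Copy-Item -Path $source -Destination $dest -Force        # never overwrite the encrypted original
    Write-Host "Restored from snapshot $($snapshot.InstallDate): $dest"
    return $dest
}

# Inventory first: if nothing is listed here, Previous Versions has nothing to offer either.
Get-CimInstance Win32_ShadowCopy | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize

# Usage (placeholder paths). $enc is the encrypted file carrying the appended marker;
# -OriginalPath is the name it had before encryption.
#   $enc = Get-Item 'C:\Users\me\Documents\report.docx.<marker>'
#   Restore-FromShadowCopy -OriginalPath 'C:\Users\me\Documents\report.docx' -ModifiedAt $enc.LastWriteTime
```

Restoring into a separate folder rather than over the encrypted file keeps the encrypted copy available in case a free decryptor is released later, and the directory link under %TEMP% can simply be deleted when you are done.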
To ensure the removal of Greystars ransomware from your system including the malicious components it has created on your system, follow the advanced steps below.
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot it.
- After that, the BIOS screen will be displayed; if Windows starts instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press and hold both the Windows key and the R key.
- If done correctly, the Windows Run Box will show up.
- Type the URL [product-url] into the Run dialog box and then tap Enter or click OK.
- The program will then be downloaded. Wait for the download to finish and then open the launcher to install it.
- Once the installation process is completed, run [product-code] to perform a full system scan.