Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · May 2018

How to remove Greystars ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Ugnius Kiguolis · The mastermind

Greystars – a ransomware virus that uses AES and RSA ciphers to lock personal files

Greystars ransomware

Greystars is a ransomware-type cyber infection that aims at encrypting people's files using AES-256 and RSA-2048[1] cryptography algorithms. Locked data exhibit .greystars @ protonmail.com file extension, which cannot be removed or modified in any way. Following the encryption phase, the Greystars ransomware creates a HOW-TO-RECOVER-YOUR-FILES.HTML file on the desktop, which demands the user of the PC to pay 0.08 BTC ransom.

Name Greystars
Classified as Ransomware
Danger level High
Main dangers System's crash, permanent data loss, money loss, spyware infection
Main symptoms All files locked with .greystars @ protonmail.com file extension, HOW-TO-RECOVER-YOUR-FILES.HTML created on the desktop
The size of redemption 0.08 BTC (approx. 725 USD)
Email contacts greystars@protonmail.com
Download FortectIntego. Run an in-depth system scan with it to get rid of ransomware and its package. 

The Greystars virus enters the system via spam, corrupted RDP, fake software, and other media. Regardless of its distribution technique applied, the malware starts running corresponding .exe files and can force the system to restart.
When the virus is executed, it runs starts data encryption procedure. Crooks render a combination of AES-256 and RSA-2048 ciphers to create a unique encryption model. Besides, it downloads a bunch of related files and initiates specific changes via Command Prompt and PowerShell[2] using administrative privileges.

The Greystars malware is known for a wide specter of file-types that it is capable of encrypting. In fact, it identifies most of the files, but purpose skips certain files types, including .conf, .json, .exe, and .msi.

Typically, this particular ransomware locks data with .greystars @ protonmail.com file extension. The suffix cannot be removed in any way except by paying the ransom or using third-party data recovery tools. The second method is not yet approved yet. Besides, before starting any move toward file recovery, make sure to remove Greystars ransomware. For that, you can use FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes.

Hackers who have developed this malware want to make sure that you are aware of what has happened to your PC and pretend to be caring about their victims by providing step-by-step instructions on how to make the payment. All information can be found in HOW-TO-RECOVER-YOUR-FILES.HTML file, which says:

All your files have been encrypted!
How to recover your files?
All your files have been encrypted by RSA and AES due to a security problem on your PC.You have to pay for decryption of Bitcoins.
If you want to restore them.You must send 0.08 bitcoin to my bitcoins address 1JnRP8UsTDLRjzCTaJXYPr5oYkKc7bLY2Q .
After payment, we will send you the decryption tool that will decrypt all your files.
Please write us to the email greystars@protonmail.com.
Your decrypt code is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Please write the decrypt code in the title of your email message. And don't forgot to write the transfer accounts info.
How to obtain Bitcoins?
The easiest way to buy bitcoins is LocalBitcoins site.You have to register.Click “Buy Bitcoins.”And select the seller by payment method and price.
The Web Site address is https://localbitcoins.com/,or other websites.
Attention!
1.Do not rename encrypted files.
2.Do not try to decrypt your data using third party software.It may cause permanent data loss.

Crooks ask the victim to email them via greystars@protonmail.com email address and then pay 0.08 BTC (approximately 725 USD) ransom asap.

According to ransomware researchers, the Greystars ransomware virus is oriented to English-speaking users and is currently translated into English language only. However, the first victims were found in China, Jordan, and the USA.

If you suspect that you have been attacked by this cyber threat, NoViruas.uk experts[3] recommend you to consider Greystars removal. Paying the ransom is not salvation since there's no guarantee that the paid decryptor will unlock your files. In the worst case scenario, instead of Greystars decryptor, crooks may send you a worm or spyware, which may leak your data or cause permanent system's crash.

Use a reliable anti-virus program to remove Greystars virus from your PC. The outdated or precarious security tool can fail to immunize some of the malicious files. Consequently, the files that you may recover using third-party recovery tools can repeatedly be locked by .greystars @ protonmail.com file extension virus.

Ransomware distribution techniques currently used

Usually, people get infected by ransomware after opening malicious spam email attachments. If he or she is asked to enable Macros to view the content of the .doc, .png or another file, he or she inadvertently execute the malicious .exe file, which stands out as a ransomware payload.

Infected .exe files carrying ransomware can also be spread in the form of “useful” software. They can camouflage reliable software tools or updates, so people can quickly fall for downloading them.

Apart from somewhat typical methods, crooks are using Exploit Kits that reveal PC's vulnerabilities and inject malicious programs misusing the bug. Another tricky way to install malicious programs is RDP hack. When people user Remote Desktop programs connected directly to the Internet, hackers can quite easily compromise them and inject ransomware using brute-force attacks.

Although spam is most frequently used dissemination strategy, malicious programs can exploit multiple vulnerabilities and trick less gullible PC users quite easily. Therefore, it's essential to get acquainted with the current secure Internet browsing tips and mind them all the time. Do not fall for suspicious ads, emails, download offers, and similar content. Besides, keep your anti-virus up-to-date.

Greystars crypto-ransomware virus

Learn how to remove Greystars ransomware

Usually, ransomware viruses appear to be tough nuts to crack. They block anti-virus programs and use various methods to prevent detection and removal. If you are facing any obstacles when trying to remove Greystars ransomware virus, try to restart your PC into Safe Mode with Networking. That should be enough to bypass the restrictions that the virus creates and run a full system scan with a reliable anti-virus program. We would strongly recommend using FortectIntego or SpyHunterCombo Cleaner tools. 

Upon Greystars removal, try to retrieve your files using third-party data recovery tools. Our research team has submitted a detailed guide on alternative data recovery methods, so we would highly recommend trying them all. NOTE: make sure to remove the virus in the first place. Otherwise, ransomware developers can delete your data permanently or encrypt it repeatedly. 

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.