Grovas ransomware is a threat that locks files by using AES encryption algorithm and then demands $980 for the decryptor

Grovas ransomware is yet another variant of Djvu virus family, which was discovered shortly after similar versions – .drume, .chech and .kropun. The malware is known to use contaminated executables hosted on pirated software hosting sites or via spam email attachments/hyperlinks. Soon after the infection, the virus scans the device for files to encrypt – photos, videos, documents, etc. then receives a file extension .grovas. It then contacts a remote Command & Control server[1] to send out a unique identifier and receives a decryptor. The communication also provides the victim with a ransom note _readme.txt, and the body text is identical to previous versions of STOP/Djvu. It explains that users have to contact bad actors via merosa@india.com or merosa@firemail.cc and pay $980 in Bitcoin to retrieve the decryption key.
| Name | Grovas |
| Type | Ransomware |
| Family | STOP/Djvu |
| Infection means | Spam emails, malicious executables on pirated software hosting sites |
| Cipher used | AES-256 |
| File extension | .grovas |
| Related files | _readme.txt, 18B1.tmp.exe |
| Ransom size | $980 or $490 with a 50% discount |
| Decryptable? | No |
| Termination | Scan your PC with professional security software |
| Recovery | Use FortectIntego to restore Windows to its previous state |
STOP ransomware family, which this virus belongs to, is one of the most prominent malware strings currently. Not so long ago, security researchers uncovered that some versions of also deliver data-stealer AZORult. For that reason, it is vital to remove Grovas ransomware, along with secondary payloads, as soon as possible.
Users who get infected with the ransomware usually panic, as the presence of the infection is can be noticed straight away. For example, each file that the user tries to open, will not work: a picture.jpg will be turned into picture.jpg.grovas. Additionally, users will be able to view the ransom note that explains everything:
ATTENTION!
Don’t worry my friend, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-hK4tAv2Ed9
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” folder if you don’t get answer more than 6 hours.To get this software you need write on our e-mail:
merosa@india.comReserve e-mail address to contact us:
merosa@firemail.ccYour personal ID:
As evident, hackers want to gain victims' trust by offering test decryption, allegedly guaranteeing the decryptor if payment would be made. However, how can you trust somebody that deceived you into installing the Grovas file virus onto your device? These people are crooks, and should never be trusted.
Therefore, do not listen to hackers and do not contact them. Instead, use a security application for the ransomware removal. The malware is recognized by AV vendors using the following names:[2]
- TR/AD.InstaBot.A
- Trojan.GenericKD.41149918
- a variant of Win32/Kryptik.GRJK
- Trojan.MalPack.GS
- Generic.mg.b8b3314dbc239f71
- ML.Attribute.HighConfidence
- Trojan:Win32/Skeeyah.A!rfn, etc.
Once you terminate the Grovas ransomware, you can attempt to recover your data. If you do not have backups, you can try third-party software that might be able to help. Finally, you should also scan your PC with FortectIntego in order to recover from malware infection.

Comprehensive precautionary measures might prevent ransomware from locking your files
There are several ransomware distribution methods; some of them are more primitive (spam emails), others – more sophisticated (exploit kits). Be aware that each of the crypto viruses might be delivered using whichever methods the attackers want, and, in most cases, they employ several different means.
Therefore, you should always be aware that only running security software on your device is not enough. Thus, security experts[3] recommend taking up these preventive measures:
- Backup all your personal files on a remote server or an external device (Flash, HDD);
- Spam emails that include hyperlinks or attachments most likely contain the malicious payload of ransomware – scan with tools like Virus Total before opening;
- Install additional security tools: real-time scanners, anti-exploit software, Firewall, etc.;
- Keep your operating system and all the installed programs up to date;
- Use an ad-blocker (however, do not forget to add exclusions to sites you want to support);
- Do not download/use cracks or keygens.
Rely on the guide that helps with proper malware removal
Grovas virus is ransomware, so it is a sophisticated computer infection that should not be terminated manually. The threat performs a variety of changes to Windows OS, so restoring them manually would be almost impossible (at least for regular users). Therefore, to remove the ransomware, you should rely on powerful security software.
If you do not have a security application installed, download and install a reliable one. Before scanning your device, use our instructions to enter Safe Mode with Networking in order to disable the virus temporarily. Once you complete Grovas ransomware removal, you can attempt the file recovery using third-party tools. Additionally, you should store the locked files somewhere in case alternative options do not work, as security researchers already deciphered many of STOP ransomware versions.
Was this guide helpful?
Be the first to comment