Remove Greystars ransomware (Virus Removal Instructions) - Bonus: Decryption Steps

Removal guide by Ugnius Kiguolis | Type: Ransomware

Greystars – a ransomware virus that uses AES and RSA ciphers to lock personal files

Greystars is a ransomware-type cyber infection that encrypts people's files using the AES-256 and RSA-2048[1] cryptography algorithms. Locked files carry the .greystars @ file extension, which cannot be removed or modified in any way. Following the encryption phase, the Greystars ransomware creates a HOW-TO-RECOVER-YOUR-FILES.HTML file on the desktop, which demands that the user of the PC pay a 0.08 BTC ransom.

Name: Greystars
Classified as: Ransomware
Danger level: High
Main dangers: System crash, permanent data loss, money loss, spyware infection
Main symptoms: All files locked with the .greystars @ file extension; HOW-TO-RECOVER-YOUR-FILES.HTML created on the desktop
Ransom amount: 0.08 BTC (approx. 725 USD)
Email contacts:

The Greystars virus enters the system via spam, compromised RDP, fake software, and other media. Regardless of the distribution technique applied, the malware starts running the corresponding .exe files and can force the system to restart.
When the virus is executed, it starts the data encryption procedure. Crooks use a combination of AES-256 and RSA-2048 ciphers to create a unique encryption model. Besides, it downloads a bunch of related files and initiates specific changes via Command Prompt and PowerShell[2] using administrative privileges.

The Greystars malware is known for the wide range of file types that it is capable of encrypting. In fact, it targets most files, but purposely skips certain file types, including .conf, .json, .exe, and .msi.

Typically, this particular ransomware locks data with the .greystars @ file extension. The suffix cannot be removed in any way except by paying the ransom or using third-party data recovery tools. The second method is not proven yet. Besides, before making any move toward file recovery, make sure to remove Greystars ransomware. For that, you can use Reimage, Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.
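A triage sketch for the symptoms described above, added here as an example (it is not code from the original article): it walks a folder and separates files carrying the .greystars marker, copies of the ransom note, and the file types the article says are skipped, so the scope of the damage is known before any recovery attempt. Because the page shows the extension only in truncated form, matching on the ".greystars" prefix is an assumption, and the sample file names are constructed.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the article. The extension is truncated on the page
# after "@", so only the stable ".greystars" part is matched (assumption).
MARKER = ".greystars"
NOTE_NAME = "how-to-recover-your-files.html"
SKIPPED_EXTS = {".conf", ".json", ".exe", ".msi"}  # types the article says are skipped


def triage(root):
    """Walk root and sort files into encrypted / notes / skipped_type / other."""
    report = {"encrypted": [], "notes": [], "skipped_type": [], "other": [],
              "by_dir": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == NOTE_NAME:
                report["notes"].append(path)
            elif MARKER in lower:
                report["encrypted"].append(path)
                report["by_dir"][dirpath] += 1  # shows which folders were hit hardest
            elif os.path.splitext(lower)[1] in SKIPPED_EXTS:
                report["skipped_type"].append(path)
            else:
                report["other"].append(path)  # no marker: not encrypted (yet)
    return report


def build_sample_tree(root):
    """Constructed sample data: empty files named like the symptoms above."""
    names = ["docs/report.docx.greystars@example.invalid",
             "docs/budget.xlsx.greystars@example.invalid",
             "docs/HOW-TO-RECOVER-YOUR-FILES.HTML",
             "docs/notes.txt", "app/settings.json", "app/tool.exe"]
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = triage(tmp)
        for key in ("encrypted", "notes", "skipped_type", "other"):
            print(f"{key}: {len(result[key])}")
        for folder, count in result["by_dir"].most_common():
            print(f"{count} encrypted file(s) in {folder}")
```

Point triage() at a read-only copy or a mounted image of the affected disk; the script only reads file names and changes nothing.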

The hackers who developed this malware want to make sure that you are aware of what has happened to your PC, and they pretend to care about their victims by providing step-by-step instructions on how to make the payment. All of this information can be found in the HOW-TO-RECOVER-YOUR-FILES.HTML file, which says:

All your files have been encrypted!
How to recover your files?
All your files have been encrypted by RSA and AES due to a security problem on your PC.You have to pay for decryption of Bitcoins.
If you want to restore them.You must send 0.08 bitcoin to my bitcoins address 1JnRP8UsTDLRjzCTaJXYPr5oYkKc7bLY2Q .
After payment, we will send you the decryption tool that will decrypt all your files.
Please write us to the email
Please write the decrypt code in the title of your email message. And don't forgot to write the transfer accounts info.
How to obtain Bitcoins?
The easiest way to buy bitcoins is LocalBitcoins site.You have to register.Click “Buy Bitcoins.”And select the seller by payment method and price.
The Web Site address is,or other websites.
1.Do not rename encrypted files.
2.Do not try to decrypt your data using third party software.It may cause permanent data loss.

Crooks ask the victim to contact them by email and then pay the 0.08 BTC (approximately 725 USD) ransom as soon as possible.

According to ransomware researchers, the Greystars ransomware virus is oriented to English-speaking users and is currently available in English only. However, the first victims were found in China, Jordan, and the USA.

If you suspect that you have been attacked by this cyber threat, experts[3] recommend that you consider Greystars removal. Paying the ransom is not a solution, since there's no guarantee that the paid decryptor will unlock your files. In the worst-case scenario, instead of a Greystars decryptor, crooks may send you a worm or spyware, which may leak your data or cause a permanent system crash.

Use a reliable anti-virus program to remove the Greystars virus from your PC. An outdated or unreliable security tool can fail to neutralize some of the malicious files. Consequently, the files that you recover using third-party recovery tools can be locked again by the .greystars @ file extension virus.

Ransomware distribution techniques currently used

Usually, people get infected by ransomware after opening malicious spam email attachments. If a user is asked to enable macros to view the content of a .doc, .png or another file, he or she inadvertently executes the malicious .exe file, which is the ransomware payload.

Infected .exe files carrying ransomware can also be spread in the form of “useful” software. They can be disguised as reliable software tools or updates, so people can quickly fall for downloading them.

Apart from these somewhat typical methods, crooks use exploit kits that reveal a PC's vulnerabilities and inject malicious programs by misusing the bug. Another tricky way to install malicious programs is an RDP hack. When people use Remote Desktop programs connected directly to the Internet, hackers can quite easily compromise them and inject ransomware using brute-force attacks.

Although spam is the most frequently used dissemination strategy, malicious programs can exploit multiple vulnerabilities and trick even less gullible PC users quite easily. Therefore, it's essential to get acquainted with current secure Internet browsing tips and keep them in mind all the time. Do not fall for suspicious ads, emails, download offers, and similar content. Besides, keep your anti-virus up to date.

Greystars ransomware is a malicious cyber infection that is capable of locking almost all file types.

Learn how to remove Greystars ransomware

Usually, ransomware viruses are tough nuts to crack. They block anti-virus programs and use various methods to prevent detection and removal. If you face any obstacles when trying to remove the Greystars ransomware virus, try restarting your PC into Safe Mode with Networking. That should be enough to bypass the restrictions that the virus creates and run a full system scan with a reliable anti-virus program. We would strongly recommend using Reimage or Intego, or SpyHunter 5 or Combo Cleaner.

Upon Greystars removal, try to retrieve your files using third-party data recovery tools. Our research team has submitted a detailed guide on alternative data recovery methods, so we would highly recommend trying them all. NOTE: make sure to remove the virus in the first place. Otherwise, ransomware developers can delete your data permanently or encrypt it repeatedly. 


To remove Greystars virus, follow these steps:

Remove Greystars using Safe Mode with Networking

This method explains how to restart the PC into Safe Mode with Networking. The secure environment disables all processes, programs, and other system components that are not necessary for Windows to boot. Ransomware falls into the list of “unnecessary items.” Thus, while in Safe Mode, you should run a scan with an updated antivirus.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Greystars

    Log in to your infected account and start the browser. Download Reimage, Intego or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware to complete Greystars removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Greystars using System Restore

If, however, the ransomware virus managed to change the boot sequence and you were not able to run a scan in Safe Mode either, here's what you should try:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point dated before the infiltration of Greystars. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download Reimage or Intego, scan your computer with it, and make sure that Greystars removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Greystars from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

Currently, it's not yet clear what changes the Greystars ransomware virus initiates. Therefore, once you have removed it from the system, try all the methods listed below to recover your files. We are pretty sure that you'll manage to recover the data, or at least the biggest part of it.

If your files are encrypted by Greystars, you can use several methods to restore them:

Download Data Recovery Pro

This automated recovery tool will scan the system for damaged and corrupted files and retrieve all of them if possible.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Greystars ransomware;
  • Restore them.

Enable the latest System Restore Point

If you were using System Restore feature on your Windows PC, then you should enable the point created before the ransomware attack. 

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use ShadowExplorer

ShadowExplorer can recover files from Volume Shadow Copies, which are created by Windows OS by default. Unfortunately, that won't be possible if the virus removed them during the root process. 

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No Greystars decryptor has been developed yet.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Greystars and other ransomware, use a reputable anti-spyware, such as Reimage, Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

Back up files for later use in case of a malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.
