Severity scale:  
  (98/100)

Greystars ransomware. How to remove? (Uninstall guide)

removal by Ugnius Kiguolis - - | Type: Ransomware

Greystars – a ransomware virus that uses AES and RSA ciphers to lock personal files

Greystars ransomware

Greystars is a ransomware-type cyber infection that aims at encrypting people's files using AES-256 and RSA-2048[1] cryptography algorithms. Locked data exhibit .greystars @ protonmail.com file extension, which cannot be removed or modified in any way. Following the encryption phase, the Greystars ransomware creates a HOW-TO-RECOVER-YOUR-FILES.HTML file on the desktop, which demands the user of the PC to pay 0.08 BTC ransom.

Name Greystars
Classified as Ransomware
Danger level High
Main dangers System's crash, permanent data loss, money loss, spyware infection
Main symptoms All files locked with .greystars @ protonmail.com file extension, HOW-TO-RECOVER-YOUR-FILES.HTML created on the desktop
The size of redemption 0.08 BTC (approx. 725 USD)
Email contacts greystars@protonmail.com
Download Reimage. Run an in-depth system scan with it to get rid of ransomware and its package. 

The Greystars virus enters the system via spam, corrupted RDP, fake software, and other media. Regardless of its distribution technique applied, the malware starts running corresponding .exe files and can force the system to restart.
When the virus is executed, it runs starts data encryption procedure. Crooks render a combination of AES-256 and RSA-2048 ciphers to create a unique encryption model. Besides, it downloads a bunch of related files and initiates specific changes via Command Prompt and PowerShell[2] using administrative privileges.

The Greystars malware is known for a wide specter of file-types that it is capable of encrypting. In fact, it identifies most of the files, but purpose skips certain files types, including .conf, .json, .exe, and .msi.

Typically, this particular ransomware locks data with .greystars @ protonmail.com file extension. The suffix cannot be removed in any way except by paying the ransom or using third-party data recovery tools. The second method is not yet approved yet. Besides, before starting any move toward file recovery, make sure to remove Greystars ransomware. For that, you can use Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

Hackers who have developed this malware want to make sure that you are aware of what has happened to your PC and pretend to be caring about their victims by providing step-by-step instructions on how to make the payment. All information can be found in HOW-TO-RECOVER-YOUR-FILES.HTML file, which says:

All your files have been encrypted!
How to recover your files?
All your files have been encrypted by RSA and AES due to a security problem on your PC.You have to pay for decryption of Bitcoins.
If you want to restore them.You must send 0.08 bitcoin to my bitcoins address 1JnRP8UsTDLRjzCTaJXYPr5oYkKc7bLY2Q .
After payment, we will send you the decryption tool that will decrypt all your files.
Please write us to the email greystars@protonmail.com.
Your decrypt code is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Please write the decrypt code in the title of your email message. And don't forgot to write the transfer accounts info.
How to obtain Bitcoins?
The easiest way to buy bitcoins is LocalBitcoins site.You have to register.Click “Buy Bitcoins.”And select the seller by payment method and price.
The Web Site address is https://localbitcoins.com/,or other websites.
Attention!
1.Do not rename encrypted files.
2.Do not try to decrypt your data using third party software.It may cause permanent data loss.

Crooks ask the victim to email them via greystars@protonmail.com email address and then pay 0.08 BTC (approximately 725 USD) ransom asap.

According to ransomware researchers, the Greystars ransomware virus is oriented to English-speaking users and is currently translated into English language only. However, the first victims were found in China, Jordan, and the USA.

If you suspect that you have been attacked by this cyber threat, NoViruas.uk experts[3] recommend you to consider Greystars removal. Paying the ransom is not salvation since there's no guarantee that the paid decryptor will unlock your files. In the worst case scenario, instead of Greystars decryptor, crooks may send you a worm or spyware, which may leak your data or cause permanent system's crash.

Use a reliable anti-virus program to remove Greystars virus from your PC. The outdated or precarious security tool can fail to immunize some of the malicious files. Consequently, the files that you may recover using third-party recovery tools can repeatedly be locked by .greystars @ protonmail.com file extension virus.

Ransomware distribution techniques currently used

Usually, people get infected by ransomware after opening malicious spam email attachments. If he or she is asked to enable Macros to view the content of the .doc, .png or another file, he or she inadvertently execute the malicious .exe file, which stands out as a ransomware payload.

Infected .exe files carrying ransomware can also be spread in the form of “useful” software. They can camouflage reliable software tools or updates, so people can quickly fall for downloading them.

Apart from somewhat typical methods, crooks are using Exploit Kits that reveal PC's vulnerabilities and inject malicious programs misusing the bug. Another tricky way to install malicious programs is RDP hack. When people user Remote Desktop programs connected directly to the Internet, hackers can quite easily compromise them and inject ransomware using brute-force attacks.

Although spam is most frequently used dissemination strategy, malicious programs can exploit multiple vulnerabilities and trick less gullible PC users quite easily. Therefore, it's essential to get acquainted with the current secure Internet browsing tips and mind them all the time. Do not fall for suspicious ads, emails, download offers, and similar content. Besides, keep your anti-virus up-to-date.

Learn how to remove Greystars ransomware

Usually, ransomware viruses appear to be tough nuts to crack. They block anti-virus programs and use various methods to prevent detection and removal. If you are facing any obstacles when trying to remove Greystars ransomware virus, try to restart your PC into Safe Mode with Networking. That should be enough to bypass the restrictions that the virus creates and run a full system scan with a reliable anti-virus program. We would strongly recommend using Reimage or Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus tools. 

Upon Greystars removal, try to retrieve your files using third-party data recovery tools. Our research team has submitted a detailed guide on alternative data recovery methods, so we would highly recommend trying them all. NOTE: make sure to remove the virus in the first place. Otherwise, ransomware developers can delete your data permanently or encrypt it repeatedly. 

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove Greystars ransomware you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall Greystars ransomware. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

Manual Greystars virus Removal Guide:

Remove Greystars using Safe Mode with Networking

This method explains our visitors how to restart the PC into Safe Mode with Networking. The secure environment disables all processes, programs, and other system's components that are not necessary for Windows to boot. Ransomware falls for the list of “unnecessary items.” Thus, while in Safe Mode, you should run a scan with an updated antivirus.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Greystars

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Greystars removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Greystars using System Restore

If, however, ransomware virus managed to change boot sequence and you were not allowed to run a scan while in Safe Mode as well, here's what you should try:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Greystars. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Greystars removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Greystars from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

Currently, it's not yet clear what changes the Greystars ransomware virus initiates. Therefore, once you get rid of it from the system, perform all the methods listed below to recover your files. We are pretty sure that you'll manage to recover the data, or at least the biggest part of it. 

If your files are encrypted by Greystars, you can use several methods to restore them:

Download Data Recovery Pro

This automated software recover tool will scan the system for damaged and corrupted files and retrieve all of them if possible. 

Enable the lates System Restore Point

If you were using System Restore feature on your Windows PC, then you should enable the point created before the ransomware attack. 

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use ShadowExplorer

ShadowExplorer can recover files from Volume Shadow Copies, which are created by Windows OS by default. Unfortunately, that won't be possible if the virus removed them during the root process. 

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No Greystars decryptor developed yet.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Greystars and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Ugnius Kiguolis
About the company Esolutions

References