Greystars ransomware (Virus Removal Instructions) - Bonus: Decryption Steps

Greystars virus Removal Guide

What is Greystars ransomware?

Greystars – a ransomware virus that uses AES and RSA ciphers to lock personal files

Greystars ransomware

Greystars is a ransomware-type cyber infection that aims at encrypting people's files using AES-256 and RSA-2048[1] cryptography algorithms. Locked data exhibit .greystars @ protonmail.com file extension, which cannot be removed or modified in any way. Following the encryption phase, the Greystars ransomware creates a HOW-TO-RECOVER-YOUR-FILES.HTML file on the desktop, which demands the user of the PC to pay 0.08 BTC ransom.

Name Greystars
Classified as Ransomware
Danger level High
Main dangers System's crash, permanent data loss, money loss, spyware infection
Main symptoms All files locked with .greystars @ protonmail.com file extension, HOW-TO-RECOVER-YOUR-FILES.HTML created on the desktop
The size of redemption 0.08 BTC (approx. 725 USD)
Email contacts greystars@protonmail.com
Download ReimageIntego. Run an in-depth system scan with it to get rid of ransomware and its package.

The Greystars virus enters the system via spam, corrupted RDP, fake software, and other media. Regardless of its distribution technique applied, the malware starts running corresponding .exe files and can force the system to restart.
When the virus is executed, it runs starts data encryption procedure. Crooks render a combination of AES-256 and RSA-2048 ciphers to create a unique encryption model. Besides, it downloads a bunch of related files and initiates specific changes via Command Prompt and PowerShell[2] using administrative privileges.

The Greystars malware is known for a wide specter of file-types that it is capable of encrypting. In fact, it identifies most of the files, but purpose skips certain files types, including .conf, .json, .exe, and .msi.

Typically, this particular ransomware locks data with .greystars @ protonmail.com file extension. The suffix cannot be removed in any way except by paying the ransom or using third-party data recovery tools. The second method is not yet approved yet. Besides, before starting any move toward file recovery, make sure to remove Greystars ransomware. For that, you can use ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes.

Hackers who have developed this malware want to make sure that you are aware of what has happened to your PC and pretend to be caring about their victims by providing step-by-step instructions on how to make the payment. All information can be found in HOW-TO-RECOVER-YOUR-FILES.HTML file, which says:

All your files have been encrypted!
How to recover your files?
All your files have been encrypted by RSA and AES due to a security problem on your PC.You have to pay for decryption of Bitcoins.
If you want to restore them.You must send 0.08 bitcoin to my bitcoins address 1JnRP8UsTDLRjzCTaJXYPr5oYkKc7bLY2Q .
After payment, we will send you the decryption tool that will decrypt all your files.
Please write us to the email greystars@protonmail.com.
Your decrypt code is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Please write the decrypt code in the title of your email message. And don't forgot to write the transfer accounts info.
How to obtain Bitcoins?
The easiest way to buy bitcoins is LocalBitcoins site.You have to register.Click “Buy Bitcoins.”And select the seller by payment method and price.
The Web Site address is https://localbitcoins.com/,or other websites.
Attention!
1.Do not rename encrypted files.
2.Do not try to decrypt your data using third party software.It may cause permanent data loss.

Crooks ask the victim to email them via greystars@protonmail.com email address and then pay 0.08 BTC (approximately 725 USD) ransom asap.

According to ransomware researchers, the Greystars ransomware virus is oriented to English-speaking users and is currently translated into English language only. However, the first victims were found in China, Jordan, and the USA.

If you suspect that you have been attacked by this cyber threat, NoViruas.uk experts[3] recommend you to consider Greystars removal. Paying the ransom is not salvation since there's no guarantee that the paid decryptor will unlock your files. In the worst case scenario, instead of Greystars decryptor, crooks may send you a worm or spyware, which may leak your data or cause permanent system's crash.

Use a reliable anti-virus program to remove Greystars virus from your PC. The outdated or precarious security tool can fail to immunize some of the malicious files. Consequently, the files that you may recover using third-party recovery tools can repeatedly be locked by .greystars @ protonmail.com file extension virus.

Ransomware distribution techniques currently used

Usually, people get infected by ransomware after opening malicious spam email attachments. If he or she is asked to enable Macros to view the content of the .doc, .png or another file, he or she inadvertently execute the malicious .exe file, which stands out as a ransomware payload.

Infected .exe files carrying ransomware can also be spread in the form of “useful” software. They can camouflage reliable software tools or updates, so people can quickly fall for downloading them.

Apart from somewhat typical methods, crooks are using Exploit Kits that reveal PC's vulnerabilities and inject malicious programs misusing the bug. Another tricky way to install malicious programs is RDP hack. When people user Remote Desktop programs connected directly to the Internet, hackers can quite easily compromise them and inject ransomware using brute-force attacks.

Although spam is most frequently used dissemination strategy, malicious programs can exploit multiple vulnerabilities and trick less gullible PC users quite easily. Therefore, it's essential to get acquainted with the current secure Internet browsing tips and mind them all the time. Do not fall for suspicious ads, emails, download offers, and similar content. Besides, keep your anti-virus up-to-date.

Greystars crypto-ransomware virusGreystars ransomware is a malicious cyber infection that is capable of locking almost all file types.

Learn how to remove Greystars ransomware

Usually, ransomware viruses appear to be tough nuts to crack. They block anti-virus programs and use various methods to prevent detection and removal. If you are facing any obstacles when trying to remove Greystars ransomware virus, try to restart your PC into Safe Mode with Networking. That should be enough to bypass the restrictions that the virus creates and run a full system scan with a reliable anti-virus program. We would strongly recommend using ReimageIntego or SpyHunter 5Combo Cleaner tools.

Upon Greystars removal, try to retrieve your files using third-party data recovery tools. Our research team has submitted a detailed guide on alternative data recovery methods, so we would highly recommend trying them all. NOTE: make sure to remove the virus in the first place. Otherwise, ransomware developers can delete your data permanently or encrypt it repeatedly.

Offer
do it now!
Download
Reimage Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Greystars virus. Follow these steps

Manual removal using Safe Mode

This method explains our visitors how to restart the PC into Safe Mode with Networking. The secure environment disables all processes, programs, and other system's components that are not necessary for Windows to boot. Ransomware falls for the list of “unnecessary items.” Thus, while in Safe Mode, you should run a scan with an updated antivirus.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Greystars using System Restore

If, however, ransomware virus managed to change boot sequence and you were not allowed to run a scan while in Safe Mode as well, here's what you should try:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Greystars. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with ReimageIntego and make sure that Greystars removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Greystars from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

Currently, it's not yet clear what changes the Greystars ransomware virus initiates. Therefore, once you get rid of it from the system, perform all the methods listed below to recover your files. We are pretty sure that you'll manage to recover the data, or at least the biggest part of it. 

If your files are encrypted by Greystars, you can use several methods to restore them:

Download Data Recovery Pro

This automated software recover tool will scan the system for damaged and corrupted files and retrieve all of them if possible. 

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Greystars ransomware;
  • Restore them.

Enable the lates System Restore Point

If you were using System Restore feature on your Windows PC, then you should enable the point created before the ransomware attack. 

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use ShadowExplorer

ShadowExplorer can recover files from Volume Shadow Copies, which are created by Windows OS by default. Unfortunately, that won't be possible if the virus removed them during the root process. 

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No Greystars decryptor developed yet.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Greystars and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.

 

Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 

 

About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Ugnius Kiguolis
About the company Esolutions

References