GrujaRSorium Virus – How to Remove It (Restore Affected Data)


This article will help you remove the GrujaRSorium Virus. Follow the ransomware removal instructions provided at the end of the article.

GrujaRSorium Virus is one that encrypts your data and demands money as a ransom to get it restored. Files will receive the .GrujaRS extension. The GrujaRSorium Virus will leave ransomware instructions as a desktop wallpaper image. Keep on reading the article and see how you could try to potentially recover some of your locked files and data.

Threat Summary

Name: GrujaRSorium virus
Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts files by appending the .GrujaRS extension to the affected files on your computer system and demands a ransom to be paid to allegedly recover them.
Symptoms: The ransomware will encrypt your files and leave a ransom note with payment instructions.
Distribution Method: Spam Emails, Email Attachments

GrujaRSorium Virus – Distribution Techniques

The GrujaRSorium virus is a ransomware that targets users worldwide with several large-scale campaigns. It appears that there are already several different samples of it used simultaneously which leads us to believe that there may be different operators and groups leveraging it as a tool. Its origins may be found in the hacker underground markets where the original developers may offer customization options for a given price. Another hypothesis is that the different groups make use of an original source code found online. They implement the desired changes by themselves.

The various criminal groups can use popular strategies in order to coerce computer users into infecting themselves. One of the main methods is the use of email SPAM messages that are designed to appear as being sent by companies, services and portals that the users might use. The phishing scams can revolve around various strategies and scenarios; in almost all cases the users are lured into interacting with a malicious element in the body contents. This can be a redirect link to a virus download page or to the malware file itself. In rare cases the GrujaRSorium virus files may be attached directly to the emails.

Related to this are the hacker-created malware sites that are used to spread the virus files. They can use domain names that sound similar to those of real-world companies, copy their design and even implement security certificates. Together with the emails and file-sharing networks like BitTorrent they are the main distribution tactics of malicious payloads. These payloads are infected files that can lead to the virus infection. A classic example is the malware document where the embedded scripts will initiate the virus download and execution. They can be of any of the popular file types: presentations, rich text documents, spreadsheets and databases. Upon opening them a notification prompt will appear asking the users to enable the built-in macros. If this is done then the infection will follow. Another variant is the infected software installers which are made by taking the legitimate setup files from their official vendors. They are then modified to include the virus deployment commands in them.

Large-scale infections can be done by creating browser hijackers for the most popular web browsers. They are uploaded to their respective repositories with fake user reviews and developer credentials. The descriptions usually promise new features or performance optimizations. However, once installed they will modify the browser settings to point to a hacker-controlled page from where the ransomware file can be acquired.

GrujaRSorium Virus – Detailed Analysis

The GrujaRSorium virus begins the infection with the launch of a data harvesting module. Depending on its exact configuration it can harvest only a limited amount of information or an extensive list of data. The information can be grouped into two categories:

  • Private User Data — The collected information can be used to expose the identity of the users. This is done by looking for strings such as their name, address, interests and any stored account credentials. This is done by searching the operating system, file system and the associated data of all third-party installed applications.
  • Hardware Profile — The engine can harvest a list of the installed hardware components and other useful information such as certain user settings and operating system variables. They can be used to generate a unique victim ID associated with each individual infected host.

This information can then be used by a stealth bypass component which can hide its presence from the operating system and any security software that might be installed on the system. This can be done by looking for application strings and deleting files used by them, as well as disabling their real-time engines. It can also disable virtual machines and debug environments which are used for analyzing the strains.

At this point the malware will have the ability to create its own processes, including ones with administrative privileges. The GrujaRSorium virus can modify the Windows Registry by creating new entries for itself and modifying other existing ones. Changes to services or applications can render them unusable or cause severe performance issues.

A related action is the setup of the GrujaRSorium virus as a persistent threat where the system configuration will be changed to reflect this. The ransomware engine will be launched every time the computer boots. As a consequence access to the boot recovery menu and system restore points may be blocked. This can render most manual user removal instructions invalid. In such cases only a quality anti-spyware solution will remedy the infection.
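The persistence behaviour described above (new registry entries so the engine launches at every boot) is something a defender can watch for in endpoint telemetry. The following is an added example, not code from the article or from any product it mentions: it parses constructed Sysmon-style "registry value set" records (Sysmon Event ID 13, whose TargetObject and Details fields are real Sysmon field names; the hosts, paths and values are invented) and flags autostart entries written under the Run/RunOnce keys, marking those that launch from user-writable directories such as AppData or Temp as the ones to look at first.

```python
import json
import re

# Autostart registry locations commonly used for persistence (well-known Windows
# locations, not values taken from the article).
RUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE
)

# Directories a standard user can write to; an autostart entry launching an
# executable from one of these deserves a closer look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

# Constructed Sysmon-style JSON records, one per line, for demonstration only.
# Event ID 13 is Sysmon's "registry value set"; Event ID 1 is process creation.
SAMPLE_EVENTS = [
    r'{"EventID": 13, "Computer": "WS01", '
    r'"TargetObject": "HKU\\S-1-5-21-111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpdate", '
    r'"Details": "C:\\Users\\alice\\AppData\\Roaming\\winupd.exe"}',
    r'{"EventID": 13, "Computer": "WS01", '
    r'"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater", '
    r'"Details": "C:\\Program Files\\Vendor\\updater.exe"}',
    r'{"EventID": 13, "Computer": "WS02", '
    r'"TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Spooler\\Start", '
    r'"Details": "DWORD (0x00000002)"}',
    r'{"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\notepad.exe"}',
    r'{"EventID": 13, "Computer": "WS02", '
    r'"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\cleanup", '
    r'"Details": "C:\\Windows\\Temp\\cleanup.bat"}',
]


def parse_events(lines):
    """Decode one JSON record per line into dicts."""
    return [json.loads(line) for line in lines]


def flag_autostart(event):
    """Return a finding for an Event ID 13 record that writes a Run/RunOnce value, else None."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    if not RUN_KEY.search(target):
        return None
    command = event.get("Details", "")
    return {
        "host": event.get("Computer"),
        "value_name": target.rsplit("\\", 1)[-1],
        "command": command,
        # Launching an autostart from a user-writable path is the stronger signal.
        "suspicious": bool(USER_WRITABLE.search(command)),
    }


def scan(lines):
    """Run flag_autostart over every record and keep the findings, in input order."""
    findings = (flag_autostart(e) for e in parse_events(lines))
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        marker = "SUSPICIOUS" if finding["suspicious"] else "review"
        print(f"[{marker}] {finding['host']}: {finding['value_name']} -> {finding['command']}")
```

Entries that point into Program Files are still reported so an analyst can confirm they are legitimate; the "suspicious" flag only orders the triage, it does not decide it.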

The GrujaRSorium virus has been found to interact with the Windows Volume Manager, which allows it to access connected removable storage devices and network shares and to spread further through them.

The ransomware infections can be used to spread other malware threats as well. This is particularly useful for Trojan horses which are among the most dangerous types of viruses. They consist of a slave client which establishes a secure connection to a hacker-controlled server. It can be used to spy on the victims, hijack their data and infect the systems with other threats.

GrujaRSorium Virus – Encryption Process

When all prior modules have completed execution the ransomware engine will be called. Like other popular malware of this type it will use a built-in list of target file type extensions. One of the acquired samples has been analyzed to target the following extensions:

.7z, .asp, .aspx, .avi, .bc6, .bc7, .bkf, .bkp, .cas, .csv, .d3dbsp, .doc, .docx, .fos,
.gdb, .gho, .hkdb, .hplg, .html, .hvpl, .ibank, .icxs, .itdb, .itl, .itm, .m4a, .map, .mdb, .mdbackup,
.mddata, .mov, .mp4, .odt, .php, .pkpass, .png, .ppt, .pptx, .psd, .qdf, .qic, .rar, .sb, .sid, .sidd,
.sidn, .sie, .sis, .sql, .sum, .svg, .syncdb, .t12, .t13, .tax, .txt, .vdf, .wma, .wmo, .wmv, .xls, .xlsx,
.xml, .zip, .ztmp

The affected files will be renamed according to the predesigned configuration files. Files encrypted by the GrujaRSorium virus have been found to be assigned with the following extensions:

  • .aes
  • .aesed
  • .GrujaRS
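During incident response the first practical question is which files were touched. The following is an added example, not code from the article: it walks a directory tree, picks out files carrying the three extensions listed above, recovers the original file name from the name alone (the content remains encrypted; renaming does not restore data) and checks the original extension against the target list from the analysed sample, so that files hit outside that list stand out as a possible sign of a different variant. The directory tree it scans is constructed in a temporary folder for the demonstration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article reports GrujaRSorium appending to encrypted files.
RANSOM_EXTENSIONS = {".aes", ".aesed", ".grujars"}

# Target extension list of the analysed sample, copied from the article.
TARGET_EXTENSIONS = {
    ".7z", ".asp", ".aspx", ".avi", ".bc6", ".bc7", ".bkf", ".bkp", ".cas", ".csv",
    ".d3dbsp", ".doc", ".docx", ".fos", ".gdb", ".gho", ".hkdb", ".hplg", ".html",
    ".hvpl", ".ibank", ".icxs", ".itdb", ".itl", ".itm", ".m4a", ".map", ".mdb",
    ".mdbackup", ".mddata", ".mov", ".mp4", ".odt", ".php", ".pkpass", ".png", ".ppt",
    ".pptx", ".psd", ".qdf", ".qic", ".rar", ".sb", ".sid", ".sidd", ".sidn", ".sie",
    ".sis", ".sql", ".sum", ".svg", ".syncdb", ".t12", ".t13", ".tax", ".txt", ".vdf",
    ".wma", ".wmo", ".wmv", ".xls", ".xlsx", ".xml", ".zip", ".ztmp",
}


def classify(path):
    """Return (original_name, ransom_ext) if the file carries a ransom extension, else None."""
    p = Path(path)
    ext = p.suffix.lower()
    if ext not in RANSOM_EXTENSIONS:
        return None
    original = p.name[: -len(p.suffix)]  # strip only the appended extension
    return original, ext


def inventory(root):
    """Walk root and summarise affected files by ransom extension and original type."""
    affected = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            hit = classify(full)
            if hit is None:
                continue
            original, ransom_ext = hit
            orig_ext = Path(original).suffix.lower()
            affected.append({
                "path": full,
                "original_name": original,
                "ransom_ext": ransom_ext,
                "original_ext": orig_ext,
                "in_target_list": orig_ext in TARGET_EXTENSIONS,
            })
    return {
        "affected": affected,
        "by_ransom_ext": Counter(a["ransom_ext"] for a in affected),
        "by_original_ext": Counter(a["original_ext"] for a in affected),
        # Files whose original type is not in the sample's list: worth a second look.
        "outside_target_list": [a["path"] for a in affected if not a["in_target_list"]],
    }


def build_sample_tree():
    """Create a constructed directory tree (placeholder content, not real victim data)."""
    root = tempfile.mkdtemp(prefix="grujars_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ["report.docx.GrujaRS", "budget.xlsx.aes", "notes.txt.aesed",
                 "photo.png.GrujaRS", "readme.md.GrujaRS", "untouched.pdf"]:
        Path(docs, name).write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    result = inventory(build_sample_tree())
    print(f"{len(result['affected'])} affected files")
    print("by ransom extension:", dict(result["by_ransom_ext"]))
    print("by original type:", dict(result["by_original_ext"]))
    print("outside target list:", result["outside_target_list"])
```

Run it against a copied image of the affected volume rather than the live disk, and keep the output: the list of original names is what you will reconcile against backups once the machine has been cleaned.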

Instead of a traditional ransomware note, the desktop background will be changed to show the following message:

all your files have been encrypted, if you want to restore it, send 1 encrypted file to it email:
ATTENTION!! You have 1 week to contact us, after 1 week, decrypting has been inposible
* – realy not restore!

The following pop-up message is also generated:

All files have been encrypted using unique 32 chars, and AES-256 + RSA-4096 (encryption has not never)!
Your files DESTROYED! GrujaRS faggot

Remove GrujaRSorium Virus and Try to Restore Data

If your computer system got infected with the .GrujaRS ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

