Remove GreyStars Virus – Restore Encrypted Files by the Ransomware

Remove GreyStars Virus – Restore Encrypted Files by the Ransomware

The Greystars virus is a dangerous malware threat that has been identified in a small attack campaign. It appears that it follows the behavior tactics of GandCrab and Sequre. Its ransomware engine uses a custom AES cipher in order to encrypt the target data.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts sensitive information on your computer system with the [email protected] extensions and demands a ransom to be paid to allegedly recover them.
SymptomsThe ransomware will encrypt your files with a strong encryption algorithm.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Greystars


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Greystars.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Greystars Virus – Distribution Ways

The Greystars virus is distributed using the most common ranasomware spread tactics. The detected initial attack wave is limited in size and does not give out details about the primary method. We presume that the hackers may attempt to use multiple strategies at once.

A preferred method is the use of email spam messages that utilize various social engineering tricks. They attempt to coerce the target users into downloading and running the dangerous files. Using harvested text and graphics taken from well-known Internet services. As such the malware files can be either hyperlinked or attached to the email messages. They are also used to deliver payloads. Two popular examples are the following:

  • Software Installers — The Greystars virus can be embedded in application setup files. The criminals typically choose apps such as utilities, photo editing software, productivity suites or computer games.
  • Documents — The dangerous code can be embedded in documents of all types: spreadsheets, text files or presentations. When they are opened by the victims a message appears that prompts the users to enable the built-in scripts (macros). When this is done the virus is downloaded from a hacker-controlled site and started on the victim machine.

In addition the Greystars virus can be delivered to legitimate sites via malware scripts: pop-ups, banners, redirects. In some cases threats like this one can propagate across ad and affiliate networks.

Another tactic that can be employed is the use of browser hijackers. They are dangerous browser-based plugins that are malicious in nature and seek to manipulate the user’s default settings. The end goals are to redirect the victims to a specific site and also institute various system changes, including the deployment of the Greystars virus.

Greystars Virus – In-Depth Analysis

The Greystars virus is a typical ransomware strain that contains behavior tactics that is similar to both Sequre and the GandCrab family of threats. It is possible tht it might contain code from them or is merely a copy of their behavior.

The infections can begin with an information gathering component that is programmed to harvest strings. They can be classified into two main categories:

  • Personal Data — It includes information related to the victim’s identity. The strings include their name, address, interests, location, passwords and account credentials.
  • Analytics Metrics — The Greystars virus can use the built-in engine in order to harvest data that can be used for campaign metrics. Examples include the installed hardware components and certain values from the operating system.

The modular engine can be customized with additional modules such as a stealth protection. It can make use of the harvested data by looking out for specific applications that can interfere with the Greystars virus executable. Examples include anti-virus software, sandbox environments and virtual machine hosts. Advanced configurations of it can be configured to delete itself if it is not able to execute this step.

Further changes include system changes that can be different according to the campaigns. Many viruses make changes to the Windows Registry by manipulating the strings of user-installed applications or the operating system itself. As a result certain functions and service may work properly or not start at all. Overall system performance may degrade severely. The malware engine associated with the Greystaras virus can also affect the Startup options by removing the possibility to enter into the recovery menu. The virus engine can be programmed into starting every time the computer runs.

The security analysis reveals that a network connection is instituted. It is used by the hackers to serve as a Trojan like instance by spying on the victims in real time. The hacker operators can also use it to take over control of the affected computers. Like other similar threats this function can be used to drop additional threats. TheGreystars virus engine has also been found to delete the Windows backup files and the Shadow Volume Data. This makes file recovery very difficult without the use of a professional-grade solution.

Greystars Virus – Encryption Process

Once all components have executed in the prescribed order the ransomare module. It uses a custom AES cipher which can completely overwrite the victim’s data. Like other similar cases it uses a built-in list of target file type extensions that are due to be encrypted. An example list targets the following data types:

  • Archives
  • Backups
  • Databases
  • Images
  • Music
  • Videos

As a consequence the victim files are renamed with a marker extension [email protected]. The ransomware note is written in a file called RECOVER-YOUR-FILES.HTML which reads the following message:

‘All your files have been encrypted!
How to recover your files?
All your files have been encrypted by RSA and AES due to a security problem on your PC.
You have to pay for decryption of Bitcoins.
If you want to restore them.You must send 0.08 bitcoin to my bitcoins address 1JnRP8UsTDLRjzCTaJXYPr5oYkKc7bLY2Q.
After payment, we will send you the decryption tool that will decrypt all your files.
Please write us to the email [email protected]
Please write the decrypt code in the title of your email message. And don’t forgot to write the transfer accounts info.
How to obtain Bitcoins?
The easiest way to buy bitcoins is LocalBitcoins site.You have to register.Click “Buy Bitcoins.”And select the seller by payment method and price.
The Web Site address is,or other websites.
1.Do not rename encrypted files.
2.Do not try to decrypt your data using third party software.It may cause permanent data loss.’

Remove Greystars Virus and Restore .Greystars Files

If your computer system got infected with the Greystars ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share