.GRHAN Files Virus (Matrix) - How to Remove It


This article explains the issues that occur in case of infection with the .GRHAN files virus and provides a complete guide on how to remove malicious files and how to potentially recover files encrypted by this ransomware.

A ransomware virus named after the extension it appends to corrupted files, .GRHAN, has recently been detected in the wild. In case of infection with this threat, you won't be able to access the information stored in valuable files due to significant transformations of their original code. Hackers use this devastating impact to blackmail you into paying them a ransom for .GRHAN files decryption.

Threat Summary

Name: .GRHAN Files Virus
Type: Ransomware, Cryptovirus
Short Description: A data locker ransomware that utilizes two sophisticated cipher algorithms to encode target files and extort a ransom payment from victims.
Symptoms: Important files are locked and renamed with the .GRHAN extension. They remain unusable until their original code is recovered.
Distribution Method: Spam Emails, Email Attachments, Infected Installers
Detection Tool: See If Your System Has Been Affected by .GRHAN Files Virus (Malware Removal Tool)
User Experience: Join Our Forum to Discuss .GRHAN Files Virus.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.GRHAN Files Virus – Distribution

The payload file of the so-called .GRHAN files virus has probably reached your computer as part of a spam email. Emails that attempt to deliver malicious code to users' devices are often designed to look as if they come from well-known businesses, websites, and even governmental institutions. This trick aims to mislead you and make you more likely to start the malicious code on your PC without noticing its presence.

The malicious code that triggers the ransomware infection is usually disguised as a file attachment of a common type such as a document, image, archive or PDF, or as a URL address to an infected web page. The text of emails that are part of malspam campaigns usually attempts to provoke a sense of urgency and in this way lure you into opening the affected elements on your device as soon as possible.

In order to stay safe in future, we recommend that you check our forum for several safety tips. They could help you prevent ransomware like .GRHAN from infecting your system.

.GRHAN Files Virus – Overview

A strain of Matrix ransomware has been spotted in the wild. It is associated with the extension .GRHAN and that's why the threat is called .GRHAN crypto virus. Like its predecessors, .tro virus is designed to interfere with main system settings, which in turn enables it to encrypt target files.

An infection with .GRHAN ransomware virus could be triggered by a payload file. Such a file usually contains a variety of commands that support the infection process. At first, it is likely to initiate the creation of additional malicious files on the system. Once the ransomware establishes these files it starts executing them in a predefined order. This process leads to the completion of all infection stages.

Before .GRHAN could reach the main stage of its infection – data corruption, it needs to access some system components in order to apply changes that will enable it to evade detection and obtain a persistent presence. Usually, the Registry Editor is among the affected components.

This could be explained by the fact that its powerful functionalities control a large number of processes related to the performance of installed apps and the operating system itself. The places to check for malicious entries are the Run and RunOnce registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Since these keys cause programs to run each time a user logs on, they are often targeted by ransomware viruses like .GRHAN.
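One way to review the four keys listed above in a single pass, as an added example that is not part of the original article. The review heuristics (user-writable folders, script hosts, missing or unsigned targets) are generic triage assumptions, not signatures of this ransomware.

```powershell
# Added example: audit the four Run/RunOnce keys and flag entries for manual review.
# The heuristics are generic triage assumptions, not signatures of this ransomware.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# User-writable folders and script hosts that legitimate autostart entries rarely use.
$riskyPath = '\\(AppData|Temp|ProgramData|Users\\Public)\\'
$riskyHost = '\b(wscript|cscript|mshta|powershell|rundll32|regsvr32|cmd)(\.exe)?\b'
$noExpand  = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        # Keep the value as stored, then expand %VAR% references for the checks.
        $raw = [string]$item.GetValue($name, $null, $noExpand)
        $cmd = [Environment]::ExpandEnvironmentVariables($raw)

        # Executable path: the quoted first token, else text up to the first extension.
        $exe = $null
        if ($cmd -match '^\s*"([^"]+)"') {
            $exe = $Matches[1]
        } elseif ($cmd -match '^\s*(.+?\.(exe|com|scr|bat|cmd|vbs|js|dll))(\s|$)') {
            $exe = $Matches[1]
        }
        # Only fully qualified paths can be checked on disk without a PATH search.
        $rooted = $exe -and ($exe -match '^[A-Za-z]:\\|^\\\\')

        $flags = @()
        if ($cmd -match $riskyPath) { $flags += 'user-writable path' }
        if ($cmd -match $riskyHost) { $flags += 'script host or LOLBin' }
        if ($rooted -and -not (Test-Path -LiteralPath $exe)) {
            $flags += 'target missing'
        } elseif ($rooted -and (Get-AuthenticodeSignature -LiteralPath $exe `
                    -ErrorAction SilentlyContinue).Status -ne 'Valid') {
            $flags += 'not validly signed'
        }
        [pscustomobject]@{
            Key = $key; Name = $name; Command = $raw; Review = ($flags -join ', ')
        }
    }
}
# Flagged entries first; an empty Review field means no heuristic fired.
$report | Sort-Object { -not $_.Review }, Key, Name | Format-List
```

A flag is a reason to inspect the entry, not proof that it is malicious; record the command line of anything you decide to delete.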

Soon after the ransomware completes all infection stages, it drops the text file !README_GRHAN!.rtf and loads it on the screen. The purpose of this message is to blackmail you into transferring to the hackers an unspecified amount of money in Bitcoin as a ransom fee for the corrupted files.

Beware that even a successful ransom payment does not guarantee the recovery of your encrypted files.

.GRHAN Files Virus – Encryption Process

After the ransomware manages to plague all needed system components, it activates a built-in encryption module to complete the main infection stage. During this stage, the .GRHAN files virus applies changes to the original code of target files with the help of two sophisticated cipher algorithms – RSA 2048 bit and AES 128 bit.

As a result, corrupted files receive the extension .GRHAN and remain inaccessible until their code is recovered to its original state.

Like previous variants of Matrix ransomware, .GRHAN is likely to corrupt types of files that store valuable data such as:

  • Audio files
  • Video files
  • Document files
  • Image files
  • Backup files
  • Banking credentials, etc

Remove .GRHAN Files Virus and Restore Data

The ransomware associated with the .GRHAN extension is a threat with highly complex code that plagues not only your files but your whole system. So you should properly clean and secure your infected system before you use it regularly again. Below you can find a step-by-step removal guide that may be helpful in attempting to remove this ransomware. Choose the manual removal approach if you have previous experience with malware files. If you don't feel comfortable with the manual steps, select the automatic section from the guide. The steps there enable you to check the infected system for ransomware files and remove them with a few mouse clicks.

In order to keep your system safe from ransomware and other types of malware in future, you should consider the installation of a reliable anti-malware program. As an additional security layer that could prevent the occurrence of ransomware attacks, you could install an anti-ransomware tool.

If you want to understand how to potentially fix encrypted files with the help of alternative data recovery approaches, make sure to read carefully all details mentioned in the step "Restore files". We remind you that before you begin the data recovery process, you should back up all encrypted files to an external drive, as this will help you prevent their irreversible loss.
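To support the backup step above, the following added example (not from the original article) inventories every file with the .GRHAN extension and every !README_GRHAN!.rtf note into a manifest. `$Root` and `$OutCsv` are assumed values, and the time-window estimate assumes the malware did not reset file timestamps.

```powershell
# Added example: inventory .GRHAN files and ransom notes before backup or cleanup.
# $Root and $OutCsv are assumed values; point $OutCsv at the external backup drive.
$Root   = 'C:\Users'
$OutCsv = 'E:\grhan_inventory.csv'

$hits = @(Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.GRHAN' -or $_.Name -eq '!README_GRHAN!.rtf' } |
    ForEach-Object {
        [pscustomobject]@{
            Kind         = if ($_.Extension -eq '.GRHAN') { 'encrypted' } else { 'ransom note' }
            Folder       = $_.DirectoryName
            Path         = $_.FullName
            Bytes        = $_.Length
            LastWriteUtc = $_.LastWriteTimeUtc
        }
    })

if ($hits.Count -eq 0) {
    Write-Output "No .GRHAN files or ransom notes found under $Root"
} else {
    # Manifest for the backup: every affected path with its size and timestamp.
    $hits | Sort-Object LastWriteUtc |
        Export-Csv -LiteralPath $OutCsv -NoTypeInformation -Encoding UTF8

    # Assumption: if timestamps were not reset, the write-time range of the
    # encrypted files approximates when the encryption stage ran.
    $enc = @($hits | Where-Object Kind -eq 'encrypted')
    if ($enc.Count -gt 0) {
        $window = $enc | Measure-Object -Property LastWriteUtc -Minimum -Maximum
        $total  = ($enc | Measure-Object -Property Bytes -Sum).Sum
        Write-Output ("Encrypted files: {0} ({1:N0} bytes), written between {2:u} and {3:u}" -f
            $enc.Count, $total, $window.Minimum, $window.Maximum)
    }

    # Folders with the most affected files show which data sets were hit hardest.
    $hits | Group-Object Folder | Sort-Object Count -Descending |
        Select-Object -First 15 Count, Name
}
```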

Gergana Ivanova


Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for three years, researching malware and reporting on the latest infections.
