Greystars Ransomware

The Greystars Ransomware is a data encryption Trojan that was reported at cybersecurity blogs on May 2nd, 2018. Computer security researchers warn that the Greystars Ransomware Trojan resembles threats like the Sequre Ransomware and the GandCrab3 Ransomware that emerged around the same date. We don't know who is behind the Greystars Ransomware since it uses compromised sites and the TOR Network to host its 'Command and Control' servers. Additionally, the ransomware operators are using mailing services by Protonmail, and there is no way to know what messages are exchanged via their email account — greystars@protonmail.com.

The Greystars Ransomware Uses a Custom AES Cipher to Render the Files Unreadable

PC users may be compromised when a corrupted Microsoft Word file is loaded onto their systems. Macro scripts are used by many threat authors to install various Trojans on computers that can't be breached directly. Lab tests have shown that the Greystars Ransomware is programmed to apply a custom AES cipher to photos, audio, video, databases, office documents and eBooks. Many researchers identify the Greystars Ransomware as a top-tier crypto-threat given that it deletes its traces on the infected devices, removes the backups created by Windows and disables the System Restore service. The encrypted data is marked with the '.greystars@protonmail.com' suffix and something like 'Day-Neutral strawberries.pptx' is renamed to 'Day-Neutral strawberries.pptx.greystars@protonmail.com.' The ransom message is presented to users as 'RECOVER-YOUR-FILES.HTML' and reads as follow:

'All your files have been encrypted!
How to recover your files?
All your files have been encrypted by RSA and AES due to a security problem on your PC.
You have to pay for decryption of Bitcoins.
If you want to restore them.You must send 0.08 bitcoin to my bitcoins address 1JnRP8UsTDLRjzCTaJXYPr5oYkKc7bLY2Q.
After payment, we will send you the decryption tool that will decrypt all your files.
Please write us to the email greystars@protonmail.com.
Your decrypt code is XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Please write the decrypt code in the title of your email message. And don't forgot to write the transfer accounts info.
How to obtain Bitcoins?
The easiest way to buy bitcoins is LocalBitcoins site.You have to register.Click "Buy Bitcoins."And select the seller by payment method and price.
The Web Site address is https://localbitcoins.com/,or other websites.
Attention!
1.Do not rename encrypted files.
2.Do not try to decrypt your data using third party software.It may cause permanent data loss.'

As you can see above, the threat operators offer victims to buy a decryptor for 0.08 Bitcoin (≈736 USD/614 EUR). Payments are welcomed to the '1JnRP8UsTDLRjzCTaJXYPr5oYkKc7bLY2Q' Bitcoin wallet. Judging by the public records on Blockchain.info the crooks responsible for Greystars Ransomware have collected 215 payments at the time of research. Unfortunately, the Greystars Ransomware campaign appears to be successful relatively, and we should remind PC users that the payment of the ransom is not guaranteed to result in successful decryption of your data.

It is Safer to Load Backup Images and Recover from Them

Complying with the demands laid by the Greystars Ransomware is not encouraged. It is safer to remove the Greystars Ransomware with the help of a trusted anti-malware engine and load backups from the System Recovery disks, CDs/DVDs, USB drives, backup images, and cloud storage solutions like Dropbox, Google Drive and Microsoft's OneDrive.