The GruxEr Ransomware is a ransomware Trojan based on Hidden Tear, an open source ransomware project released in 2015. Countless ransomware variants descend from Hidden Tear today, and the GruxEr Ransomware, which appeared in May 2017, is just one of many ransomware Trojans built on that code. The GruxEr Ransomware is not being distributed widely at present, but it is capable of carrying out effective ransomware attacks. It uses an English-language ransom note and follows the typical ransomware pattern: it encrypts the victim's files and then demands a ransom payment from the victim. The GruxEr Ransomware is built as a 32-bit application and can infect computers running practically any version of the Windows operating system.
How the GruxEr Ransomware Infection Works
The GruxEr Ransomware may be delivered to the victims' computers as malicious email attachments. Once installed, the GruxEr Ransomware encrypts the victim's files with a strong encryption algorithm, making them inaccessible, and then displays a message with the following text:
'Files has been encrypted with hidden tear
Send me some bitcoins or kebab
And I also hate night clubs, desserts, being drunk.'
The GruxEr Ransomware has been observed under several executable names, including worm.exe, tears.exe, gruxer.exe and holy.exe. Once the GruxEr Ransomware finishes encrypting, it drops its ransom note as a text file named 'READ_IT.txt,' which informs the victim of the attack and demands payment of a ransom. The GruxEr Ransomware uses a combination of AES and RSA encryption to make the victim's files inaccessible. It stores the decryption key on its Command and Control server, out of reach of the victim and of security software, which makes recovering the affected files without that key very difficult. The ransom note includes no email address for contacting the people responsible for the attack; instead, the victim is asked to pay to a specified Bitcoin wallet, after which the con artists supposedly send the decryption key. The following text is displayed in the GruxEr Ransomware ransom note:
'----- ATTENTION! DO NOT SHUT OFF YOUR COMPUTER -----
Your personal files have been encrypted by the GruxEr Ransomware
Your documents, photos, databases and other important files have been encrypted with the strongest encryption known to man. And is secured with a unique key, generated for this computer. The private decryption key is stored on a secret Internet server, and nobody can decrypt your files until you pay to obtain your key.
You must pay $250 in Bitcoin to the bitcoin address below. If you do not have Bitcoin visit the site Localbitcoins and purchase $250 USD worth of bitcoin. Within 2 minutes of receiving your payment, an automated bot will send your computer your personal decryption key.
You have 72 hours to submit the payment. If you do not send the money within the provided time, all your files will be permanently crypted and no one will ever be able to recover them.
□ I made the payment'
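A practitioner responding to an infection wants to turn the artifacts named above (the observed executable names, the 'READ_IT.txt' note and the phrases in the two quoted messages) into a quick triage check. The following Python script is an added example written for this page, not code from the article or from the GruxEr Ransomware itself: it walks a directory tree, flags executables carrying the observed names and READ_IT.txt files whose text contains a phrase from the quoted notes, and separates a matching note from a benign file that merely shares the name. The directory tree it scans is constructed inline as demo data; the function names, the choice of marker phrases and the file layout are the example's own assumptions.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Indicators named in the article: executable names seen for GruxEr and its ransom note file name.
SUSPECT_EXE_NAMES = {"worm.exe", "tears.exe", "gruxer.exe", "holy.exe"}
RANSOM_NOTE_NAME = "read_it.txt"

# Phrases taken from the two messages quoted above; any one of them is enough to flag a note.
NOTE_MARKERS = (
    "encrypted by the gruxer ransomware",
    "encrypted with hidden tear",
    "send me some bitcoins or kebab",
)


def classify_file(path: Path) -> Optional[str]:
    """Return a finding type for one file, or None if nothing matches.

    Names are compared case-insensitively because Windows file systems are.
    """
    name = path.name.lower()
    if name in SUSPECT_EXE_NAMES:
        return "suspect_executable"
    if name == RANSOM_NOTE_NAME:
        try:
            text = path.read_text(encoding="utf-8", errors="replace").lower()
        except OSError:
            return None
        if any(marker in text for marker in NOTE_MARKERS):
            return "ransom_note"
        # Right file name but none of the known phrases: worth a look, lower confidence.
        return "ransom_note_name_only"
    return None


def scan_for_gruxer(root: str) -> Dict[str, List[str]]:
    """Walk `root` and group matching files by finding type (paths relative to root, POSIX style)."""
    findings: Dict[str, List[str]] = {
        "suspect_executable": [],
        "ransom_note": [],
        "ransom_note_name_only": [],
    }
    for dirpath, _dirs, filenames in os.walk(root):
        for filename in filenames:
            full = Path(dirpath) / filename
            kind = classify_file(full)
            if kind is not None:
                findings[kind].append(full.relative_to(root).as_posix())
    for paths in findings.values():
        paths.sort()
    return findings


def build_sample_tree() -> str:
    """Create a constructed directory tree imitating an infected profile (demo data, not a real capture)."""
    root = tempfile.mkdtemp(prefix="gruxer_demo_")
    files = {
        # Hypothetical dropped copy of the malware, named as in the article (placeholder bytes, not a PE).
        "Users/victim/AppData/Local/Temp/tears.exe": b"MZ\x90\x00 constructed placeholder\n",
        # Same indicator with different letter case.
        "Users/victim/Downloads/HOLY.exe": b"MZ\x90\x00 constructed placeholder\n",
        # Ransom note carrying one of the quoted phrases.
        "Users/victim/Documents/READ_IT.txt": (
            b"----- ATTENTION! DO NOT SHUT OFF YOUR COMPUTER -----\n"
            b"Your personal files have been encrypted by the GruxEr Ransomware\n"
        ),
        # Benign file that happens to share the note's name.
        "Users/victim/Desktop/read_it.txt": b"Reminder: read chapter 4 before Monday.\n",
        # Ordinary document, should not be reported.
        "Users/victim/Documents/report.docx": b"PK\x03\x04 constructed placeholder\n",
    }
    for rel, data in files.items():
        path = Path(root, *rel.split("/"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for kind, paths in scan_for_gruxer(demo_root).items():
        for p in paths:
            print(f"{kind}: {p}")
```

Point scan_for_gruxer at a mounted disk image or a user profile root instead of the demo tree. Name-based matching is deliberately simple: the attacker can rename the executable at will, so anything flagged should also be hashed and timestamped, and a READ_IT.txt that matches only by name deserves a manual look rather than an automatic dismissal.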
Dealing with a GruxEr Ransomware Infection
PC security researchers recommend that computer users refrain from paying the GruxEr Ransomware ransom. Apart from the fact that the con artists are unlikely to help victims recover the affected files, paying the ransom funds these people to keep creating ransomware Trojans and claiming more victims. Instead of paying, malware analysts advise computer users to remove the GruxEr Ransomware with a security program and then restore the affected files from a backup. Keeping backup copies of all files on an external storage device or in the cloud is the best protection against the GruxEr Ransomware and other ransomware Trojans; those backups should be kept disconnected or otherwise write-protected, since ransomware also encrypts files on any drive it can reach. File backups undermine the attack by removing any leverage the con artists have over the victim and let computer users limit the damage of these infections.