
Gero Ransomware

Posted: August 30, 2019

The Gero Ransomware is a file-encryption Trojan that can encrypt a wide variety of file types, leaving them inaccessible until they are decrypted. Unfortunately, decrypting the files that the Gero Ransomware locks is a difficult task that cannot be completed without the assistance of the threat's authors. They are willing to sell a decryption service, but the price is rather hefty: $490 via Bitcoin.

Gero's Operators Offer Decryption for $490

Malware researchers have identified similarities between the Gero Ransomware and the STOP Ransomware, so it is safe to assume that this threat belongs to the STOP family. It uses the same email addresses for contact, the same ransom note, and an identical file-encryption routine that is impossible to crack for free. When the Gero Ransomware is initialized, it immediately begins to encrypt documents, images, archives, videos, and other commonly used file formats. Whenever a file is locked, the '.gero' extension is added to its name. The Gero Ransomware also drops a '_readme.txt' file, which is usually stored on the desktop. It contains a message from the attackers, who state that the decryption service can be used in exchange for $490. They also warn their victims that the payment must be completed within 72 hours or the price will be doubled.

The attackers use the emails gorentos@bitmessage.ch and gerentoshelp@firemail.cc for contact. While previous variants of the STOP Ransomware had a Telegram profile available for contact, this part appears to have been discarded in the Gero Ransomware's ransom note.
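The indicators described above (the '.gero' extension, the '_readme.txt' note and the two contact addresses) are enough to scope the damage on an affected machine. The following read-only triage script is an added example, not part of the original article; the function names `triage` and `build_sample` are hypothetical, and the sample directory tree is constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter

LOCKED_EXT = ".gero"        # extension named in the article
NOTE_NAME = "_readme.txt"   # ransom note file name named in the article
CONTACTS = ("gorentos@bitmessage.ch", "gerentoshelp@firemail.cc")  # from the article

def triage(root):
    """Walk root and summarise Gero indicators without modifying anything."""
    locked, notes, by_type = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(LOCKED_EXT):
                locked.append(path)
                # Strip the appended extension to learn what kind of file was lost.
                original = name[:-len(LOCKED_EXT)]
                by_type[os.path.splitext(original)[1].lower() or "(none)"] += 1
            elif lower == NOTE_NAME:
                try:
                    with open(path, "r", errors="replace") as fh:
                        text = fh.read(65536).lower()
                except OSError:
                    text = ""
                # A benign _readme.txt will not contain the contact addresses.
                notes.append((path, any(c in text for c in CONTACTS)))
    return {"locked": sorted(locked), "notes": sorted(notes), "by_type": dict(by_type)}

def build_sample(root):
    """Constructed sample tree (not real victim data) so the script runs offline."""
    os.makedirs(os.path.join(root, "Desktop"))
    os.makedirs(os.path.join(root, "Docs"))
    files = {
        "Desktop/_readme.txt": "constructed note text, contact gorentos@bitmessage.ch",
        "Docs/_readme.txt": "unrelated project readme",
        "Docs/report.docx.gero": "x", "Docs/photo.JPG.gero": "x",
        "Docs/budget.xlsx": "x",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        result = triage(tmp)
        print(len(result["locked"]), "locked files:", result["by_type"])
        for path, matched in result["notes"]:
            print("ransom note" if matched else "unconfirmed note", path)
```

The per-type counts show which kinds of data need to be restored from backup, and the note check separates the ransom note from unrelated files that happen to share its name.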

Sadly, you may not be able to restore your files if they have been locked by the Gero Ransomware. It is recommended to refrain from paying the ransom fee and to look for legitimate data recovery options. Your utmost priority should be to ensure the Gero Ransomware's removal with the use of an up-to-date anti-virus tool.
