
GEROSAN Ransomware

Posted: August 27, 2019

The GEROSAN Ransomware is a file-locking Trojan from the STOP Ransomware family, a Ransomware-as-a-Service. These threats block files on your computer from opening in the hope of selling their victims an unlocking service. Let your anti-malware products block or uninstall the GEROSAN Ransomware appropriately and maintain safe backups for preserving your files.

The STOP Ransomware can't Stop, will not Stop

Ransomware-as-a-Service is defined by a few mainstay features and near-universal characteristics, including rapid development and administration shared among the different threat actors who pay for the service. Accordingly, it's not shocking that a new variant of the STOP Ransomware is in the wild: the GEROSAN Ransomware. Malware experts require further samples to confirm its build, but most current variants of this RaaS family are modernized releases with limited compatibility with the public's free file-recovery options.

The GEROSAN Ransomware uses AES-based encryption with additional RSA security for locking your PC's files. The attack also appends a 'gerosan' filename extension to the locked files, a label that is strictly cosmetic. Although many Windows users' first thought will be to roll back to a previous Restore Point, the GEROSAN Ransomware's family also includes a CMD-based feature that deletes these default backups.

The GEROSAN Ransomware drops a ransom note as well, a text file that follows the same template that malware analysts have noted in campaigns such as those of the Cetori Ransomware, the Krusop Ransomware, the Pedro Ransomware or the Todar Ransomware. Its typical attributes include a shared Bitmessage address, a two-day limit on the 'best' ransom price of 490 USD, and a website link that supposedly leads to a demo of the decryptor. Users shouldn't interact with this link without significant browser protection, since criminals can use such links to host additional threats, such as drive-by downloads.
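The cosmetic 'gerosan' extension and the text-file ransom note described above are the two artifacts an incident responder can inventory quickly. The following triage script is an added example, not code from the original write-up or from any vendor tool; it assumes the extension is appended after the original filename (e.g. 'report.docx.gerosan') and uses constructed keyword markers (Bitmessage, decrypt, 490) as a heuristic for the note, since the real note's wording and filename are not quoted on this page.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: the Trojan appends this suffix after the original extension.
LOCKED_SUFFIX = ".gerosan"
# Constructed heuristic markers for a STOP-family note; not quoted from a real sample.
NOTE_MARKERS = ("bitmessage", "decrypt", "490")


def triage(root):
    """Inventory locked files and candidate ransom notes under root.

    Returns (Counter of original extensions affected, list of note paths).
    """
    affected = Counter()
    notes = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name
        if name.lower().endswith(LOCKED_SUFFIX):
            # 'report.docx.gerosan' -> original suffix '.docx'
            original = Path(name[: -len(LOCKED_SUFFIX)]).suffix.lower() or "(none)"
            affected[original] += 1
        elif path.suffix.lower() == ".txt":
            try:
                text = path.read_text(errors="ignore").lower()
            except OSError:
                continue
            # Require at least two markers to limit false positives on ordinary text files.
            if sum(marker in text for marker in NOTE_MARKERS) >= 2:
                notes.append(str(path))
    return affected, notes


def build_sample_tree():
    """Construct a sample directory tree for demonstration (not real malware output)."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    for locked in ("report.docx.gerosan", "photo.jpg.gerosan", "photo2.jpg.gerosan"):
        (root / "docs" / locked).write_bytes(b"\x00" * 16)
    (root / "notes.txt").write_text(
        "Contact us via BitMessage to decrypt your files. Price 490 USD for 2 days.")
    (root / "readme.txt").write_text("Just an ordinary readme with no ransom content.")
    return str(root)


if __name__ == "__main__":
    affected, notes = triage(build_sample_tree())
    print("locked files by original type:", dict(affected))
    print("candidate ransom notes:", notes)
```

The per-extension counts tell the responder which media types were reached before the process was stopped, which is useful when deciding what to restore from the non-local backups the write-up recommends.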

Culling the Cash from Trojan Business Models

Although there's little risk of the GEROSAN Ransomware's victims failing to identify it correctly, doing so doesn't provide an immediate answer to its encryption damage. Its encryption routine affects most widely-used media formats, such as documents and images, and is rarely decryptable. Users who prevent the Trojan, accidentally or on purpose, from contacting its C&C server have the best chance of decrypting their media with publicly-available software.

Those without that option still should avoid paying the ransom, if possible. Multiple threat actors administer Ransomware-as-a-Service campaigns, and not all of them are reliable in their decryption negotiations. Given this uncertainty, malware analysts still advise storing backups on safe, non-local devices as the best counter to GEROSAN Ransomware infections.

Anti-malware products from most reputable companies should also delete the GEROSAN Ransomware without problems and block the usual installation attempts through Exploit Kits, e-mail, torrents, etc.

Since the GEROSAN Ransomware targets the digital media worth ransoming, diminishing its prospects of payment is a burden that all Windows users carry. A proper backup isn't just a way of saving your work, but of stopping an illicit business from thriving.
