
Greystars Ransomware

Posted: May 3, 2018

The Greystars Ransomware is a file-locking Trojan that uses a combination of AES and RSA encryption to keep you from opening documents, pictures and other media. While this threat also creates messages demanding Bitcoin payments for the unlocking solution, victims should try recovering their files through other methods before submitting to extortion. Malware experts rate this threat as a danger to most files on your PC and encourage uninstalling the Greystars Ransomware safely, or blocking its installation, with dedicated anti-malware applications.

A Star of Secure Encryption Attacks is Rising

The difference between a 'quick and dirty' encryption attack and a secure one is often the gap between an easily reversible hostage-taking attempt and the permanent loss of your file data. Unfortunately, the added effort of securing an encryption routine isn't necessarily onerous for threat actors. Malware experts see it recurring across a range of Trojans, from 2016's Nuke Ransomware and the '.razy1337 File Extension' Ransomware up to the present-day Satyr Ransomware, Spartacus Ransomware and Greystars Ransomware campaigns.

The Greystars Ransomware, the subject of this article, uses an initial layer of AES-256 encryption that it then protects with a second layer of RSA-2048. Although it targets most file formats, the Trojan also configures the attack to skip some types, such as executables, Windows program installers and JSON data files. As usual, the encryption renders all 'personal' file types unopenable while avoiding damage to the system's installed applications and essential OS components.

Malware researchers are also verifying other details of the Greystars Ransomware's attacks, which provide additional support for the extortion-related phase of its infections. These features include:

  • The Greystars Ransomware may download other files from non-local sources by abusing hidden CMD commands and the Windows PowerShell program, including granting itself admin privileges. Threat actors can use this capability to deliver different ransom messages (as noted below).
  • The Greystars Ransomware generates local Web pages for making its ransom demands to victims. This warning message provides a static e-mail address and Bitcoin wallet, which the threat actor uses for accepting payment before, theoretically, giving the victim a decryption code. Malware experts also note very similar messages from the Scorpio Ransomware and other Trojans from the Scarab Ransomware family, although this fact doesn't necessarily indicate that the Greystars Ransomware is also a member.

Keeping the Ill Starlight from Shining on Your Files

So far, the Greystars Ransomware campaign is focusing on specific nations: the United States, China and Jordan. However, its payload is just as compatible with the files of PCs elsewhere, and malware researchers see no indication that the Greystars Ransomware terminates itself without locking files when running in different environments (which it could determine via the system's IP address or local language settings, for example). Only English-language versions of the Greystars Ransomware are matters of public record.

Threat actors could be bundling the Greystars Ransomware into various downloads, such as gaming software circulating on file-sharing networks, or delivering it as e-mail attachments. Because breaking the AES and RSA encryption is unlikely without unforeseen glitches in the Greystars Ransomware's code, malware experts urge all PC users to keep backups of their files for any necessary recovery, particularly after an infection. However, standard anti-malware programs should also delete the Greystars Ransomware before it begins encrypting your media.

Although the Greystars Ransomware's 0.08 Bitcoin ransom may sound small, it's over seven hundred US dollars. If your files are worth that much money, they also ought to be worth the time it takes to protect them from file-locking threats and their increasingly widespread attacks.