Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Green_ray Ransomware

Green_ray Ransomware is an infection that is very easy to identify as a serious threat. It does not have a misleading interface, and it does not pretend to work in a beneficial manner. Right upon execution, this threat encrypts the files found on your operating system and then hijacks your Desktop with a wallpaper (replaced by “How to decrypt your files.jpg”) urging you to take action. This notification informs you that your files have been encrypted and that you have to contact green_ray@india.com (which explains the name). What is more, a warning is attached claiming that your files would be destroyed if you attempted to recover them yourself. This is a scare tactic that is meant to push you into following the instructions, and the first step is contacting the email address provided. The same action is requested via a TXT file ("How to decrypt your files.txt") created on your Desktop. Whether you follow these instructions or not, you will need to remove Green_ray Ransomware, and this is what this report is about.

According to our malware researchers, Green_ray Ransomware is very similar to Mahasaraswati Ransomware and Vegclass@aol.com Ransomware, both of which we have analyzed in the past. Looking at how these threats are distributed and how they are represented, it is very likely that they were created by the same author. For example, the extension attached to the files encrypted by Green_ray Ransomware is “.id-[ID].{green_ray@india.com}.xtbl” (possibly ".id-[ID].{green_ray@aol.com}.xtbl" as well), and the extension associated with Mahasaraswati Ransomware is “.id-[ID].{mahasaraswati@india.com}.xtbl”. The resemblance is obvious. Furthermore, both of these infections have been found to encrypt executable files, which is not common with most other ransomware infections that we have analyzed in our internal lab. As you might understand – or you might have witnessed it yourself – the encryption of .exe files might paralyze browsers, antivirus tools, malware scanners, and other applications. Of course, that does not mean that it is impossible to remove malicious infections from your computer. What you can do is use a different computer to download the software you want to install and transfer the installers onto the corrupted PC using an external drive (e.g., flash drive). You can use this method when removing the ransomware as well.
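
The shared naming scheme makes it straightforward to inventory what was encrypted. The PowerShell below is an added example, not code from the original report; it parses the “.id-[ID].{email}.xtbl” suffix for any contact address (so it covers the Mahasaraswati variant too), assumes the [ID] part contains no dots or braces, and uses constructed sample file names.

```powershell
# Added example: inventory files renamed to <name>.id-<ID>.{<email>}.xtbl.
# Assumption: <ID> contains no dots or braces (the report does not specify its format).
$XtblPattern = '^(?<orig>.+)\.id-(?<id>[^.{}]+)\.\{(?<mail>[^{}]+)\}\.xtbl$'

function ConvertFrom-XtblName {
    param([Parameter(Mandatory)][string]$Name)
    # Returns nothing for names that do not carry the ransomware suffix
    if ($Name -match $XtblPattern) {
        [pscustomobject]@{
            OriginalName = $Matches['orig']
            VictimId     = $Matches['id']
            Contact      = $Matches['mail']
        }
    }
}

function Get-XtblInventory {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_.DirectoryName
            $hit = ConvertFrom-XtblName -Name $_.Name
            if ($hit) {
                $hit | Add-Member -NotePropertyName Directory -NotePropertyValue $dir -PassThru
            }
        }
}

# Constructed sample names (not taken from a real incident)
$samples = @(
    'budget.xlsx.id-A1B2C3D4.{green_ray@india.com}.xtbl',
    'setup.exe.id-A1B2C3D4.{green_ray@aol.com}.xtbl',
    'notes.txt'
)
$samples | ForEach-Object { ConvertFrom-XtblName -Name $_ } | Format-Table -AutoSize

# On an affected host: count renamed files per folder to scope the damage
# Get-XtblInventory -Root $env:USERPROFILE | Group-Object Directory | Sort-Object Count -Descending
```

Renamed .exe entries in the inventory show which applications need to be reinstalled from clean installers.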

Just like its clones, Green_ray Ransomware spreads mostly via spam emails. Other methods of distribution might be employed, but it is most likely that you will execute this threat yourself by opening corrupted attachments sent to you via email. It is important to acknowledge this, as it could help you prevent malware from attacking your PC in the future. Users are often overconfident about their knowledge of malware, and they underestimate the skills of cyber criminals. In reality, malware creators work hard to conceal their threats or make them appear to be something they are not, so that you download them without suspecting a risk. For example, when it comes to spam email attacks, cyber crooks might use the names and logos of banks, post and delivery services, flight carriers, and other reputable companies just to fool you. If you are not vigilant, the next unfamiliar attachment you open could be used to infiltrate malware. So, be careful, do not trust unfamiliar senders, and certainly do not open attachments that you were not expecting.

Once you email the creators of the ransomware, you should receive a reply asking you to pay a ransom in return for the decryption of your files. While we cannot tell you what to do, we certainly recommend thinking long and hard about paying the ransom because you are at risk of losing a lot of money without a reason. First of all, cyber criminals might not hold up their end of the deal. Second, you might be able to restore your files in other ways. If you have set up a system restore point before the attack, you might be able to reverse the damage, as Shadow Volume Copies are not deleted by this ransomware. If that does not work or a system restore point simply does not exist, look into third-party decryption tools. When it comes to deleting Green_ray Ransomware, you have to be very smart about your actions. Manual removal is not always the easiest option, and it is wise to look into automated anti-malware software. This software is particularly helpful if other threats are present or if you want to enable full-time protection against malware in the future.

Green_ray Ransomware Removal

N.B. The executable representing this ransomware has the name of a file you downloaded yourself, and you might have downloaded it in a different location. If you cannot find the malicious .exe file, scan your PC to locate it.

  1. Launch Explorer (you can do this by tapping Win+E keys on the keyboard).
  2. Type %APPDATA% into the address bar and tap Enter.
  3. Right-click and Delete the malicious executable (format: [randomname].exe).
  4. Type %UserProfile% into the address bar and tap Enter.
  5. Right-click and Delete the file called How to decrypt your files.jpg.
  6. Exit Explorer and move to the Desktop.
  7. Right-click and Delete the file called How to decrypt your files.txt.
  8. Launch RUN (you can do this by tapping Win+R keys on the keyboard).
  9. To launch Registry Editor enter regedit.exe into the RUN box.
  10. Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  11. Right-click and Delete the value with a random name (e.g., odgdgdem) with the value data pointing to C:\Users\[user]\AppData\Roaming\[randomname].exe or a similar directory.
  12. Navigate to HKEY_CURRENT_USER\Control Panel\Desktop.
  13. Right-click and Delete the value named Wallpaper (value data: C:\Users\[user]\How to decrypt your files.jpg).
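
Before deleting anything by hand, the locations from the steps above can be checked in one pass. This read-only PowerShell audit is an added example, not part of the original report; the `Add-Finding` helper and the `$scope` variable are hypothetical names introduced here, and the script only lists candidates for review.

```powershell
# Added example: read-only check for the artifacts named in the removal steps.
# Nothing is deleted; review the output before removing anything.
$noteBase = 'How to decrypt your files'
$scope    = $env:APPDATA   # widen to $env:USERPROFILE to cover "or a similar directory"
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Kind, $Location, $Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail })
}

# Steps 2-3: executables directly in %APPDATA% are candidates for [randomname].exe
Get-ChildItem -LiteralPath $env:APPDATA -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Executable' $_.FullName "created $($_.CreationTime)" }

# Steps 4-7: ransom notes in the profile root and on the Desktop
$desktop = [Environment]::GetFolderPath('Desktop')
$notes = @((Join-Path $env:USERPROFILE "${noteBase}.jpg"), (Join-Path $desktop "${noteBase}.txt"))
foreach ($p in $notes) {
    if (Test-Path -LiteralPath $p) { Add-Finding 'RansomNote' $p 'present' }
}

# Steps 10-11: Run values whose data points to an .exe under $scope
$runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        $inScope = $data.IndexOf($scope, [StringComparison]::OrdinalIgnoreCase) -ge 0
        if ($inScope -and $data -match '\.exe') { Add-Finding 'RunValue' "$runKey\$name" $data }
    }
}

# Steps 12-13: wallpaper redirected to the ransom note image
$wp = (Get-ItemProperty -LiteralPath 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
if ($wp -and (Split-Path -Path $wp -Leaf) -eq "${noteBase}.jpg") {
    Add-Finding 'Wallpaper' 'HKCU:\Control Panel\Desktop' $wp
}

if ($findings.Count -eq 0) { 'No artifacts from the removal steps were found for this user.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it as the affected user, because every location it checks is per-user (HKEY_CURRENT_USER and the user profile).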