Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediately
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Grod Ransomware

Grod Ransomware is named that way because it adds the “.grod” extension to the files that it corrupts. This extension has only one purpose, and that is to mark the corrupted files. While you can easily delete this extension, you do not need to waste your time with that. Unfortunately, if you change the name, your files will remain unreadable, because the data inside was encrypted. Once a file is encrypted, a special decryptor is needed, and, unfortunately, it does not look like you can just download one. A free decryptor called “STOP Decrypter” appears to exist, but, at the time of research, it was not yet capable of decrypting files locked by Grod. Perhaps it is capable of that by the time you are reading this, and if you are ready to use it, make sure you do not install a fake lookalike by accident. After all, the last thing you need is to have to worry about the removal of Grod Ransomware AND other threats. One file-encryptor is enough.

Our malware experts have analyzed Grod Ransomware in the internal lab, and it is believed that it can spread via spam emails and through insecure RDP connections. That is also how Mbed Ransomware, Nakw Ransomware, Toec Ransomware, Nols Ransomware, and other infections from the STOP Ransomware (also known as Kryptik.AK) family are known to spread. Some of these threats are also known to disable the Task Manager, which ensures that the victim cannot terminate malicious processes and delete malicious files before encryption is initiated. After execution, Grod Ransomware should also open a pop-up window indicating that Windows is configuring updates. Even if you close this pop-up, your files will be encrypted soon enough. The threat drops quite a few files to facilitate its functions, but the most important one is “_readme.txt,” a ransom note file that should be dropped next to the encrypted files. Obviously, we recommend removing every single copy of this ransom note file.

The ransom note is a quick message from the attackers behind Grod Ransomware. They make it clear that files were encrypted, and then they suggest paying a ransom in return for a decryption key. The price of the tool is revealed ($490 if paid within three days), but the payment method is not fully clear, and that is what is meant to make you email restorefiles@firemail.cc or gorentos@bitmessage.ch. If you do this, the attackers will keep terrorizing you until you pay the ransom. Even then, they might try to expose you to new malware launchers and online scams. Needless to say, we do not recommend contacting the cybercriminals behind Grod Ransomware. Paying the ransom is not recommended either. First of all, you might be able to use a free decryptor. Second, you might have backups (stored online or on external drives) that could replace the encrypted files. Most important, if you pay the ransom, you are unlikely to get anything useful in return. Cybercriminals want your money, and they are likely to feed you lies and fake promises just to get you to pay the ransom.

Can you see the manual Grod Ransomware removal guide below? Does it intimidate you? In reality, only the first step is complicated, because we do not know where the launcher is or what its name might be. If you can get past this hurdle, eliminating the remaining components should be easy. Of course, if you cannot find the launcher and the steps included in the guide are not clear, you have another option, and that is to install anti-malware software. Once you install it, Grod Ransomware will be deleted automatically, and your system’s protection will be restored as well. Full-time protection is extremely important if you want to live your life malware-free. It is also important to back up files, just in case malware slithers in and corrupts the original copies. Finally, it is important that you take into account how you act when you turn on your computer. If you download, open, click, and browse carelessly, you are likely to face new threats even if you employ security software.

Grod Ransomware Removal

  1. Delete the launcher file. It runs from the location where it was dropped, but that location is unknown.
  2. Delete the ransom note file named _readme.txt.
  3. Tap Win+E keys to launch Windows Explorer.
  4. Type %WINDIR%\System32\Tasks\ into the field at the top and tap Enter.
  5. Delete the task called Time Trigger Task.
  6. Enter %LOCALAPPDATA% (or %USERPROFILE%\Local Settings\Application Data\) at the top.
  7. Delete the file named script.ps1.
  8. Delete the [unknown name] folder that contains a malicious [unknown name].exe file.
  9. Delete the second [unknown name] folder that contains updatewin.exe and updatewin2.exe files.
  10. Tap Win+R keys to launch Run.
  11. Enter regedit into the dialog box and click OK to launch Registry Editor.
  12. Move to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  13. Delete the SysHelper value if its data points to the %LOCALAPPDATA%\[random]\[random].exe file.
  14. Empty Recycle Bin and then quickly install a legitimate malware scanner.
  15. Run a full system scan and delete the leftovers that might be detected.
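The following is an added PowerShell triage script, not part of the original guide, that checks a Windows host for the artefacts the steps above name (the SysHelper Run value, the Time Trigger Task file, script.ps1 in %LOCALAPPDATA%, .grod files and _readme.txt notes) and reports them without deleting anything, so you can confirm an infection before working through the manual steps. The search root parameter and the table layout are my own choices; everything else comes from the guide.

```powershell
# Added triage script (not from the original page): reports the Grod Ransomware
# artefacts listed in the removal guide. Run it as the affected user.
# Assumption: $SearchRoot is where encrypted files and ransom notes are expected.
param(
    [string]$SearchRoot = $env:USERPROFILE
)

$findings = @()

# 1. Persistence: SysHelper value under HKCU\...\Run pointing into %LOCALAPPDATA%\[random]\[random].exe
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$sysHelper = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).SysHelper
if ($sysHelper) {
    $local      = [regex]::Escape($env:LOCALAPPDATA)
    $suspicious = $sysHelper -match "^`"?$local\\[^\\]+\\[^\\]+\.exe"
    $findings += [pscustomobject]@{ Artefact = 'Run value SysHelper'; Value = $sysHelper; Suspicious = $suspicious }
}

# 2. Scheduled task "Time Trigger Task" (task definition lives under %WINDIR%\System32\Tasks)
$taskFile = Join-Path $env:WINDIR 'System32\Tasks\Time Trigger Task'
if (Test-Path $taskFile) {
    $findings += [pscustomobject]@{ Artefact = 'Scheduled task'; Value = $taskFile; Suspicious = $true }
}

# 3. Dropped script.ps1 in %LOCALAPPDATA%
$scriptPath = Join-Path $env:LOCALAPPDATA 'script.ps1'
if (Test-Path $scriptPath) {
    $findings += [pscustomobject]@{ Artefact = 'Dropped script'; Value = $scriptPath; Suspicious = $true }
}

# 4. Encrypted files and ransom notes under the search root
$encrypted = Get-ChildItem -Path $SearchRoot -Recurse -Filter '*.grod' -File -ErrorAction SilentlyContinue
$notes     = Get-ChildItem -Path $SearchRoot -Recurse -Filter '_readme.txt' -File -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{ Artefact = '*.grod files';      Value = $encrypted.Count; Suspicious = ($encrypted.Count -gt 0) }
$findings += [pscustomobject]@{ Artefact = '_readme.txt notes'; Value = $notes.Count;     Suspicious = ($notes.Count -gt 0) }

$findings | Format-Table -AutoSize

# List every ransom note location so each copy can be removed (keep one for the incident record).
$notes | Select-Object -ExpandProperty FullName
```

A SysHelper value that does not match the %LOCALAPPDATA%\[random]\[random].exe pattern is still reported, but flagged as not suspicious, so check it by hand before deleting it.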