.Grovas file extension ransomware (Decrypt, restore .grovas files)

Today, IT security experts has received reports of yet another ransomware called Grovas ransomware. The ransomware virus spreads via spam emails and malware files and appends the .grovas file extension to encrypted files.

Files encrypted by Grovas ransomware

Grovas ransomware is a new version of Merosa@india.com ransomware. The malware uses a strong encryption algorithm. Once started, the virus will encrypt almost all types of files, including common as:

.xf, .jpe, .wb2, .dbf, .sum, .odp, .crt, .itm, .hplg, .wcf, .xpm, .2bp, .mdbackup, .wav, .sb, .rgss3a, .pdd, .vcf, .sidn, .raf, .rwl, .m4a, .mef, .y, .w3x, .wma, .slm, .zip, .wp5, .3fr, .bkf, .xlsm, .iwd, .zdc, .wmv, .cfr, .dmp, .yal, .mdf, .0, .wmd, .x3d, .xlsb, .pptx, .dcr, .cer, .srf, .pptm, .ybk, .wri, .nrw, .wdb, .dazip, .z3d, .sav, .forge, .xls, .xld, .flv, .sql, .litemod, .qic, .jpeg, .wpd, .xlk, .wn, .dwg, .menu, .xmind, .3dm, .accdb, .eps, .wpl, .sid, .jpg, .doc, .dxg, .xdb, .arch00, .xbdoc, .wsh, .wpt, .ysp, .map, .erf, .wp4, .rtf, .pdf, .hkdb, .wpa, .odt, .orf, .das, .iwi, .xmmap, .wm, .d3dbsp, .psk, .wmf, .x, .ltx, .lvl, .wbc, .xls, .zip, .m3u, .asset, .wpw, .sis, .wsc, .qdf, .lbf, .xxx, .wbmp, .wbm, .wmo, .crw, .vdf, .zabw, .re4, .xll, .odm, .pfx, .pef, .rb, .kf, .bar, .t12, .der, .lrf, .txt, .avi, .wot, .vpk, .wbd, .xyw, .vfs0, .gho, .wp6, .webdoc, .ppt, .rofl, .cas, .docm, .gdb, .rw2, .mcmeta, .1, .kdb, .ff, .wbz, .wmv, .mov, .x3f, .pkpass, .ods, .r3d, .pak, .csv, .wpe, .itl, .wp7, .tax, .wotreplay, .ncf, .x3f, .mrwref, .kdc, .t13, .xlgc, .pem, .big, .svg, .fos, .dba, .hkx, .wdp, .rim, .z, .mlx, .wsd, .xdl, .wps, .srw, .cr2, .esm, .dng, .js, .xlsm, .upk, .icxs, .rar

Once the encryption procedure is complete, it will create a ransom note named “_open_.txt” offering decrypt all users documents, photos and music if a payment is made. An example of the ransom note is:

“.Grovas ransomware” – ransom note

Follow our guide below to find and remove .Grovas ransomware virus from your computer as well as recover (decrypt) encrypted files for free.

Quick links:

1. How to remove .Grovas ransomware virus
2. How to decrypt .grovas files
3. Use STOPDecrypter to decrypt .grovas files
4. How to restore .grovas files
5. How to protect your computer from .Grovas ransomware?
6. Finish words

How to remove .Grovas ransomware virus

Manual removal does not always help to completely remove the .Grovas ransomware, as it is not easy to identify and remove components of ransomware virus and all malicious files from hard disk. Therefore, it’s recommended that you run malicious software removal utility to completely remove .Grovas ransomware virus off your personal computer. Several free malware removal tools are currently available that can be used against the ransomware. The optimum method would be to run Zemana Anti-malware, Malwarebytes Free and Kaspersky Virus Removal Tool.

Remove .Grovas ransomware virus with Zemana Anti-malware

We recommend using the Zemana Anti-malware. You can download and install Zemana Anti-malware to search for and delete .Grovas ransomware virus from your PC. When installed and updated, the malware remover will automatically scan and detect all threats exist on the computer.

1. Zemana can be downloaded from the following link. Save it to your Desktop so that you can access the file easily.
   
   

   Zemana AntiMalware
   164976 downloads
   Author: Zemana Ltd
   Category: Security tools
   Update: July 16, 2019
   
2. At the download page, click on the Download button. Your internet browser will display the “Save as” dialog box. Please save it onto your Windows desktop.
3. Once downloading is complete, please close all applications and open windows on your computer. Next, run a file called Zemana.AntiMalware.Setup.
4. This will launch the “Setup wizard” of Zemana onto your PC. Follow the prompts and don’t make any changes to default settings.
5. When the Setup wizard has finished installing, the Zemana Anti-Malware (ZAM) will open and display the main window.
6. Further, click the “Scan” button . Zemana tool will start scanning the whole computer to find out the .Grovas ransomware virus related files, folders and registry keys. This task may take quite a while, so please be patient. During the scan Zemana will detect threats present on your machine.
7. After that process is finished, you can check all threats found on your computer.
8. You may remove items (move to Quarantine) by simply click the “Next” button. The tool will start to remove .Grovas ransomware virus and other malware. When finished, you may be prompted to reboot the computer.
9. Close the Zemana Anti-Malware (ZAM) and continue with the next step.

Remove Grovas ransomware with MalwareBytes Free

Remove Grovas ransomware virus manually is difficult and often the ransomware is not fully removed. Therefore, we recommend you to use the MalwareBytes Free that are completely clean your system. Moreover, this free program will allow you to remove malicious software, trojans, worms and adware that your personal computer can be infected too.

1. Installing the MalwareBytes is simple. First you’ll need to download MalwareBytes on your system by clicking on the link below.
   
   

   Malwarebytes Anti-malware
   327218 downloads
   Author: Malwarebytes
   Category: Security tools
   Update: April 15, 2020
   
2. At the download page, click on the Download button. Your browser will open the “Save as” dialog box. Please save it onto your Windows desktop.
3. Once downloading is complete, please close all programs and open windows on your personal computer. Double-click on the icon that’s called mb3-setup.
4. This will start the “Setup wizard” of MalwareBytes Free onto your computer. Follow the prompts and do not make any changes to default settings.
5. When the Setup wizard has finished installing, the MalwareBytes will run and show the main window.
6. Further, click the “Scan Now” button . MalwareBytes Free tool will begin scanning the whole computer to detect the Grovas ransomware. This task can take quite a while, so please be patient. While the MalwareBytes tool is scanning, you can see how many objects it has identified as being infected by malware.
7. When the scan get completed, MalwareBytes Anti Malware (MBAM) will display a list of detected items.
8. You may remove items (move to Quarantine) by simply press the “Quarantine Selected” button. Once the process is finished, you may be prompted to restart the machine.
9. Close the Anti Malware and continue with the next step.

Video instruction, which reveals in detail the steps above.

Use KVRT to remove .Grovas ransomware

KVRT is a free portable program that scans your personal computer for malware and ransomwares like the .Grovas ransomware and helps delete them easily. It will perform a deep scan of your computer including hard drives and Windows registry. After malicious software is found, it will help you to remove all found threats from your computer by a simple click.

Download Kaspersky virus removal tool (KVRT) by clicking on the link below. Save it on your Desktop.

Kaspersky virus removal tool
129277 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

Once the downloading process is complete, double-click on the KVRT icon. Once initialization process is finished, you will see the KVRT screen like below.

Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button for scanning your machine for the .Grovas ransomware virus and other malware. This process may take quite a while, so please be patient.

Once the scan is finished, you will be displayed the list of all detected items on your PC system as displayed below.

You may remove items (move to Quarantine) by simply press on Continue to begin a cleaning process.

How to decrypt .grovas files

The .Grovas ransomware virus offers victim to contact it’s developers in order to decrypt all personal files. These persons will require to pay a ransom (usually demand for $490-980 in Bitcoins).

There is absolutely no guarantee that after pay a ransom to the makers of the .Grovas ransomware virus, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new virus.

Files encrypted by Grovas ransomware

With some variants of Grovas ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.

Use STOPDecrypter to decrypt .grovas files

Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).

STOPDecrypter by Demonslay335

STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.grovas).

Please check the twitter post for more info.

How to restore .grovas files

In some cases, you can recover files encrypted by .Grovas ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted documents, photos and music.

Use shadow copies to restore .grovas files

A free tool called ShadowExplorer is a simple solution to use the ‘Previous Versions’ feature of Windows 10 (8, 7 , Vista). You can recover .grovas personal files encrypted by the .Grovas ransomware virus from Shadow Copies for free.

Installing the ShadowExplorer is simple. First you will need to download ShadowExplorer on your system by clicking on the link below.

ShadowExplorer
439618 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

After downloading is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed below.

Double click ShadowExplorerPortable to start it. You will see the a window as displayed on the image below.

In top left corner, select a Drive where encrypted photos, documents and music are stored and a latest restore point as shown on the image below (1 – drive, 2 – restore point).

On right panel look for a file that you want to recover, right click to it and select Export as shown in the following example.

Recover .grovas files with PhotoRec

Before a file is encrypted, the .Grovas ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your documents, photos and music using file restore applications such as PhotoRec.

Download PhotoRec from the following link.

PhotoRec
221285 downloads
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

Once downloading is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the figure below.

Double click on qphotorec_win to run PhotoRec for MS Windows. It will open a screen like below.

Choose a drive to recover as on the image below.

You will see a list of available partitions. Choose a partition that holds encrypted files as displayed in the figure below.

Click File Formats button and choose file types to restore. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.

Next, click Browse button to choose where restored files should be written, then click Search.

Count of recovered files is updated in real time. All recovered documents, photos and music are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.

When the restore is complete, press on Quit button. Next, open the directory where restored personal files are stored. You will see a contents like below.

All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your recovered files by extension and/or date/time.

How to protect your computer from .Grovas ransomware?

Most antivirus programs already have built-in protection system against the ransomware virus. Therefore, if your personal computer does not have an antivirus application, make sure you install it. As an extra protection, run the HitmanPro.Alert.

Run HitmanPro.Alert to protect your computer from .Grovas ransomware

All-in-all, HitmanPro.Alert is a fantastic utility to protect your PC system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of MS Windows OS from MS Windows XP to Windows 10.

Download HitmanPro.Alert on your MS Windows Desktop by clicking on the link below.

HitmanPro.Alert
6875 downloads
Author: Sophos
Category: Security tools
Update: March 6, 2019

When the downloading process is finished, open the folder in which you saved it. You will see an icon like below.

Double click the HitmanPro Alert desktop icon. When the utility is launched, you’ll be displayed a window where you can select a level of protection, as on the image below.

Now press the Install button to activate the protection.

Finish words

After completing the instructions outlined above, your PC should be free from .Grovas ransomware virus and other malware. Your personal computer will no longer encrypt your photos, documents and music. Unfortunately, if the tutorial does not help you, then you have caught a new virus, and then the best way – ask for help here.