.Gerosan file virus ransomware (Restore, Decrypt .gerosan extension files)

Gerosan file virus is a new ransomware. Like other ransomware, it is basically a malicious program which gets on your PC and runs. It locks up your photos, documents and music and changes their extensions to .gerosan file extension. This article will provide you with all the things you need to know about ransomware virus, how to remove Gerosan ransomware virus from your machine and how to restore (decrypt) encrypted documents, photos and music for free.

Gerosan ransomware encrypts personal files until a ransom is paid to the cyber criminal. Once started, it will scan the computer for certain file types and encrypt them. It will encrypt almost of files, including:

.epk, .qic, .wpl, .3ds, .menu, .ptx, .x, .pptx, .dbf, .nrw, .bc7, .vpk, .wps, .xml, .sidd, .wav, .py, .wot, .ntl, .fpk, .ncf, .xf, .wpa, .wmv, .wbmp, .wdp, .zabw, .rb, .ltx, .raf, .wire, .mcmeta, .wmo, .flv, .zi, .m3u, .xmmap, .xdl, .slm, .webdoc, .xpm, .itdb, .cr2, .wb2, .apk, .pfx, .wpg, .upk, .csv, .mddata, .vdf, .wotreplay, .wsh, .m2, .vpp_pc, .ppt, .wbk, .cer, .mpqge, .zdb, .r3d, .orf, .zip, .map, .kdc, .z3d, .jpg, .rofl, .snx, .asset, .vcf, .wpb, .gho, .yml, .sb, .wma, .cfr, .crt, .docx, .lbf, .odb, .zif, .z, .p7b, .xlsm, .itl, .xls, .wp, .xlk, .wmv, .lrf, .xyw, .dmp, .js, .wsd, .wbm, .ws, .forge, .cdr, .sidn, .fsh, .tax, .xll, .rw2, .sie, .sr2, .rim, .blob, .big, .wm, .esm, .wri, .layout, .xlsx, .xbplate, .pkpass, .mrwref, .avi, .srw, .p12, .fos, .1st, .wpd, .odm, .kdb, .ysp, .mdbackup, .sis, .doc, .xlsb, .bkf, .mef, .bsa, .hkdb, .iwi, .ods, .der, .dba, .pst, .xdb, .2bp, wallet, .wsc, .litemod, .ai, .xbdoc, .txt, .ztmp, .odp, .wp4, .erf, .wma, .srf, .itm, .wmd, .wpe, .hplg, .arch00, .ibank, .vfs0, .bc6, .dcr, .bkp, .crw, .pak, .xlsm, .zip, .wpt, .w3x, .wp7, .hvpl, .sql, .gdb, .yal, .wbd, .wmf, .tor, .p7c, .x3f, .cas, .xar, .3dm, .re4, .xls, .docm, .x3f, .3fr, .bay, .rar, .accdb, .dwg, .0, .bar, .wpd, .d3dbsp, .kf, .indd, .xx, .pef, .xwp, .syncdb, .iwd, .xld, .psk, .bik, .t13, .y, .odt, .pdf, .svg, .jpe, .db0, .odc, .xlgc, .arw, .dng, .icxs, .pem, .m4a, .webp, .wp5, .hkx, .psd, .mlx, .x3d, .wbz, .rwl, .sav, .xy3, .desc, .wbc, .wdb

Once a file is encrypted, its extension changed to .gerosan. Next, the crypto virus creates a file called ‘_readme.txt’. This file contain a note on how to decrypt all encrypted photos, documents and music. You can see an one of the variants of the ransomnote below:

ATTENTION!
 
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-hvv30uAtTY
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

 

Threat Summary

Name	Gerosan
Type	Crypto malware, Crypto virus, Filecoder, Ransomware, File locker
Encrypted files extension	.gerosan
Ransom note	_readme.txt
Contact	gorentos@bitmessage.ch, gorentos@firemail.cc, @datarestore
Ransom amount	$980, $490 in Bitcoins
Symptoms	Unable to open files. Your documents, photos and music have a wrong name, suffix or extension, or don’t look right when you open them. Files named like ‘_readme.txt’, ‘#_README_#’, ‘_DECRYPT_’ or ‘recover’ in each folder with at least one encrypted file.. New files on your desktop, with name variants of: ‘HOW_TO_DECRYPT.txt’, ‘DECRYPT.txt’ or ‘README.txt’.
Distribution methods	Malicious e-mail spam. Malicious downloads that happen without a user’s knowledge when they visit a compromised web-site. Social media, such as web-based instant messaging programs. Remote desktop protocol (RDP) hacking.
Removal	To remove Gerosan ransomware use the removal guide
Decryption	To decrypt Gerosan ransomware use the steps

 

Therefore it is very important to follow the instructions below without a wait. The tutorial will assist you to delete Gerosan virus. What is more, the tutorial below will help you restore (decrypt) encrypted personal files for free.

Quick links

1. How to remove Gerosan file virus
2. How to decrypt .gerosan files
3. Use STOPDecrypter to decrypt .gerosan files
4. How to restore .gerosan files
5. How to protect your computer from Gerosan ransomware virus?
6. Finish words

How to remove Gerosan file virus

There are not many good free antimalware programs with high detection ratio. The effectiveness of malware removal tools depends on various factors, mostly on how often their virus/malware signatures DB are updated in order to effectively detect modern worms, trojans, ransomware and other malware. We advise to run several programs, not just one. These programs that listed below will help you remove all components of the Gerosan file virus from your disk and Windows registry.

Remove Gerosan file virus with Zemana Anti-malware

We recommend using the Zemana Anti-malware that are completely clean your computer of the crypto malware. The tool is an advanced malicious software removal application developed by (c) Zemana lab. It is able to help you remove trojans, ransomware, adware, malware, worms, spyware and other security threats from your computer for free.

Zemana can be downloaded from the following link. Save it to your Desktop.

When the downloading process is finished, close all windows on your machine. Further, start the install file named Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as displayed in the following example, press the “Yes” button.

It will open the “Setup wizard” that will allow you install Zemana Free on the computer. Follow the prompts and do not make any changes to default settings.

Once installation is finished successfully, Zemana will automatically start and you can see its main window like below.

Next, click the “Scan” button to perform a system scan for Gerosan file virus, other kinds of potential threats such as malicious software and trojans. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your computer. While the utility is scanning, you can see how many objects and files has already scanned.

After the checking is done, you will be displayed the list of all detected items on your personal computer. Once you’ve selected what you want to remove from your PC press “Next” button.

The Zemana AntiMalware will remove Gerosan file virus, other malicious software, worms and trojans. When the process is finished, you may be prompted to reboot your machine.

How to remove Gerosan ransomware virus with MalwareBytes AntiMalware

If you’re having problems with the Gerosan removal, then download MalwareBytes Free. It is free for home use, and detects and removes various undesired software that attacks your computer or degrades personal computer performance. MalwareBytes Free can remove adware, worms, spyware as well as malicious software, including ransomware and trojans.

1. Visit the following page to download MalwareBytes Free. Save it to your Desktop so that you can access the file easily.
   
   

   Malwarebytes Anti-malware
   317744 downloads
   Author: Malwarebytes
   Category: Security tools
   Update: April 15, 2020
   
2. When downloading is finished, close all applications and windows on your computer. Open a folder in which you saved it. Double-click on the icon that’s named mb3-setup.
3. Further, click Next button and follow the prompts.
4. Once setup is complete, click the “Scan Now” button to start scanning your PC system for Gerosan ransomware virus related files, folders and registry keys. This task can take some time, so please be patient. While the MalwareBytes Free tool is checking, you can see number of objects it has identified as being infected by malware.
5. Once finished, you can check all threats found on your personal computer. You may remove threats (move to Quarantine) by simply press “Quarantine Selected”. After the task is finished, you may be prompted to reboot your personal computer.

The following video offers a step-by-step tutorial on how to get rid of hijackers, adware and other malware with MalwareBytes.

Scan your system and remove Gerosan ransomware virus with KVRT

The KVRT tool is free and easy to use. It can scan and remove ransomware virus such as Gerosan ransomware virus, other malicious software and trojans. KVRT is powerful enough to find and remove malicious registry entries and files that are hidden on the PC.

Download Kaspersky virus removal tool (KVRT) on your computer by clicking on the link below.

After the downloading process is finished, double-click on the KVRT icon. Once initialization process is finished, you’ll see the Kaspersky virus removal tool screen like below.

Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to perform a system scan for Gerosan ransomware virus and other trojans and malicious software. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your system and the speed of your system. While the utility is checking, you can see how many objects and files has already scanned.

Once the scan get completed, Kaspersky virus removal tool will open a scan report as displayed in the following example.

You may delete items (move to Quarantine) by simply click on Continue to begin a cleaning procedure.

How to decrypt .gerosan files

The Gerosan ransomware virus encourages to make a payment in Bitcoins to get a key to decrypt personal files. Important to know, currently not possible to decrypt .gerosan files without the private key and decrypt application.

Should you pay the ransom? A majority of cyber threat analysts will reply immediately that you should never pay a ransom if affected by ransomware! If you choose to pay the ransom, there is no 100% guarantee that you can decrypt all photos, documents and music!

With some variants of the Gerosan ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.

Use STOPDecrypter to decrypt .gerosan files

Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).

STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .dotmap. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.gerosan).

Please check the twitter post for more info.

How to restore .gerosan files

In some cases, you can restore files encrypted by Gerosan ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.

Use shadow copies to restore .gerosan files

In some cases, you have a chance to recover your documents, photos and music that were encrypted by the Gerosan ransomware. This is possible due to the use of the tool named ShadowExplorer. It is a free program which created to obtain ‘shadow copies’ of files.

Installing the ShadowExplorer is simple. First you’ll need to download ShadowExplorer from the following link.

When the download is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as on the image below.

Run the ShadowExplorer tool and then choose the disk (1) and the date (2) that you want to recover the shadow copy of file(s) encrypted by the Gerosan crypto virus as shown in the following example.

Now navigate to the file or folder that you wish to recover. When ready right-click on it and click ‘Export’ button like below.

Recover .gerosan files with PhotoRec

Before a file is encrypted, the Gerosan crypto malware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your files using file restore applications like PhotoRec.

Download PhotoRec on your Windows Desktop by clicking on the following link.

Once downloading is done, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed below.

Double click on qphotorec_win to run PhotoRec for Windows. It’ll show a screen as displayed below.

Select a drive to recover as displayed on the screen below.

You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as on the image below.

Click File Formats button and specify file types to recover. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.

Next, press Browse button to choose where restored documents, photos and music should be written, then click Search.

Count of recovered files is updated in real time. All recovered files are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.

When the recovery is complete, press on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as shown below.

All restored files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your recovered files by extension and/or date/time.

How to protect your computer from Gerosan ransomware virus?

Most antivirus applications already have built-in protection system against the crypto malware. Therefore, if your personal computer does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert.

Use HitmanPro.Alert to protect your PC from Gerosan ransomware

All-in-all, HitmanPro.Alert is a fantastic tool to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows operating system from Windows XP to Windows 10.

Installing the HitmanPro.Alert is simple. First you will need to download HitmanPro Alert from the following link.

When the downloading process is done, open the file location. You will see an icon like below.

Double click the HitmanPro.Alert desktop icon. Once the utility is started, you will be shown a window where you can choose a level of protection, as displayed in the figure below.

Now click the Install button to activate the protection.

Finish words

Now your computer should be free of the Gerosan ransomware virus. Remove Kaspersky virus removal tool and MalwareBytes Anti-Malware (MBAM). We advise that you keep Zemana Anti-Malware (to periodically scan your computer for new malware). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.

If you are still having problems while trying to delete Gerosan ransomware from your computer, then ask for help here.