What is a .Grod file
The .Grod file extension is associated with the newest version of the widespread ransomware called STOP (Djvu). Researchers discovered the ‘Grod’ variant just a couple of days after discovering the previous one, which is called Peet. Like all previous versions of STOP ransomware, Grod encrypts files and makes them unreadable. The ransomware authors demand a ransom from their victims for restoring access to the encrypted data. Fortunately, a group of security professionals has created a free decryptor that helps Grod’s victims decrypt their files. You can find all the information about this decryptor below; just scroll down this article.
What is the Grod virus
Grod is a really nasty program. It infects a computer when a victim downloads or runs malware-infected files. Criminals lure unwary users into downloading the ransomware by hiding malicious code within freeware, cracked versions of paid software, key generators, and so on. Upon execution, an instance of the ransomware is installed on the victim’s computer.
Once installed on a computer, Grod encrypts the victim’s files using a strong encryption algorithm and a long key. If, before encrypting the files, the virus was able to establish a connection with its command-and-control (C&C) server, it uses a so-called ‘online key’ that is unique to each victim. The other case is when the virus could not establish a connection to its C&C server. In that case, Grod uses a so-called ‘offline key’. This key is the same for everyone and can be determined by security researchers (it has already been found for many previous versions of STOP ransomware).
Grod tries to encrypt as many files as possible, so it encrypts files quickly. Even files located on external drives and in cloud storage are not safe: if these disks are connected to the computer at the time of encryption, all data on them will also be encrypted. It does not encrypt Windows system files, as this would cause the computer to stop working. In addition to files located in system directories, the Grod virus does not encrypt files with the extensions ‘.bat, .sys, .dll, .lnk, .ini’ or the file named ‘_readme.txt’. All other files on the victim’s computer will be encrypted, so files of the following types can be encrypted:
.vtf, .sum, .3fr, .bik, .epk, .z3d, .ptx, .py, .docm, .bsa, .rw2, .wn, .xy3, .xmmap, .3ds, .mdf, .ai, .m3u, .apk, .xdl, .wot, .srf, .wpt, .wbd, .wb2, .xlsx, .gdb, .pst, .dba, .2bp, .sidd, .wp5, .der, .wotreplay, .jpg, .forge, .ncf, .srw, .psk, .cr2, .crt, .cer, .xx, .sis, .mpqge, .pfx, .bkf, .blob, .itm, .x3d, .t13, .x3f, .wp4, .odp, .pdf, .sid, .raf, .wbc, .xwp, .docx, .vcf, .flv, .wps, .mcmeta, .dbf, .dwg, .1st, .txt, .xlk, .vpk, .hkdb, .mp4, .r3d, .ws, .syncdb, .fpk, .wbm, .eps, .p7c, .1, .dxg, .lrf, .mef, .d3dbsp, .sql, .hplg, .wsc, .xlsm, .zip, .xyp, .wav, .xpm, .menu, .wmf, .mddata, .db0, .itl, .lvl, .zabw, .wpa, .bar, .x, .sidn, .mlx, .js, .xld, .tor, .webdoc, .ztmp, .xar, .p7b, .zdb, .cas, .big, .kf, .arw, .xmind, .pkpass, .gho, .desc, .xbdoc, .rb, .wpd, .mrwref, .psd, .yal, .xf, .qic, .t12, .css, .fos, .svg, .mov, .re4, .erf, .ysp, .pak, .wpb, .orf, .crw, .z, .webp, .mdb, .wpw, .wsd, .wm, .das, .wp6, .iwi, .xdb, .ybk, .kdb, .7z, .ods, .zi, .pem, .sb, .hvpl, .map, .dmp, .doc, .wmd, .wma, .ff, .wsh, .zdc, .wpe, .raw, .odc, .png, .rtf, .mdbackup, .zif, .iwd, .sav, .dng, .xls, .pptm, .indd, .wma, .bc6, .jpeg, .snx, .bc7, .ltx, .wmv, .bay, .zw, .xbplate, .odb, .wbk, .wps, .wbmp, .xls, .wp7, .wire, .dcr, .xxx, .vdf, .3dm, .wri, .odt, .fsh, .odm, .pptx, .xlsx, .wp, .zip, .asset, .lbf, .wpd, .rgss3a, .0, .avi, .rofl, .bkp, .accdb, .m2, .dazip, .itdb, .xlsm, .wdp, .wpg, .pef, .rim, .ibank, .wmv, .sr2, .slm, .wpl
The virus changes the name of each encrypted file by appending ‘.grod’ to the end of the filename. For example, if a file was called ‘document.doc’, after encryption it will be renamed to ‘document.doc.grod’. In each folder where the virus has encrypted one or more files, it drops a file named ‘_readme.txt’.
This file contains a message from the Grod authors, in which they state that the files on the victim’s computer have been encrypted and that the only way to decrypt them is to buy a key and a decryptor. The criminals demand $490 from the victim; if the victim does not pay the ransom within 72 hours, the amount doubles to $980. The attackers offer to decrypt one small file for free to prove that .grod files can be decrypted. Even if the criminals do decrypt one file, this does not guarantee that, after receiving the ransom, they will give the victim the key and the decryptor.
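The renaming and note-dropping behaviour described above is what a responder looks for when sizing up an infection. The following Python script is an added example written for this article; it is not the virus, the decryptor, or any vendor's code. It walks a folder tree, lists files carrying the ‘.grod’ suffix together with their original names, lists the folders that contain a ‘_readme.txt’ note, flags folders that hold encrypted files but no note, and leaves files with the extensions the virus skips (.bat, .sys, .dll, .lnk, .ini) out of the count. The sample tree it builds in a temporary directory is constructed for the demonstration, and the constant names are this example's own.

```python
"""Inventory a folder tree for the traces a .grod infection leaves behind.

Added example for this article (not the virus, the decryptor, or any vendor's
code). Assumes the behaviour the article describes: encrypted files get
'.grod' appended to their original name, files with .bat/.sys/.dll/.lnk/.ini
extensions and '_readme.txt' are skipped, and a '_readme.txt' note is
dropped in every folder holding at least one encrypted file.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constants named by this example, values taken from the article's description.
ENCRYPTED_SUFFIX = ".grod"
RANSOM_NOTE = "_readme.txt"
SKIPPED_EXTENSIONS = {".bat", ".sys", ".dll", ".lnk", ".ini"}


def original_name(encrypted_name):
    """'document.doc.grod' -> 'document.doc' (the name before the virus renamed it)."""
    name = Path(encrypted_name).name
    if not name.endswith(ENCRYPTED_SUFFIX):
        raise ValueError(f"{name!r} does not carry the {ENCRYPTED_SUFFIX} suffix")
    return name[: -len(ENCRYPTED_SUFFIX)]


def inventory(root):
    """Walk `root` and summarise what the infection touched.

    Returns a dict with:
      encrypted        sorted list of encrypted files (Path objects)
      note_folders     sorted folders that contain a ransom note
      notes_missing    folders with encrypted files but no note (worth a closer look)
      untouched        files whose extension the virus skips by design
      by_original_ext  Counter of the original extensions of the encrypted files
    """
    root = Path(root)
    encrypted, untouched = [], []
    note_folders, folders_with_encrypted = set(), set()
    by_original_ext = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        for name in filenames:
            if name == RANSOM_NOTE:
                note_folders.add(folder)
            elif name.endswith(ENCRYPTED_SUFFIX):
                original = original_name(name)
                by_original_ext[Path(original).suffix.lower() or "(none)"] += 1
                encrypted.append(folder / name)
                folders_with_encrypted.add(folder)
            elif Path(name).suffix.lower() in SKIPPED_EXTENSIONS:
                untouched.append(folder / name)
    return {
        "encrypted": sorted(encrypted),
        "note_folders": sorted(note_folders),
        "notes_missing": sorted(folders_with_encrypted - note_folders),
        "untouched": sorted(untouched),
        "by_original_ext": by_original_ext,
    }


def build_sample_tree(base):
    """Constructed sample tree; file contents are placeholders, not real ciphertext."""
    base = Path(base)
    files = {
        "Documents/report.docx.grod": b"<ciphertext>",
        "Documents/budget.xlsx.grod": b"<ciphertext>",
        "Documents/_readme.txt": b"<ransom note>",
        "Pictures/holiday.jpg.grod": b"<ciphertext>",
        "Pictures/_readme.txt": b"<ransom note>",
        "Tools/run.bat": b"@echo off",          # extension the virus skips
        "Tools/settings.ini": b"[app]",         # extension the virus skips
        "Odd/notes.txt.grod": b"<ciphertext>",  # encrypted, but no note dropped
    }
    for rel, content in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return base


def demo():
    """Run the inventory over the constructed tree and return a compact summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        result = inventory(root)

        def rel(path):
            return path.relative_to(root).as_posix()

        for path in result["encrypted"]:
            print(f"encrypted: {rel(path)}  (originally {original_name(path)})")
        for folder in result["notes_missing"]:
            print(f"encrypted files but no ransom note in: {rel(folder)}")
        return {
            "encrypted_count": len(result["encrypted"]),
            "note_folders": [rel(p) for p in result["note_folders"]],
            "notes_missing": [rel(p) for p in result["notes_missing"]],
            "untouched": [rel(p) for p in result["untouched"]],
            "by_original_ext": dict(result["by_original_ext"]),
        }


if __name__ == "__main__":
    print(demo())
```

Run it as-is to see the summary for the constructed tree; to inventory a real drive, call `inventory(r"D:\")` (or any mount point) and read the returned dict. The `by_original_ext` counter is handy when deciding which file types to tick in a recovery tool later, and `original_name` is the mapping you need when matching recovered files back to their encrypted copies.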
Threat Summary
Name | Grod
Type | Ransomware, File locker, Filecoder, Crypto malware, Crypto virus
Encrypted files extension | .grod
Ransom note | _readme.txt
Contact | restoredatahelp@firemail.cc, gorentos@bitmessage.ch
Ransom amount | $490/$980
Detection Names | TrojanRansom/Crypted, UDS:Dangerous.Object.Multi.Generic, TrojanWin32.Kryptik, File.Rep.Malware, TR.CryptAgent, MalwareWin32-Ransom, TrojanEncoder
Symptoms | Files encrypted with the .grod extension. Windows Explorer displays a blank icon for the file type. Files named ‘_readme.txt’ or ‘_readme’ in every folder with an encrypted file. New files on your desktop named ‘_readme’ or ‘_readme.txt’.
Distribution ways | Spam mails. Torrents. Exploit kits. Cracks. Social media posts. Activators.
Removal | Grod virus removal guide
Decryption | Free Grod Decryptor
The criminals scare every victim by saying that the files cannot be decrypted without a key and a decryptor. Unfortunately, this is true: the contents of the files cannot be unlocked any other way. In any case, a key and a decryptor are needed.
But there is good news: Emsisoft has created a free decryptor that allows everyone to decrypt files that were encrypted with any version of STOP (Djvu) ransomware. Since Grod is one of the variants of this ransomware, this decryptor is also suitable for decrypting .grod files. Unfortunately, so far it can only decrypt files that were encrypted with an offline key.
How to remove Grod and Decrypt .grod files
If you find that your computer is infected with the Grod virus and your files are encrypted, you need to perform certain actions that will allow you to remove the ransomware and decrypt the affected files. Below we provide instructions that are divided into several steps to be completed one by one. It is important that, before decrypting or recovering files, you make sure Grod is completely removed. In order not to miss anything, we recommend that you open these instructions on your smartphone or print them.
Remove Grod ransomware virus
The first thing you should do before decrypting or recovering files is to scan your computer for malware. This step cannot be skipped, because if the Grod virus is not completely removed from the computer, it will continue its malicious actions. In order to find all malware components and remove them from the computer, we recommend using free malware removal tools. The best option is to first update your antivirus and perform a full scan, then use the free malware removal tools listed below to check your computer and remove the malware found. It is advisable to use not one malware removal tool but two or more, as this significantly increases the chance of detecting the malware.
Remove Grod with Zemana Anti Malware (ZAM)
To find and remove all Grod components, we advise you to use a program called Zemana Anti Malware. It can locate all kinds of malware, including ransomware, as well as a variety of Trojans, spyware, worms and rootkits. After the detection of Grod ransomware virus, you can easily and quickly remove it for free.
- Download Zemana Anti-Malware from the following link.
Zemana AntiMalware (164112 downloads; Author: Zemana Ltd; Category: Security tools; Update: July 16, 2019)
- Close all windows. Double-click on the downloaded file.
- You will be shown the Setup wizard window. Just follow the prompts and do not change anything in the default settings.
- Once installation is complete, click the “Scan” button to check your computer for Grod virus.
- When the scan is completed, you will be shown a list of found ransomware components.
- Review the scan results and then click “Next” button.
Use MalwareBytes to remove Grod ransomware
MalwareBytes is another malware removal tool that can help you find and remove the Grod virus for free. It is an advanced malware removal tool created by Malwarebytes. MalwareBytes uses the world’s most popular anti-malware technology. It can remove ransomware, PUPs, spyware, adware, worms, trojans, and other security threats from your machine for free.
- Download MalwareBytes from the following link.
Malwarebytes Anti-malware (326462 downloads; Author: Malwarebytes; Category: Security tools; Update: April 15, 2020)
- Run it and follow the prompts.
- Once installed, MalwareBytes will try to update itself.
- Once the update is complete, click the “Scan Now” button to check your PC for the Grod virus and other malware.
- After scanning is completed, click Quarantine Selected to remove the found malware.
To learn more about this malware removal utility, we recommend that you read the following guide: How to use MalwareBytes Anti-malware.
Remove Grod virus from PC with Kaspersky virus removal tool
Kaspersky virus removal tool (KVRT) is a free malware removal utility. It can be used to search for and remove ransomware, adware, potentially unwanted applications, worms, spyware, trojans, rootkits and other security threats. You can run this tool to scan for threats even if you already have an antivirus or any other security program.
- Download Kaspersky virus removal tool from the link below.
Kaspersky virus removal tool (129082 downloads; Author: Kaspersky® lab; Category: Security tools; Update: March 5, 2018)
- Once downloading is done, double-click on the KVRT icon.
- Click Start scan button to search for Grod virus and other security threats.
- As soon as the scan is completed, you will be shown its result.
- Review the scan results and then click Continue.
You can read more about Kaspersky virus removal tool by reading the following article: How to use Kaspersky virus removal tool.
How to decrypt .grod files
Files with the extension .grod are encrypted files. The only way to decrypt them is to have the pair: the key and the decryptor. The criminals demand a ransom for the key and decryptor, but there is absolutely no guarantee that, upon receiving the ransom, the attackers will allow the victim to unlock the encrypted files. Therefore, security experts do not recommend paying a ransom. Moreover, paying the ransom encourages criminals to create new variants of ransomware.
Fortunately, a group of security experts who investigated STOP (Djvu) ransomware created a free decryptor. And since Grod virus is part of STOP (Djvu) family, this decryptor can be used to decrypt .grod files.
To decrypt .grod files, use the following steps:
- Go to the following link to download STOP Djvu decryptor.
STOP Djvu decryptor - Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
So far, this decryptor can only decrypt files encrypted with an offline key. If files are encrypted with an online key, then they cannot be decrypted. The reason for this is that the so-called ‘online keys’ are in the hands of criminals.
How to find out which key was used to encrypt files
From the above it follows that every Grod victim needs to know which key was used to encrypt their files, because this determines whether the files can be decrypted with the free decryptor. Below we give two ways that help everyone easily determine the type of key the Grod virus used.
Find out the type of key using ‘_readme.txt’ file
- Open the ransom demand message (‘_readme.txt’ file).
- Scroll down to the end of the file.
- There you will see a line with the text ‘Your personal ID’.
- Below is a line of characters that starts with ‘0183’ – this is your personal id.
Find out the type of key using ‘PersonalID.txt’ file
- Open drive C:.
- Open the directory ‘SystemID’.
- Open the file named ‘PersonalID.txt’. This file lists the ‘Personal ID’s that match the keys the virus used to encrypt files.
The personal ID that you found is not the key itself, it is an identifier that allows you to determine which key was used to encrypt the files. If the Personal ID ends with ‘t1’, then your files are encrypted with an offline key. If your Personal ID does not end with ‘t1’, then Grod used an online key.
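To make the key-type check above reproducible, here is an added Python example written for this article (not the decryptor's own logic). It pulls the personal ID from the line that follows ‘Your personal ID’ in a ‘_readme.txt’ note, reads every line of a ‘PersonalID.txt’ file as one ID, and classifies each ID as offline or online by the ‘t1’ suffix rule stated above. The note text and both IDs are constructed for the example (they are not real victim IDs); the assumption that an ID is a long alphanumeric token is the example's own, not something the article states.

```python
"""Classify STOP/Djvu personal IDs as offline or online keys.

Added example for this article, not the decryptor's code. The rule applied
is the one stated in the article: an ID ending in 't1' belongs to an offline
key, any other ID to an online key.
"""
import re

OFFLINE_SUFFIX = "t1"                              # rule from the article
ID_PATTERN = re.compile(r"^[0-9A-Za-z]{20,}$")     # assumption: a long alphanumeric token

# Constructed IDs for this example (not real victim IDs). The '0183' prefix
# and the 't1' tail follow the article's description.
SAMPLE_OFFLINE_ID = "0183SAMPLEOFFLINEIDCONSTRUCTEDt1"
SAMPLE_ONLINE_ID = "0183SAMPLEONLINEIDCONSTRUCTEDab"

# Constructed tail of a '_readme.txt' note: the ID is on the line after
# 'Your personal ID'. The demand text itself is replaced by a placeholder.
SAMPLE_README = f"""ATTENTION!
[ransom demand text omitted]
Your personal ID:
{SAMPLE_OFFLINE_ID}
"""

# Constructed PersonalID.txt (the file under C:\SystemID) with two IDs, the
# case the article's replies describe when the virus used more than one key.
SAMPLE_PERSONALID_TXT = f"{SAMPLE_OFFLINE_ID}\n{SAMPLE_ONLINE_ID}\n"


def key_type(personal_id):
    """Return 'offline' if the ID ends with 't1', otherwise 'online'."""
    pid = personal_id.strip()
    if not pid:
        raise ValueError("empty personal ID")
    return "offline" if pid.endswith(OFFLINE_SUFFIX) else "online"


def ids_from_readme(text):
    """Collect the ID(s) that follow a 'Your personal ID' line in a ransom note."""
    lines = [ln.strip() for ln in text.splitlines()]
    ids = []
    for i, line in enumerate(lines):
        if line.lower().startswith("your personal id"):
            # The ID sits on the next non-empty line; skip it if it is not ID-shaped.
            for candidate in lines[i + 1:]:
                if candidate:
                    if ID_PATTERN.match(candidate):
                        ids.append(candidate)
                    break
    return ids


def ids_from_personalid_txt(text):
    """Every non-empty, ID-shaped line of PersonalID.txt is one ID."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and ID_PATTERN.match(ln.strip())]


def assess(readme_text, personalid_text):
    """Combine both sources, de-duplicate, and state what the free decryptor can do."""
    ids = []
    for pid in ids_from_readme(readme_text) + ids_from_personalid_txt(personalid_text):
        if pid not in ids:
            ids.append(pid)
    verdicts = {pid: key_type(pid) for pid in ids}
    offline = [p for p, v in verdicts.items() if v == "offline"]
    online = [p for p, v in verdicts.items() if v == "online"]
    if not ids:
        outlook = "no ID found; check the note and PersonalID.txt by hand"
    elif not online:
        outlook = "offline key only: the free decryptor can work once this key is known"
    elif not offline:
        outlook = "online key only: the free decryptor cannot decrypt these files"
    else:
        outlook = "mixed: only files encrypted under the offline key may be decryptable"
    return {"ids": verdicts, "offline": offline, "online": online, "outlook": outlook}


if __name__ == "__main__":
    report = assess(SAMPLE_README, SAMPLE_PERSONALID_TXT)
    for pid, kind in report["ids"].items():
        print(f"{pid}: {kind} key")
    print(report["outlook"])
```

On a real machine, pass the contents of the victim's ‘_readme.txt’ and of ‘C:\SystemID\PersonalID.txt’ to `assess`. Reading PersonalID.txt matters because, as the replies below note, the virus can use more than one key on the same computer, so a single ID from one note does not tell the whole story.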
What to do if the decryptor does not help decrypt files
If the decryptor skips files, saying that it is impossible to decrypt them, two options are possible:
- the files are encrypted with an online key; in this case you need to use alternative methods for recovering the encrypted data;
- the files are encrypted with an offline key, but the key itself has not yet been found by security researchers; in this case you need to be patient and wait a while, and in the meantime you can also use alternative ways to restore the contents of the encrypted files.
How to restore .grod files
Fortunately, there are several simple ways that give everyone a chance to recover the contents of encrypted files. The methods presented below can help when the free decryptor cannot decrypt .grod files or when the files are encrypted with an online key. We remind everyone: if you have not completed step 1, go back to it. Before you start recovering encrypted files, you should check your computer for malware and find and remove all Grod components.
Use shadow copies to restore .grod files
An alternative to decrypting files is to recover encrypted files from their Shadow Copies. Shadow Volume Copies are copies of files and folders that Windows 10 (8, 7 and Vista) saves automatically as part of System Protection. This feature is fantastic at rescuing photos, documents and music that were encrypted by the Grod virus. The guide below gives you all the details.
Please go to the link below to download ShadowExplorer. Save it on your Windows desktop.
ShadowExplorer (438819 downloads; Author: ShadowExplorer.com; Category: Security tools; Update: September 15, 2019)
Once the download is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown on the screen below.
Double-click ShadowExplorerPortable to launch it. You will see a window as shown in the following example.
In the top-left corner, choose the drive where the encrypted files are stored and the latest restore point, as shown on the screen below (1 – drive, 2 – restore point).
In the right panel, look for a file that you want to restore, right-click it and select Export, as displayed on the image below.
Recover .grod files with PhotoRec
Another alternative method is to use data recovery programs. We suggest the program called PhotoRec. It has all the features necessary for searching for and restoring files, and it is free.
Download PhotoRec from the following link. Save it on your Desktop.
After the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed on the screen below.
Double-click qphotorec_win to run PhotoRec for MS Windows. It will show a screen as displayed below.
Choose the drive to recover, as shown on the screen below.
You will see a list of available partitions. Select the partition that holds the encrypted documents, photos and music, as displayed on the screen below.
Click the File Formats button and choose the file types to restore. You can enable or disable the recovery of certain file types. When this is done, press the OK button.
Next, press the Browse button to choose where the restored files should be written, then press Search.
The count of recovered files is updated in real time. All restored files are written to the folder you chose in the previous step. You can access the files even before the recovery process is finished.
When the restore is finished, click the Quit button. Next, open the directory where the recovered photos, documents and music are stored. You will see contents like those on the image below.
All restored documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort the restored files by extension and/or date/time.
To sum up
This article was created to help all victims of the Grod virus. We tried to answer the following questions: how to remove the ransomware; how to decrypt .grod files; how to recover files if the decryptor does not help; and what an online key and an offline key are. We hope that the information presented in this article has helped you. If you have questions, write to us by leaving a comment below. If you need more help with Grod-related issues, go here.
thanks for sharing the help…I just lost a 4TB HDD of files to GROD now….all my files that I have saved up for years are gone….my entire life’s work,…these are files that have supported my work as a graphic designer for 15 years…. it didn’t get into my pc but I couldn’t figure out how it got into my external drive that serves as my back up for all my works….I have been scrounging all the forums for solutions yet none…I have tried using the Emsisoft decryptor tool you talked about….all the results came out “unable to decrypt”….so what the hell on earth should I do now?…I am finished!!!
the explanation you gave for the shadow explorer and photo rec isn’t clear enough….that’s why I couldn’t risk it…I don’t want to engage in what I do not understand…the files that I have to export, is it the ones with the .grod extensions or which one?
when you offer tutorials in a sensitive situation such as this, please do not complicate things for people by making unclear or undetailed posts…because this seems the only hope left for me now….so you gotta go back there and tell us which of the files to export, (whether it’s the encrypted files or the ones not encrypted).
if everything fails, I think I will get in touch with these assholes in order to recover my files…even if it involves paying money….
If your files are encrypted with an offline key, then they can be decrypted, you just need to wait until the security researchers find the offline key.
my system got affected yesterday, malware removed but decryptor gives same message - unable to decrypt. please help
I’m so much worried about my data. As my data is infected by GROD. I’m unable to decrypt it. I’m a 3D designer and I’ve lost all of my data. Is there any chance of getting my data back?
My personal Id is (nhSjeyawrqps8RDYoO4Grh4GClTroWfg3fXyhTAw)
Kindly let me know the solution please. I’ll be thankful to you all!
I’m in the same situation as mcjona ghiandhosky…please need help to recover my files.
Unfortunately, files that were encrypted with an online key cannot yet be decrypted. The keys necessary for decryption are in the hands of criminals – the creators of the virus. Perhaps in the future (when is unknown) these keys will be obtained in some way; only then will it be possible to decrypt files encrypted with any type of key.
The first thing to do is determine which key was used to encrypt the files. We have given two methods above; there are no other methods! Since the virus can use several keys on one computer, we recommend using the second method. File ‘PersonalID.txt’ lists all IDs that match the keys that GROD virus used for encryption. This means that if the virus used two keys, then the file will have two IDs.
If the decryptor reports ‘Unable to decrypt file with ID’, then this does not mean that the files cannot be decrypted. It is possible that the offline key has not yet been found. Therefore, if you are sure that your ID matches the offline key, then you just need to wait a while.