Grod Ransomware Removal Guide

If you are introduced to a pop-up notification stating that Windows is “Installing important updates,” it is possible that Grod Ransomware has slithered into your operating system. This pop-up is just a distraction, and the threat is encrypting your personal files. Unfortunately, you cannot open the Task Manager and check what processes are running because the threat can disable this utility. If you cannot stop processes and remove malicious files, you cannot stop the encryption of your personal files. Of course, at this point, you might not know what is happening at all. The data of your files is changed silently, and once that is done, the “.grod” extension is appended to the names. This might be the first sign that malware got in and corrupted your documents, photos, and other vulnerable files. At this point, you cannot restore files by deleting Grod Ransomware, but, of course, this threat must be eliminated.

You are most likely to discover Grod Ransomware after it creates a file named “_readme.txt.” Copies of this file should be placed in every folder that contains encrypted files, and so if the threat encrypts personal files on the Desktop, you should find the text file on the Desktop too. We have seen this file many times before when we analyzed Mbed Ransomware, Nakw Ransomware, Toec Ransomware, and other infections. All of them belong to the STOP Ransomware family, and all of them appear to be clones of one another. It is even possible that the same attackers built them all. The text file represents a message that suggests emailing restorefiles@firemail.cc and gorentos@bitmessage.ch. While the first email address is unique, the second one can be linked to most STOP Ransomware infections. Obviously, you should NOT send a message to either of these addresses, unless you want the attackers to send you ransom payment instructions as well as flood you with new scams in the future.

Grod Ransomware was created to help cybercriminals make $490 per victim. This is how much a decryption tool offered by the attackers costs. To some victims, this sum might seem meaningless. To others, it will be more than they can pay. In either case, paying the ransom is the wrong move because cybercriminals have no obligation to provide you with a decryptor even if you pay the full price of $980. Luckily, you might not have to put your money at risk because a free STOP Decryptor might be able to help you. While it could not decrypt Grod Ransomware when we analyzed the infection, the tool might be able to work in the future. Alternatively – and this is the best solution – you have copies of your files stored online, on a different device, or on an external drive. These are called backups, and they can stand in as replacements for the corrupted files. Hopefully, you have backups, and if you do not, make sure you start creating them for your personal files in the future. They can save you in a tough situation like this one.

While you can backup your files and hope that new infections will not attack and affect them again, you should also think about Windows protection. If you keep your operating system guarded, you will not need to face ransomware, Trojans, adware, and other kinds of malware in the future. The right anti-malware software can correct the risky moves you make seamlessly. For example, if you are tricked into downloading a malicious file, this software should inspect and delete it before it is launched. Of course, right now, it is most important that this software would automatically remove Grod Ransomware. You can try to remove this threat manually, but we cannot guarantee success. There are lots of components used by this ransomware, and the main one – which is the launcher .exe file – does not have a specific location or name. If you have questions about Grod Ransomware, its removal, or Windows security, do not hesitate to leave a comment below.

How to delete Grod Ransomware

1. If you know the {unknown name}.exe file that executed the threat, Delete it immediately.
2. Delete every single copy of the file named _readme.txt.
3. Tap Win+E keys on the keyboard at the same time to access Windows Explorer.
4. Enter %LOCALAPPDATA% into the quick access field at the top to access this directory.
5. Deletethese components:
   • script.ps1
   • {unknown name} folder that holds {unknown name}.exe file
   • {unknown name} folder (a different one) that holds updatewin.exe and updatewin2.exe files
6. Enter %WINDIR%\System32\Tasks\ into the quick access field at the top to access this folder.
7. Delete the task named Time Trigger Task.
8. Tap Win+R keys on the keyboard at the same time to access Run.
9. Type regedit into the dialog box and click OK to access Registry Editor.
10. On the left, navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
11. Delete the value named SysHelper that represents the malicious {unknown name}.exe file.
12. Exit all windows and then Empty Recycle Bin.
13. Employ a trusted malware scanner to scan your operating system for leftovers.

N.B. On Windows XP, instead of accessing %LOCALAPPDATA%, access %USERPROFILE%\Local Settings\Application Data\.