GROD ransomware attacks computer systems to turn personal files useless
Contents
GROD ransomware is a malicious computer virus that seeks to encrypt files on a target system. It belongs to the new STOP DJVU malware family, therefore it uses an updated RSA encryption algorithm. The malware is set to disable firewalls, delete system restore points and encode data, adding .grod file extensions to original filenames. Next, it inserts a ransom note called _readme.txt in every folder containing encrypted data, which instructs the victim to pay a hefty ransom to the criminals in order to access data ever again. Victims of this ransomware should be aware of password-stealing Trojan that it installs on the system, named Azorult.
GROD ransomware encrypts victim’s files to demand a sum which ranges from $490 to $980. It depends whether the victim manages to collect the specified sum of money and obtain Bitcoins to pay the criminals within 72 hours. The attackers suggest decrypting one file for free to test the GROD decryptor software that they offer. To get detailed instructions on how to pay the ransom and also test the decrypter, the ransom note suggests sending a message to one of the provided emails:
- restorefiles@firemail.cc;
- gorentos@bitmessage.ch.

If you can no longer access your files and you can see .grod extensions on them, it means that you have become a victim of a highly dangerous DJVU ransomware attack. Unfortunately, you were hit with an updated malware version which cannot be decrypted at the moment. You only have hope to restore part of the data if the virus used an offline key to corrupt your data. More on that will be provided below.
Threat Summary
Name | GROD ransomware virus |
Threat Type | Ransomware (STOP/DJVU Family) |
Ransom | $490-$980 |
Encryption Used | RSA-2048 |
Decryption | Not possible. Recover files using a backup or wait for the offline key |
Distribution | Infected malicious downloads – typically software keygens and cracks |
Additional information | Installs Azorult Trojan (password-stealing virus) |
Removal | Remove using antivirus software |
The file-encrypting virus uses either online or offline key to corrupt data
In order to better understand your chances of recovering files encrypted by GROD virus, you must know a bit about how the virus operates. Once run on the target machine, the virus attempts to establish a connection with its remote server to get online keys to encrypt data. If it fails to do so, it uses a static offline encryption key. A sign that such key was used for your machine is if your personal ID (found in the ransom note) ends with t1. An example of an online and offline keys are provided below.
Personal ID example indicating encryption using online key:
Your personal ID:
0273HfghKy12nGO5B7fewTPmpErj3m2FccWnHvCkaQ24Pefmk
Personal ID example indicating encryption using offline key:
Your personal ID:
0273HfghKy12nGO5B7fewTPmpErj3m2FccWnHvCkaQ24Peft1
As a result, if the security researchers will be able to extract this offline key in the future, you will recover some of your files. However, please note that this does not apply to those attacked with online keys. It is impossible to extract these keys in any way.
Please read more about STOP DJVU ransomware decryption options in this in-depth guide here.
However, we suggest backing up your encrypted data and wait for the best to happen – criminals might get caught one day.
Meanwhile, you must remove GROD ransomware virus using good antivirus software. Please use the instructions provided at the end of this article for guidance. Use security software of your choice or consider reading reviews provided on our site.
Distribution of STOP ransomware variants
GROD file virus, just like other STOP/DJVU ransomware variants (PEET, MOSK, TOEC, LOKF, RECO) are all distributed in one simple way. The attackers bundle the malicious executive along with software cracks, keygens and other not-so-legal downloads that help to activate paid software products for free.
Therefore, if you found all your files turned into .grod file type, it means that you have recently downloaded a compromised software activation tool. Please remember that such downloads are easy bait for victims as they’re extremely popular. By buying official software licenses, you do not risk your safety and not break any copyright laws. Besides, it is usually cheaper than paying a ransom to cybercriminals.

However, such illegal tools isn’t the only way to spread malware. You can also become a victim if you use outdated software (such as Flash Player), tend to explore suspicious emails sent to you or visit shady peer-to-peer, gambling, or adult sites. These are known to be the highest-risk when it comes to ransomware distribution.
Remove GROD ransomware virus from your PC and restore your files
Remove GROD ransomware virus from your computer to prevent its further malicious operations. We recommend scanning your computer with a trustworthy antivirus software of your choice. Running an automatic malware removal software will ensure a thorough cleanse from ransomware remains as well as Azorult Trojan.
Please follow the GROD ransomware removal guidelines provided below. These will guide you through steps required to boot your PC in Safe Mode. You need to start your computer in this mode to delete the malware without any obstacles. If you try to delete malware while in regular mode, your antivirus might get blocked.
Once the STOP DJVU ransomware is eliminated, you can start to recover your files using a backup. Plug it in your computer and simply move them from the external device to your chosen location. Make sure you do this step only with a clean computer, as the backup can get encrypted, too.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
GROD Ransomware Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove GROD Ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Leave a Reply