Gusau Ransomware - How to remove

One of the most dangerous types of computer infections is file-encrypting ransomware. Unlike screen-lockers, file-lockers, specifically ones that belong to the STOP/Djvu family, can harm a system by corrupting valuable files, editing settings, crippling the antivirus program, and even installing a password-stealing trojan.

Gusau is a file-encrypting virus and one of the newest versions of STOP/Djvu ransomware. Its symptoms are files that don’t open anymore and have a new “.gusau” extension and file type (if you don’t see extensions, open File Explorer, open the “View” tab at the top, and check the “File name extensions” box). Unfortunately, renaming the files won’t fix them.

It’s possible that only some of your files are encrypted, or even that some folders remained untouched. Review your disk and look for where Gusau might have malfunctioned. However, most people lose the majority of their files to a ransomware virus.
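To see which folders Gusau reached and which it skipped, here is an added Python script (not from the original article) that walks a drive and counts, per folder, files with the .gusau extension, files left untouched, and whether the ransom note is present. It assumes the note is named _readme.txt, and it builds a constructed sample tree so it runs offline.

```python
import os
import tempfile

ENCRYPTED_EXT = ".gusau"    # extension this STOP/Djvu variant appends
NOTE_NAME = "_readme.txt"   # ransom note file name (".txt" suffix assumed)

def inventory(root):
    """Walk root and return, for every folder Gusau touched, how many files
    carry .gusau, how many were untouched, and whether a note was dropped."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        note_present = NOTE_NAME in files
        untouched = [f for f in files if f not in encrypted and f != NOTE_NAME]
        if encrypted or note_present:
            report[os.path.relpath(dirpath, root)] = {
                "encrypted": len(encrypted),
                "untouched": len(untouched),
                "note": note_present,
            }
    return report

def totals(report):
    """Sum encrypted and untouched counts over all affected folders."""
    enc = sum(r["encrypted"] for r in report.values())
    untouched = sum(r["untouched"] for r in report.values())
    return enc, untouched

def build_sample(root):
    """Constructed sample tree (not real victim data): one folder fully
    encrypted, one only partially hit, one the virus never reached."""
    layout = {
        "Documents": ["report.docx.gusau", "budget.xlsx.gusau", NOTE_NAME],
        "Pictures": ["holiday.jpg.gusau", "cat.jpg", NOTE_NAME],
        "Tools": ["setup.exe", "readme.md"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"constructed sample content")

def run_sample():
    """Build the sample tree in a temporary directory and inventory it."""
    root = tempfile.mkdtemp()
    build_sample(root)
    return inventory(root)
```

On a real machine, call inventory() with the drive root (for example `inventory(r"C:\")`) instead of run_sample(); folders missing from the report were not touched.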

Besides the changed files, a note from the developers of the virus is placed in the affected folders. It’s in a text file called “_readme” and starts like this:

ATTENTION!

Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.

The developers of Gusau try to encourage the victims to write to [email protected], [email protected], or @datarestore (Telegram) to agree on the payment method. As ransomware, the point of the Gusau virus is to make money for the criminals who made it. This does not always mean that the files are fixed, however. The payments aren’t made through any channel that would insure the victims against being scammed by the criminals. Instead, cryptocurrencies are used. They are decentralized, independent, and do not allow money that has already been sent to be recalled. So, the criminals sometimes restore the files, other times they take the money and leave the victim without help, and they don’t need to fear any consequences.

How ransomware spreads

Gusau and its sister viruses are hidden in torrents as cracked programs, applications for generating activation keys, and other tools that help people pirate commercial software. This is risky. Sometimes people disable their antivirus program while pirating because activators might be caught and blocked by security tools. This can help Gusau avoid detection. Another good thing for the virus is that the victim downloads and runs the virus themselves.

Speaking of files that the victims download themselves, a lot of cryptoviruses use malicious spam emails with infected attachments. The early version of Phobos did this. The malicious files by STOP ransomware rely on the victims to download and run them, but some other cryptoviruses don’t have that limitation.

Ransomware can infect a computer in the background, with an automatic download, if it’s distributed using malvertising. Not Gusau, but other viruses, like Matrix or Seon, do this — exploit vulnerabilities in an outdated browser or operating system. Another way is Remote Desktop hacking, but those attacks are often manual and mostly targeted at businesses, with appropriately big ransoms, averaging thousands of dollars. On the other hand, Gusau asks for “only” a few hundred dollars because it’s targeted at individuals.

To avoid Gusau and other ransomware infections, you should remember to be careful online:

  • Update your software
  • Scan your device regularly with a good-quality antivirus tool
  • Don’t open unexpected email attachments without scanning them first
  • Avoid websites with excessive and dishonest ads
  • Stop pirating software (pay or use free alternatives)
  • Disable or secure your Remote Desktop Protocol

However, it’s nearly impossible to completely avoid malware infections. That’s why backups are so important. A properly set up backup can protect you from the harm that a cryptovirus like Gusau causes.


How to remove Gusau

A strong antivirus program, such as Spyhunter, could remove Gusau or check if it’s still there. If your antivirus finds AZORult or another trojan, you might want to change your passwords and set up 2-step verification where you haven’t. Additionally, the ransomware might have modified your hosts file to stop the infected computer from accessing certain cybersecurity-related websites. Luckily, it’s simple to fix that by following this guide. Installing all the updates for your antivirus is also very important, as Gusau deletes the data of some of these programs to stop them from working correctly.
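An added example (not part of the original guide) of checking the hosts file for the kind of tampering described above: it parses the file and flags any hostname other than localhost that is mapped to a loopback or 0.0.0.0 address, which is how a site gets silently blocked. The sample hosts content and its domain names are constructed placeholders; audit_windows_hosts() reads the real file at the standard Windows path.

```python
import ipaddress
import os

# Names that legitimately map to loopback; anything else pointed at loopback
# or an unspecified address (0.0.0.0, ::) is treated as a sinkhole entry.
BENIGN_LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Return [(line_no, ip, hostname), ...] for every mapping in a hosts file.
    Comments, blank lines and lines whose first field is not an IP are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop any trailing comment
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((line_no, fields[0], name.lower()))
    return entries

def audit_hosts(text):
    """Flag entries that send a real hostname to a loopback or unspecified
    address, so a browser on this machine can never reach that site."""
    flagged = []
    for line_no, ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if (addr.is_loopback or addr.is_unspecified) and name not in BENIGN_LOCAL_NAMES:
            flagged.append((line_no, ip, name))
    return flagged

def audit_windows_hosts():
    """Audit the live hosts file of the Windows machine this runs on."""
    path = os.path.expandvars(r"%SystemRoot%\System32\drivers\etc\hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())

# Constructed sample of a tampered hosts file (not a real capture).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0         av-vendor.example            # sinkholed security site
0.0.0.0         www.av-vendor.example
127.0.0.1       forum.security-help.example
192.0.2.10      printer.lan                  # ordinary LAN mapping, left alone
"""
```

Every flagged line that you did not add yourself can be deleted from the hosts file (with an editor run as Administrator) to restore access to the blocked sites.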

Finally, you can try and restore your data. A researcher is developing and updating a free program to help the victims of STOP, including Gusau. This post that he wrote explains things in detail. It includes a link to download STOPDecrypter, his program. If it doesn’t work on some of your data, that means that you can’t decrypt it, but feel free to keep the .gusau files. It’s unlikely, but some decryption options could become available later, for example, if the extortionists are arrested and the decryption keys are released. The locked files aren’t dangerous.


How to recover Gusau Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that are available from before Gusau Ransomware infiltrated your system and then click “Next”.
  • To start System Restore click “Yes”.
 

Step 2. Complete removal of Gusau Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Gusau Ransomware. You can check other tools here.

Step 3. Restore Gusau Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Gusau Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Gusau Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.