The only purpose of GUER ransomware is to illegally restrict victim’s access to personal files kept on a computer and demand a ransom for their recovery service. Since all of us keep relevant work, study, travel or family related material on our computers, losing such data at once can seem like a disaster (especially if you do not have data backup). We must mention that the malware corrupts only the first 150 KB of file, however this does enough to make the most file formats unusable. However, some audio and video files can be repaired with some file information loss at the beginning of the file. More detailed explanation can be found here. GUER decryption tool is held by cybercriminals who suggest purchasing it for a specified price. In other words, the attackers demand a ransom for file recovery and the price of it depends on how quickly the victim writes to the attackers, purchases cryptocurrency equal to required amount and transfers it to the cybercriminals. According to them, if the victim manages to contact them and make the transaction within 72 hours, the price will be $490. Otherwise, it rises to $980. When contacted via email, criminals explain that transaction needs to be made in Bitcoins. This keeps them untraceable. To encourage the victim to pay sooner, the attackers suggest decrypting one .guer file for free. The file, however, must be small in size and not contain any relevant information. Experts from Geek’s Advice team as well as FBI do not advise making ransom payments. Here are some reasons why it is a wrongful practice:
Paying the ransom might not result in data decryption. There is no way you can force the criminals help you, even if you pay.Ransom payments can be illegal in certain countries.Ransomware developers and operators collect incredible amounts of money each year. This can lure other people to join the industry, especially when using technologies to hide the identity. Please, do not contribute to the growth of these numbers by paying!STOP/DJVU variants like GUER virus tend to drop AZORULT malware on compromised systems. It can steal various information such as login information for various websites. Access to such data can be useful when trying to blackmail computer users further. Therefore, think twice before paying criminals who will likely try to target you again.
REPAIR VIRUS DAMAGE
Damage caused by ransomware, explained
GUER ransomware is a highly malicious virus which begins the attack by masquerading itself as a fake Windows update screen (winupdate.exe). Cybersecurity experts agree that it is used to trick the victim into thinking that a system slowdown is caused by installation of essential Windows operating system components. Meanwhile, another process (named by 4 random digits) scans the entire computer and encrypts files such as documents, videos, audio files, archives, executables, project files and others using military-grade encryption algorithms. During the scan, the virus drops ransom notes in every folder. Next, the virus deletes Volume Shadow Copies so that available system restore points would become useless. The malware uses the following Command Line task to do this: vssadmin.exe Delete Shadows /All /Quiet Finally, the ransomware uploads a list of website names to Windows HOSTS file and maps them to resolve to localhost IP, which, in other words, means that the victim will no longer succeed to open them. In fact, attempts to reach one of the said websites from the list will result in DNS_PROBE_FINISHED_NXDOMAIN error in Google Chrome, Firefox or other browsers. This way, the virus tries to prevent the victim from accessing ransomware help providing sites online as well as various self-help forums. Therefore, we strongly recommend you to reset HOSTS file back to default as explained here. You may also find some ransomware-dropped files while browsing through affected computer folders. For example, the virus drops bowsakkdestx.txt (might be named differently), a file that contains your public encryption key and personal ID string and PersonalID.txt (your ID only). You can see an example of such file down below. Bear in mind that ransomware isn’t the only threat that was dropped to your computer during the infection phase. This threat often arrives along with AZORULT Trojan, an information stealer capable of sending your Steam, Skype, Telegram login credentials, browser-saved data (such as browsing history, cookies, saved passwords) to criminals. The Trojan also allows remote access to your files and downloading more malware to the computer. Due to listed malware damage, we recommend you to protect your computer as soon as you can. Firstly, you will need to scan your PC with an up-to-date antivirus software. Our team recommends using INTEGO Antivirus, a robust security software that provides real-time protection, blocks malicious downloads and has VB100 certification. Next step is to repair virus damage on Windows OS files, in which case RESTORO is a program dedicated for this task.
Ransomware Summary
REPAIR VIRUS DAMAGE
File-encrypting malware distribution methods
It is important to know how ransomware-type threats spread in order to avoid getting infected in the future. Most of STOP/DJVU variants, including GUER ransomware, can be found in various illegal torrent downloads, mostly various software cracks. Cybercriminals inject malicious scripts to these files that immediately download and run the ransomware on victim’s computer as soon as the user tries to illegally activate paid software. Victims reported getting infected after downloading cracks for these popular programs:
Adobe Photoshop;Corel Draw;Cubase;Microsoft Office;Adobe Illustrator;Windows activation tools for example, KMSPico.
Needless to say, you shouldn’t be trying to infringe legitimate software copyrights and only obtain it from official sources. Attempts to get it illegally almost always result in some kind of computer infection. Even if you do not notice suspicious signs after a “successful” installation, your computer might still be compromised with silent malware such as cryptocurrency miner, Trojan, remote access tool, backdoor, and similar. Another successful way to deliver malware is attacking people with malicious email spam. For this technique, crooks compose convincing email messages pretending to be someone from reputable company or a colleague. Often times, they send documents in XLS, DOCX, PDF formats named as invoice, order summary, parcel delivery details or similar, hoping that the victim will open the document out of sole curiosity even if such email was completely unexpected. These file formats allow scripts, and activating them can lead to a severe computer infection. Our team advises to look out for such red flags identifying a potentially deceptive and malicious email:
You did not expect to receive the email at all;
The message tone seems pushing and urges you to open attached documents quickly;The email message is full of grammar errors and added company logos seem low quality or placed/aligned unprofessionally;Spoofed email address;Your email box provider marks the letter as potential spam.
Victims of STOP/DJVU ransomware should avoid downloading various so-called decryption tools from unconfirmed sources, as these can simply be another ransomware in disguise. One of such examples is ZORAB, which is known to be hiding in deceptive STOP/DJVU decryption tools online.
Remove GUER ransomware virus and decrypt your files
We recommend you to remove GUER ransomware virus today to secure your computer and sensitive data, plus prevent the malware from roaming in your PC system any longer. Our team recommends a two-step rescue plan: first, you need to remove the threats using an up-to-date antivirus which has excellent detection rates. Our pick is INTEGO Antivirus, which has VB100 certification. Second step – scan with RESTORO to repair virus damage to Windows OS files. Once GUER ransomware virus removal is done, please consider taking these recommended post-infection actions:
Report cybercrime incident to your local authority responsible for handling such cases. You can find some references below the article.Use data backups to restore files (if you have them).Try instructions to decrypt or repair files affected by STOP/DJVU versions.We also recommend changing your passwords, especially for sites that you chose to save login credentials for in your browser.
OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.
Method 1. Enter Safe Mode with Networking
Before you try to remove GUER ransomware virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users Now, you can search for and remove GUER ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Decrypt GUER files
Fix and open large GUER files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. GUER ransomware virus is considered the new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible. In order to test the tool and see if it can decrypt GUER files, follow the given tutorial.
Meanings of decryptor’s messages
The GUER decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages: Error: Unable to decrypt file with ID: [example ID] This message typically means that there is no corresponding decryption key in the decryptor’s database. No key for New Variant online ID: [example ID]Notice: this ID appears to be an online ID, decryption is impossible This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible. Result: No key for new variant offline ID: [example ID]This ID appears to be an offline ID. Decryption may be possible in the future. If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your GUER extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of GUER ransomware virus should report the Internet crime incident to the official government fraud and scam website according to their country:
In the United States, go to the On Guard Online website.In Australia, go to the SCAMwatch website.In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.In Ireland, go to the An Garda Síochána website.In New Zealand, go to the Consumer Affairs Scams website.In the United Kingdom, go to the Action Fraud website.In Canada, go to the Canadian Anti-Fraud Centre.In India, go to Indian National Cybercrime Reporting Portal.In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.