GAYN Virus File Decrypt & Removal

While I was analyzing malware samples submitted to VirusTotal¹, I made an intriguing discovery: the Gayn ransomware is actively encrypting files and adding the “.gayn” extension to their original filenames. In simpler terms, it takes a file like “a.jpg” and renames it as “a.jpg.gayn“, or transforms “b.doc” into “b.doc.gayn“. This ransomware has truly wreaked havoc on countless victims.

Gayn belongs to the Djvu family, which is known for its association with other malware, such as Vidar Stealer and RedLine Stealer, which are information stealers. Threat actors have been observed distributing ransomware from the Djvu family along with these malicious programs.

Feeling compelled to help those affected, I have compiled an extensive and comprehensive list of potential solutions, invaluable tips, and best practices to combat the destructive Gayn virus and regain access to encrypted files. However, I must emphasize that the success of file recovery heavily depends on the unique circumstances surrounding each case, and in some unfortunate situations, recovery may prove to be an insurmountable challenge.

Interestingly, the Gayn ransomware employs a distinct encryption key for each victim, except for one exceptional scenario:

• If the ransomware fails to establish a connection with its command and control server (C&C Server) before initiating the encryption process, it resorts to using an offline key. This specific key is shared among all victims, providing a glimmer of hope for those affected by this malicious ransomware attack. It means there is a possibility of decrypting files that have fallen victim to this devastating cyber assault.

What is Gayn virus?

☝️ It can be correctly identify as a STOP/DJVU ransomware virus.

The Gayn ransomware is a kind of threat that encrypted your files and then forces you to pay for them. The image below gives a clear vision of how the files with “.gayn” extension look like:

Gayn File (STOP/DJVU Ransomware)

This _readme.txt file asking payment is for restore files via decryption key:

_readme.txt (STOP/DJVU Ransomware) – The scary alert demanding from users to pay the ransom to decrypt the encoded files contains these frustrating warnings

The Gayn ransomware arrives as a set of processes that are meant to perform different tasks on a victim’s computer. One of the first ones being launched is winupdate.exe, a tricky process that displays a fake Windows update prompt during the attack. This is meant to convince the victim that a sudden system slowdown is caused by a Windows update. However, at the same time, the ransomware runs another process (usually named by four random characters) which starts scanning the system for target files and encrypting them. Next, the ransomware deletes Volume Shadow Copies from the system using the following CMD command:

vssadmin.exe Delete Shadows /All /Quiet

Once deleted, it becomes impossible to restore the previous computer state using System Restore Points. The thing is, ransomware operators are getting rid of any Windows OS-based methods that could help the victim to restore files for free. In addition, the crooks modify the Windows HOSTS file by adding a list of domains to it and mapping them to the localhost IP. As a result, the victim will run into a DNS_PROBE_FINISHED_NXDOMAIN error when accessing one of the blocked websites.

We noticed that ransomware attempts to block websites that publish various how-to guides for computer users. It is evident that by restricting specific domains, the crooks are trying to prevent the victim from reaching relevant and helpful ransomware-attack-related information online. The virus also saves two text files on the victim’s computer that provide attack-related details – the victim’s public encryption key and personal ID. These two files are called bowsakkdestx.txt and PersonalID.txt.

After all these modifications, the malware doesn’t stop. Variants of STOP/DJVU tend to drop Vidar password-stealing Trojan on compromised systems. This threat has a lengthy list of capabilities, such as:

• Stealing Steam, Telegram, Skype login / password;
• Stealing cryptocurrency wallets;
• Downloading malware to the computer and running it;
• Stealing browser cookies, saved passwords, browsing history, and more;
• Viewing and manipulating files on victim’s computer;
• Allowing the hackers to perform other tasks on the victim’s computer remotely.

The cryptography algorithm used by DJVU/STOP virus is AES-256. So, if your data got encrypted with an online decryption key, which is totally unique. The sad reality is that it is impossible to decrypt the files without the unique key.

In case if Gayn worked in online mode, it is impossible for you to gain access to the AES-256 key. It is stored on a distant server owned by the frauds who promote the Gayn virus.

For receiving decryption key the payment should be $980. To obtain the payment details, the victims are encouraged by the message to contact the frauds by email ([email protected]).

The message by the ransomware states the following information:

ATTENTION!

Don't worry, you can return all your files!

All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.

What guarantees you have?

You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.

You can get and look video overview decrypt tool:

https://we.tl/t-WJa63R98Ku

Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.

Please note that you'll never restore your data without payment.

Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:

[email protected]

Reserve e-mail address to contact us:

[email protected]

Your personal ID:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Do not pay for ransom!

Please, try to use the available backups, or Decrypter tool

The _Readme.txt file states that computer owners must contact the Gayn representatives within 72 hours from the moment the files were encrypted in order to receive a 50% rebate, reducing the ransom amount to $490. However, it is strongly advised not to pay the ransom or engage with these fraudulent individuals.

All these types of viruses follow a similar procedure to generate a unique decryption key for recovering the encrypted data. Unless the ransomware is still in the developmental stage or possesses hard-to-detect flaws, manual recovery of the encrypted data is not feasible. The only reliable method to safeguard your valuable data is to regularly create backups of your crucial files.

It is important to note that even if you maintain regular backups, they should be stored in a secure location separate from your main workstation. For example, you can store the backup on a USB flash drive or an external hard drive. Alternatively, you can utilize online (cloud) storage services for backup purposes.

It goes without saying that keeping your backup data on the same device as your main computer is not a wise decision. Doing so could result in the backup data being encrypted along with the rest of your files. Therefore, it is essential to store your backups in a separate and secure location.

How I was infected?

Ransomware has a various methods to built into your system. But it doesn’t really matter what method was used in your case.

Gayn virus attack following a successful phishing attempt.

However, there are common ways through which the STOP/Djvu ransomware may infiltrate your PC:

• It can be secretly installed alongside other apps, particularly utilities that are offered as freeware or shareware.
• Another way is through suspicious links in spam emails, leading to the installation of the virus.
• Online free hosting resources can also serve as a source of infiltration.
• Additionally, downloading pirated software from illegal peer-to-peer (P2P) resources can result in the injection of the Gayn ransomware.

Instances have been reported where the virus disguised itself as a legitimate tool, often appearing in messages that demand unwanted software or browser updates. This is how online fraudsters manipulate users, coercing them into manually installing the Gayn ransomware, thereby involving them directly in the installation process.

It’s worth noting that the fake update alerts will not explicitly indicate the virus installation. Instead, these alerts typically mention the need to update Adobe Flash Player or some other dubious program.

Moreover, using cracked applications poses a significant risk. Engaging in illegal P2P activities not only violates copyright laws but also exposes users to serious malware, including the Gayn ransomware.

In conclusion, what steps can you take to protect your device from the Gayn ransomware? Although there is no foolproof method, I would like to provide you with some helpful tips to prevent the infiltration of Gayn. When installing free software, be cautious and carefully review what the installers offer in addition to the main program. Avoid opening attachments from suspicious emails or files from unknown senders. It is essential to keep your security program updated at all times.

The malware does not reveal itself openly. It won’t appear in the list of your available programs. Instead, it operates discreetly in the background, starting as soon as you launch your computer.

How To Remove Gayn Virus?

In addition to encode a victim’s files, the virus has also started to install the Vidar Stealer on computer to steal account credentials, cryptocurrency wallets, desktop files, and more.

1. Run the setup file.

   
   

2. Press “Install” button.

   

3. Once installed, Anti-Malware will automatically run.

   

4. Wait for complete.

   

5. Click on “Clean Now”.