How to remove Gujd ransomware

Gujd ransomware comes from the notorious Djvu/STOP ransomware family that has already released hundreds of file-encrypting malware versions. This version can be differentiated from the rest by the .gujd file extension that gets added to encrypted files. The ransomware drops a _readme.txt ransom note and is currently not decryptable for free.

 

Is it possible to recover Gujd ransomware encrypted files?

Gujd ransomware comes from the Djvu ransomware family, which makes it a very dangerous infection. As soon as it is initiated, it will start encrypting files. This is hard to not notice, considering that your photos, videos, images, documents, and all other personal files will suddenly be unopenable. However, to distract users until the decryption process is complete, the ransomware will show a fake Windows Update window, as displayed below.

You will notice that all encrypted files will have a .gujd file extension added to them, and this is likely what allowed you to identify this ransomware as Gujd ransomware. As an example, image.jpg would become image.jpg.gujd. While all Djvu/STOP ransomware versions have different extensions that they add to encrypted files, the format remains the same.

Once it’s done encrypting files, Gujd ransomware will drop a _readme.txt ransom note in all folders that contain encrypted files. The note is fairly standard for ransomware and is essentially identical to the ones dropped by other ransomware from this family. It will first explain that your files have been encrypted but you can recover them if you get the decryptor. But to get the decryptor, the cybercrooks behind this ransomware first want you to pay the ransom. Just like all other Djvu versions, Gujd ransomware demands that victims pay $980, or $490 if contact is made within the first 72 hours. manager@mailtemp.ch and helpmanager@airmail.cc are the provided email addresses for users who wish to make contact.

For users who have not encountered ransomware before, paying the ransom may seem like the best option to recover valuable files but we must caution them that paying will not necessarily lead to file decryption. It’s very much possible that the cyber crooks operating this malware will just take the money and not send the decryptor, considering that there is nothing obligating them to do otherwise. They are cybercriminals after all.

For users who have a backup, file recovery shouldn’t be an issue, provided the ransomware is removed first. If ransomware is still present when the backup is accessed, those files would be encrypted as well. For those who do not have a backup, file recovery is much more complicated.

Software company Emsisoft has released a STOP/Djvu free decryptor but it rarely works for newer versions, which unfortunately includes Gujd ransomware. The reason the decryptor works for older versions of Djvu is that the same offline key was used to encrypt files for all users. However, the versions released after 2019 mostly use online keys for file encryption, meaning the key is different in each case. Without those keys, it’s impossible to create a decryptor that works for all users. However, it is possible that the keys will be released sometime in the future, either by the cybercrooks themselves when they close up shop or by law enforcement when they apprehend those responsible for the ransomware. Thus, if you’re out of options, backup the encrypted files and wait for a free decryptor.

Lastly, we should warn you that Internet forums are full of fake decryptors, which, if downloaded, would infect the computer with additional malware. Only trust legitimate and known sources, such as NoMoreRansom, to provide safe decryptors.

How does ransomware infect a computer?

Ransomware can spread in a variety of different ways, including fake downloads/updates, trojans, spam email attachments, torrents, etc. Generally, developing good browsing habits can go a long way towards preventing a ransomware infection.

It’s not a secret that ransomware and other malware infections often spread via torrents, or more specifically, torrent websites. Those sites are notoriously badly moderated, meaning anyone can upload malicious content without issue. Torrents for content that’s particularly popular are likely to contain malware, which is one of the reasons why users are advised against pirating. For example, when a popular show like Game of Thrones released episodes, their torrents often had malware in them. Not to mention that pirating is essentially stealing content.

Spam email attachments remain one of the most common ways individual users infect their computers with ransomware. Cybercrooks buy thousands of leaked email addresses from dark web forums and then use them to launch malspam campaigns. All users need to do is open the attachment, and the malware can initiate. Fortunately, for users, the majority of these emails are very obvious, thus infection is easily avoidable. The emails are usually very generic and do not contain any information that explicitly applies to the potential victim unless someone is targeted specifically. The emails are sent from generic email addresses made up of random letters and numbers, contain quite a lot of grammar and spelling mistakes, address users in generic terms like User, Customer, Member, etc., and put strong pressure on users to open the attachment by claiming it’s an important document. It’s recommended to always be skeptical of unsolicited emails with attachments, as is scanning the files with VirusTotal or anti-virus software before opening them.

Another common way users pick up ransomware is via trojans. If your computer is infected with a trojan, which got in using one of the above-discussed methods, it may be able to download the ransomware without you even noticing.

Gujd ransomware removal

Considering that ransomware is quite a complex infection, it’s not a good idea to try to remove Gujd ransomware manually, as you could end up causing even more damage to your system. Thus, we highly recommend you use anti-virus software to delete Gujd ransomware fully. Once the ransomware is fully gone, you can safely connect to your backup to start recovering files. Keep in mind that if you access your backup while the ransomware is still present, those files would become encrypted as well.

Lastly, we should mention that just because you delete Gujd ransomware does not mean your files will be automatically decrypted. You need a decryptor to do that. But if you are out of options, back up the encrypted files and wait for a free decryptor to become available in the future. As we mentioned above, NoMoreRansom is a good source to check for decryptors.