Green_Ray Ransomware

Also Known As: Green_Ray virus
Distribution: Low
Damage level: Severe

Green_Ray ransomware removal instructions

What is Green_Ray?

Green_Ray is ransomware identical to Mahasaraswati and JohnyCryptor. This ransomware encrypts files using an asymmetric encryption algorithm, generating public (to encrypt) and private (to decrypt) keys during encryption. In addition, Green_Ray extends the name of each compromised file with "green_ray(@)", thus making it straightforward to determine which files are encrypted.

After infiltrating the system, Green_Ray changes the desktop wallpaper and creates a "How to decrypt your files.txt" file, which contains an email address to contact cyber criminals. The Green_Ray desktop wallpaper states that files have been encrypted and that users must contact the email addresses provided to receive further instructions. After contacting cyber criminals, victims will then supposedly receive a reply stating that they must pay a ransom in exchange for the private key (which is stored on remote servers controlled by cyber criminals). This behavior is common to ransomware viruses. The size of ransom is currently unknown (but should be provided in the email reply). We strongly advise you to not to contact developers of Green_Ray. Research shows that many ransomware developers often ignore victims, despite payments being made. Thus, paying does not guarantee that your files will ever be decrypted. By paying, you will merely support their malicious businesses and waste your money. Unfortunately, there are no tools capable of restoring files compromised by this ransomware. Therefore, the only solution is to restore your files from a backup.

Screenshot of a message encouraging users to contact the developers of Green_Ray ransomware to decrypt their compromised data:

Green_Ray decrypt instructions

Ransomware viruses are often very similar. They stealthily infiltrate the system, encrypt files, and make demands for ransoms. There are two main differences - type of encryption algorithm used and size of ransom. Even the distribution methods are identical. Ransomware-type viruses are often proliferated using fake software updates, infectious email attachments (for example, javascript files, which appear to be .doc job application forms), peer-to-peer networks (such as, Torrent), and trojans. Therefore, it is very important to keep your installed software up-to-date. Furthermore, be cautious when downloading files from third party sources and never open any attachments sent from suspicious email addresses. Using a legitimate anti-virus/anti-spyware suite is also paramount.

Ransom-demand message (Green_Ray desktop wallpaper):

Attention! Your files are encrypted During the restoration, please mail [email protected] Note! Attempt self-recovery destroy files.

Screenshot of "How to decrypt your files.txt" file:

Green_Ray text file

Screenshot of files encrypted by Green_Ray:

Files encrypted by Green_Ray

Green_Ray ransomware removal:

Instant automatic malware removal: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Malwarebytes is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Malwarebytes By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.

Quick menu:

Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Step 2

Log in to the account infected with the Green_Ray virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":

1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window, click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the Green_Ray ransomware virus infiltrating your PC).

select a restore point

6. In the opened window, click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Green_Ray ransomware files.

To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Green_Ray are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.

Restoring files encrypted by CryptoDefense

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by Green_Ray, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.

shadow explorer screenshot

To protect your computer from file encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as Green_Ray ransomware.)

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user intervention:

hitmanproalert ransomware prevention application

Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:

malwarebytes anti-ransomware

  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.

Other tools known to remove Green_Ray ransomware:

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
Green_Ray virus QR code
A QR code (Quick Response Code) is a machine-readable code which stores URLs and other information. This code can be read using a camera on a smartphone or a tablet. Scan this QR code to have an easy access removal guide of Green_Ray virus on your mobile device.
We Recommend:

Get rid of Windows malware infections today:

Download Malwarebytes

Platform: Windows

Editors' Rating for Malwarebytes:
Editors ratingOutstanding!

[Back to Top]

To use full-featured product, you have to purchase a license for Malwarebytes. 14 days free trial available.