Cyber security experts have received multiple reports of Geno ransomware infections. It is a new malware that infects a computer and restricts user access to documents, photos and music by encrypting them, until a ransom is paid to unlock (decrypt) them. This ransomware spreads via spam emails and malicious files and appends the .geno file extension to encrypted files.
The Geno virus is known to encrypt almost all file types, including files with the following extensions:
.esm, .pak, .rtf, .fsh, .ff, .jpg, .1, .wp4, .dwg, .tax, .pdd, .sql, .fos, .desc, .wotreplay, .mdf, .ncf, .bkf, .2bp, .mdbackup, .mcmeta, .yal, .w3x, .m3u, .wmv, .bkp, .xpm, .dxg, .mpqge, .sav, .vdf, .hkx, .lrf, .bc7, .xyp, .txt, .wsc, .crt, .odc, .css, .qdf, .indd, .ybk, .cer, .m2, .1st, .zabw, .x3f, .xbplate, .bar, .r3d, .kdc, .mrwref, .qic, .ods, .mov, .xlsm, .vfs0, .x, .wps, .xmmap, .ptx, .wmf, .wmo, .dbf, .mddata, .xlsx, .ppt, .raf, .xy3, .xlk, .srw, .ysp, .vtf, .xlgc, .re4, .vpk, .rim, .wpl, .psd, .der, .rwl, .iwi, .3fr, .xlsm, .docx, .psk, .cr2, .sis, .ws, .wps, .syncdb, .webdoc, .upk, .hkdb, .bay, .dcr, .litemod, .cfr, .xxx, .wbm, .srf, .wav, .wp, .kdb, .wire, .xls, .wb2, .tor, .zw, .pem, .sr2, .xls, .wpd, .wbd, .dazip, .bik, .rar, .lbf, .jpeg, .hplg, .pst, .xwp, .ztmp, .jpe, .3ds, .wpa, .forge, .avi, .y, .wn, .eps, .odp, .js, .arch00, .mp4, .layout, .xld, .pfx, .nrw, .mlx, .rw2, .x3d, .ntl, .wbz, .docm, .sb, .webp, .dba, .xar, .zip, .snx, .sie, .wpd, .cdr, .xyw, .wp7, .mef, .wbc, .t12, .zif, .zi, .z3d, .map, .rofl, .accdb, .flv, .p7c, .wcf, .wpt, .xf, .asset, .cas, .xlsb, .m4a, .xmind, .wbk, .wsh, .xll, .rb, .wmv, .pef, .itm, wallet, .sidd, .iwd, .wbmp, .vcf, .big, .yml, .bsa, .wmd, .sum, .csv, .wgz, .icxs, .zdc, .wpg, .mdb, .pptm, .sid, .xx, .z, .t13, .dng, .slm, .xdl, .svg, .d3dbsp
The Geno ransomware virus blocks users’ files using a complex encryption algorithm, overwrites most of the content of the original files with the encrypted data and adds the .geno extension to every encrypted file. A user who sees files with the .geno extension understands that they are encrypted and will remain so until the attackers are paid the required amount of money for a special key that decrypts the files. Usually, the authors of the Geno ransomware leave a ransom note named ‘_readme.txt’ on the infected computer, indicating the required ransom amount.
Threat Summary
| Field | Details |
| --- | --- |
| Name | Geno |
| Type | File locker, Crypto malware, Filecoder, Ransomware, Crypto virus |
| Encrypted files extension | .geno |
| Ransom note | _readme.txt |
| Contact | gorentos@bitmessage.ch |
| Ransom amount | $980 in Bitcoins |
| Symptoms | Encrypted documents, photos and music. Your personal files now have odd extensions that end with something like .geno. Files called ‘_readme.txt’ or ‘_readme’ in every folder with an encrypted file. New files on your desktop with names such as ‘HOW_TO_DECRYPT.txt’, ‘DECRYPT.txt’ or ‘README.txt’. |
| Distribution ways | Phishing emails that look like they come from a reliable source. Drive-by downloads (the crypto virus can infect the computer simply by visiting a website that is running harmful code). Social media posts (used to mislead users into downloading malware with a built-in ransomware downloader or clicking a suspicious link). Misleading advertisements that cybercriminals use to distribute malicious software with no user interaction required. |
| Removal | To remove Geno ransomware use the removal guide |
| Decryption | To decrypt Geno ransomware use the steps |
You can follow our instructions below to search for and uninstall Geno ransomware virus from your personal computer as well as recover encrypted files for free.
Quick links
- How to remove Geno ransomware virus
- Use STOPDecrypter to decrypt .geno files
- How to restore .geno files
- How to protect your computer from Geno ransomware virus?
How to remove Geno ransomware virus
We can assist you in removing Geno ransomware without the need to take your personal computer to a professional. Simply follow the removal steps below if you currently have the ransomware virus on your PC system and want to remove it. If you have any difficulty while trying to uninstall the crypto virus, feel free to ask for our help in the comment section below. Read it through once; after doing so, please print this page, as you may need to close your web browser or reboot your PC.
How to remove Geno virus with Zemana Free
Zemana Anti Malware is highly recommended because it can search for security threats such as Geno ransomware, other malware and trojans that most ‘classic’ antivirus software fails to pick up on. Moreover, if you have any Geno removal problems that cannot be fixed by this utility automatically, Zemana Anti-Malware (ZAM) provides 24x7 online assistance from highly experienced support staff.
- Please go to the following link to download Zemana Anti Malware. Save it to your Desktop.
Zemana AntiMalware
- Once you have downloaded the installation file, double click on Zemana.AntiMalware.Setup. This starts the Zemana Anti-Malware setup on your personal computer.
- Select the installation language and press the ‘OK’ button.
- On the next ‘Setup Wizard’ screen simply click the ‘Next’ button and follow the prompts.
- Finally, once the installation is done, Zemana Anti-Malware will open automatically. If it does not, double-click the Zemana Anti Malware icon on your desktop.
- Now that you have successfully installed Zemana, let’s see how to use Zemana Free to uninstall the Geno ransomware virus from your computer.
- After you have started Zemana Anti-Malware (ZAM), you’ll see a window as shown on the screen below; just click the ‘Scan’ button. The Zemana Anti Malware utility will start scanning the whole computer to find the crypto virus.
- Now pay attention to the screen while Zemana Free scans your machine.
- When Zemana Free has finished scanning your machine, Zemana Anti-Malware (ZAM) will display a scan report. Review the report and then press the ‘Next’ button.
- Zemana Free may require a reboot of your personal computer in order to complete the Geno virus removal process.
- If you want to completely delete the crypto malware from your PC system, press the ‘Quarantine’ icon, select all malware, adware software, PUPs and other items and click Delete.
- Reboot your computer to complete the crypto malware removal procedure.
How to automatically remove Geno file virus with MalwareBytes AntiMalware
Manual Geno removal requires some computer skills. Some files and registry entries created by the crypto malware may not be completely removed. We advise using MalwareBytes AntiMalware, which can fully free your computer of the crypto virus. Moreover, this free program will also allow you to delete malware, PUPs, adware software and toolbars that your computer may be infected with.
MalwareBytes Anti Malware (MBAM) can be downloaded from the following link. Save it on your Desktop.
After the download is done, close all windows on your PC. Then run the file called mb3-setup. If the “User Account Control” prompt pops up as shown in the following example, click the “Yes” button.
It will show the “Setup wizard”, which will allow you to install MalwareBytes on the computer. Follow the prompts and don’t change the default settings.
Once setup has completed successfully, click the Finish button. MalwareBytes Free will then run automatically and you will see its main window, like the one below.
Next, press the “Scan Now” button. The MalwareBytes Free program will scan the whole computer for the Geno ransomware virus, other malicious software, worms and trojans. While MalwareBytes AntiMalware is checking, you may see the number of objects it has identified as malware.
After the scan is complete, MalwareBytes AntiMalware will prepare a list of unwanted programs and crypto malware. Review the results once the tool has finished the system scan. If you think an entry should not be quarantined, uncheck it. Otherwise, simply click the “Quarantine Selected” button.
MalwareBytes Anti-Malware will remove Geno ransomware virus related folders, files and registry keys and add the items to the Quarantine. When the clean-up is finished, you may be prompted to restart your PC system. We recommend you look at the following video, which fully explains the procedure of using MalwareBytes Anti-Malware to remove browser hijackers, adware software and other malicious software.
Scan and free your computer of ransomware virus with KVRT
KVRT is a free removal utility that can be downloaded and run to remove crypto viruses, adware software, malware, PUPs, toolbars and other threats from your PC. You can run this utility to scan for threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) from the link below.
After the download is complete, double-click on the KVRT icon. Once the initialization procedure is done, you will see the KVRT screen as on the image below.
Click Change Parameters and set a check mark next to all your drives. Click OK to close the Parameters window. Next click the Start scan button to check your PC for the Geno ransomware and other known infections. This procedure can take some time, so please be patient. While the Kaspersky virus removal tool utility is scanning, you can see how many objects it has identified as being infected by malware.
After it has finished, you can check all items detected on your system as displayed below.
Review the scan results and then press on Continue to begin a cleaning process.
Use STOPDecrypter to decrypt .geno files
All files with the ‘.geno’ extension are encrypted. Their contents cannot be unlocked simply by removing this extension or completely changing the filename. To decrypt .geno files, you need a decryptor. Fortunately, there is a free Geno File Decrypt Tool that can decrypt .geno files. Below we provide instructions on where to download and how to use Geno File Decrypt Tool.
To decrypt .geno files, use Geno File Decrypt Tool
- Download Geno File Decrypt Tool from the following link.
STOP Djvu decryptor - Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
Geno File Decrypt Tool is a free tool that allows everyone to decrypt .geno files for free. At the moment, the decryptor can only decrypt files that have been encrypted with an offline key. Unfortunately, if the files were encrypted with an online key, then the free decryptor is completely useless. In this case, there is a chance to restore the encrypted files using alternative methods, which are described below.
How to find out which key was used to encrypt files
Since Geno File Decrypt Tool only decrypts files encrypted with the offline key, each Geno victim needs to find out which key was used to encrypt the files. Determining the type of key used is not difficult. Below we give two ways; use either of them. We recommend the second method, as it is more accurate.
Find out the type of key using ‘_readme.txt’ file
- Open the ransom demand message (‘_readme.txt’ file).
- Scroll down to the end of the file.
- There you will see a line with the text ‘Your personal ID’.
- Below is a line of characters – this is your personal id.
Find out the type of key using ‘PersonalID.txt’ file
- Open disk C.
- Open directory ‘SystemID’.
- Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the virus used to encrypt files.
The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Geno virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.
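As an added example that is not part of this guide, the following Python script applies the rule above (a Personal ID ending in ‘t1’ means an offline key) to both places the guide says the ID can be found: the ‘_readme.txt’ note and C:\SystemID\PersonalID.txt. The sample note and IDs embedded in it are constructed, and the function names are my own.

```python
# Added triage helper: classifies Geno/STOP Djvu Personal IDs as offline or online
# using the guide's rule (ID ends with 't1' -> offline key). The sample inputs at
# the bottom are constructed and do not come from a real infection.
from typing import Dict, List, Optional

OFFLINE_SUFFIX = "t1"                              # rule from the guide
PERSONALID_PATH = r"C:\SystemID\PersonalID.txt"    # file location named in the guide


def key_type(personal_id: str) -> str:
    """Return 'offline' if the ID ends with 't1', otherwise 'online'."""
    return "offline" if personal_id.strip().endswith(OFFLINE_SUFFIX) else "online"


def id_from_readme(readme_text: str) -> Optional[str]:
    """Extract the Personal ID from a '_readme.txt' ransom note.

    The note contains a line with 'Your personal ID'; the ID itself is either
    after a colon on that line or on the next non-empty line."""
    lines = [ln.strip() for ln in readme_text.splitlines()]
    for i, line in enumerate(lines):
        if "your personal id" in line.lower():
            after_colon = line.split(":", 1)[1].strip() if ":" in line else ""
            if after_colon:
                return after_colon
            for nxt in lines[i + 1:]:
                if nxt:
                    return nxt
    return None


def ids_from_personalid_file(text: str) -> List[str]:
    """PersonalID.txt lists one Personal ID per line; there may be several."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def triage(readme_text: str, personalid_text: str) -> Dict[str, str]:
    """Classify every ID found in either source (PersonalID.txt is authoritative)."""
    verdicts = {pid: key_type(pid) for pid in ids_from_personalid_file(personalid_text)}
    note_id = id_from_readme(readme_text)
    if note_id and note_id not in verdicts:
        verdicts[note_id] = key_type(note_id)
    return verdicts


def triage_from_disk(readme_path: str, personalid_path: str = PERSONALID_PATH) -> Dict[str, str]:
    """Run the same check against the real files on an infected Windows machine."""
    with open(readme_path, encoding="utf-8", errors="replace") as f:
        readme = f.read()
    with open(personalid_path, encoding="utf-8", errors="replace") as f:
        pid_text = f.read()
    return triage(readme, pid_text)


# Constructed sample inputs (not a real note, not real victim IDs).
SAMPLE_README = "ATTENTION!\nAll your files are encrypted.\nYour personal ID:\nSAMPLEOFFLINE0000t1\n"
SAMPLE_PERSONALID = "SAMPLEOFFLINE0000t1\nSAMPLEONLINE0000ab\n"

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_README, SAMPLE_PERSONALID).items():
        print(f"{pid}: {verdict} key")
```

An ID classified as offline is the only case where the free decryptor described above can help; an online verdict means the alternative recovery methods further down are the remaining option.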
Geno File Decrypt Tool : “No key for New Variant online ID”
If, when you try to decrypt .geno files, Geno File Decrypt Tool reports:
No key for New Variant online ID: *
Notice: this ID appears to be an online ID, decryption is impossible
It means that your files are encrypted with an ‘online key’ and their decryption is impossible, since only the Geno authors have the key necessary for decryption. In this case, you need to use alternative methods listed below to restore the contents of encrypted files.
Geno File Decrypt Tool : “No key for New Variant offline ID”
If, during decryption of .geno files, Geno File Decrypt Tool reports:
No key for New Variant offline ID: *t1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future.
It means the following: your files are encrypted with an ‘offline key’, but the key itself has not yet been obtained by security researchers. In this case, you need to be patient and wait a while; in addition, you can also use the alternative ways of recovering encrypted data described below.
If for some reason you were unable to decrypt the encrypted files, we recommend following the news on our Facebook or YouTube channels, so you’ll know right away when it becomes possible to decrypt .geno files.
This step-by-step video guide demonstrates how to use the STOP Djvu decryptor to decrypt encrypted files.
How to restore .geno files
In some cases, you can restore files encrypted by the Geno crypto virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted documents, photos and music.
Restore .geno files with ShadowExplorer
A free tool named ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of Microsoft Windows 10 (8, 7, Vista). You can recover .geno files encrypted by the Geno ransomware from Shadow Copies for free.
First, click the link below, then click the ‘Download’ button in order to download the latest version of ShadowExplorer.
After the download is done, open the directory in which you saved it. Right click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next open the ShadowExplorerPortable folder as shown below.
Double click ShadowExplorerPortable to run it. You will see a window as displayed in the following example.
In the top left corner, select the drive where the encrypted personal files are stored and the latest restore point, like below (1 – drive, 2 – restore point).
In the right panel look for a file that you want to recover, right click it and select Export as displayed on the image below.
Recover .geno files with PhotoRec
Before a file is encrypted, the Geno crypto virus makes a copy of the file, encrypts the copy, and then deletes the original file. This can allow you to recover your files using file recovery software like PhotoRec.
Download PhotoRec from the following link.
Once the download is done, open the directory in which you saved it. Right click testdisk-7.0.win and choose Extract all. Follow the prompts. Next open the testdisk-7.0 folder as shown below.
Double click qphotorec_win to run PhotoRec for MS Windows. It will display a screen as shown below.
Choose a drive to recover as displayed on the image below.
You will see a list of available partitions. Choose the partition that holds the encrypted files, similar to the one below.
Click the File Formats button and choose the file types to restore. You can enable or disable the recovery of certain file types. When this is done, press the OK button.
Next, click the Browse button to choose where recovered documents, photos and music should be written, then click Search.
The count of recovered files is updated in real time. All recovered photos, documents and music are written to the folder you chose in the previous step. You can access the files even if the recovery process is not finished.
When the recovery is finished, press the Quit button. Next, open the directory where the restored photos, documents and music are stored. You will see contents as displayed on the image below.
All recovered documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your restored files by extension and/or date/time.
How to protect your computer from Geno ransomware virus?
Most antivirus programs already have built-in protection against ransomware. Therefore, if your personal computer does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert.
Run HitmanPro.Alert to protect your system from Geno crypto malware
All-in-all, HitmanPro.Alert is a fantastic utility to protect your PC system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of MS Windows operating system from Microsoft Windows XP to Windows 10.
HitmanPro.Alert can be downloaded from the following link. Save it on your MS Windows desktop or in any other place.
When the download is finished, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. Once the tool is launched, you will be shown a window where you can choose a level of protection, as shown in the figure below.
Now click the Install button to activate the protection.
To sum up
Now your PC system should be free of the Geno crypto malware. Remove MalwareBytes Free and KVRT. We suggest that you keep Zemana (to periodically scan your PC for new malware). Make sure that you have all the Critical Updates recommended for Windows OS. Without regular updates you WILL NOT be protected when new ransomware, malicious software and adware are released.
If you are still having problems while trying to uninstall Geno crypto malware from your PC, then ask for help here.