A new variant of ransomware virus has been discovered by cyber security specialists. It appends the .Puma, .Pumax or .Pumas extension to encrypted files. This ransomware targets computers running Microsoft Windows by spam emails and malware.
Once installed, the .Puma ransomware virus will scan the machine for some file types and encrypt them. It will encrypt almost of files, including:
.bkp, .menu, .bc6, .nrw, .lrf, .qic, .map, .xld, .wma, .rgss3a, .pkpass, .dazip, .raf, .blob, .ibank, .apk, .gdb, .xar, .indd, .esm, .rw2, .x, .litemod, .sie, .tax, .sql, .wot, .cdr, .layout, .xll, .xlsm, .sb, .icxs, .wpd, .t13, .cas, .mpqge, .bay, .ods, .wpt, .mdf, .bsa, .re4, .w3x, .m4a, .xyw, .d3dbsp, .pdd, .wdp, .odc, .p7c, .der, .raw, .odm, .fos, .wire, .mdb, .ybk, .xy3, .xlsx, .hkx, .rofl, .xlsm, .png, .wb2, .svg, .wp, .dbf, .dwg, .3ds, .xf, .kdc, .lbf, .wbk, .wcf, .cer, .rar, .doc, .wn, .zip, .dcr, .sav, .wp7, .ntl, .snx, .xbplate, .yml, .ptx, .erf, .mlx, .zif, .sum, .odb, .m3u, .das, .zip, .1st, .vcf, .wbc, .css, .cr2, .hplg, .bar, .forge, .wpe, .vfs0, .csv, .sid, .ai, .xwp, .dba, .wsh, .t12, .flv, .wp6, .z3d, .wav, .sidn, .xmind, .odt, .xml, .zi, .xxx, .srw, .crw, .lvl, .zw, .wsc, .rwl, .xx, .p7b, .xlgc, .wpb, .psd, .wdb, .pptm, .wpg, .pem, .wpa, .vdf, .upk, .wmo, .pef, .wps, .mef, .itm, .2bp, .wpl, .db0, .wmd, .vpp_pc, .mddata, .jpe, .hvpl, .wmv, .ysp, .itdb, .pptx, .x3f, .kf, .zabw, .tor, .pfx, .gho, .vpk, .js, .xls, .dmp, .cfr, .wp5, .mdbackup, .iwd, .p12, .wps, .wsd, .wm, .epk, .fsh, .hkdb, .wmv, .iwi, .fpk, .webp, .y, .ncf, .qdf, .crt, .bik, .itl, .xbdoc, wallet, .asset, .txt, .wmf, .wpw, .0, .docm, .xmmap, .bc7, .yal, .sidd, .pak, .sis, .ltx, .ws, .zdb, .xdl, .ztmp, .docx, .wp4, .3dm, .srf, .psk, .wbm, .wotreplay, .ppt, .mov, .bkf, .webdoc, .dng, .mp4, .x3d, .3fr, .pdf, .xdb, .x3f
Once the encryption process is complete, it will drop a ransomnote named “!readme.txt” offering decrypt all users personal files if a payment is made. An example of the ransom demanding message is:
ATTENTION PLEASE Your databases, files, photos, documents and other important files are encrypted and have the extension: .puma The only method of recovering files is to purchase an decrypt software and unique private key. After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data. Only we can give you this key and only we can recover your files. You need to contact us by e-mail firstname.lastname@example.org send us your personal ID and wait for further instructions. For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE. Discount 50% avaliable if you contact us first 72 hours. E-mail address to contact us: email@example.com Reserve e-mail address to contact us: BM-2cXonzj9ovn5qdX2MrwMK4j3qCquXBKo4h@bitmessage.ch Your personal id:
Instructions that is shown below will allow you to remove .Puma ransomware as well as restore encrypted personal files stored on your PC system drives.
Table of contents
- How to decrypt .Puma, .Pumax, .Pumas files
- How to remove .Puma ransomware virus
- How to restore .Puma, .Pumax, .Pumas files
- How to protect your system from .Puma ransomware
How to decrypt .Puma, .Pumax, .Pumas files
If your files have been encrypted by the .Puma ransomware virus, We recommends: do not to pay the ransom. There is absolutely no guarantee that after pay a ransom to the authors of the .Puma ransomware, they will provide the necessary key to decrypt your files. If this malicious software make money for its creators, then your payment will only increase attacks against you.
Of course, decryption without the private key is not possible, but that does not mean that the .Puma ransomware virus must seriously disrupt your live. The free tools listed below can detect and remove this ransomware and prevent any further damage. After that you can restore encrypted documents, photos and music from their Shadow Copies or using file restore tool.
How to remove .Puma ransomware virus
There are a few ways that can be used to remove .Puma ransomware. But, not all ransomware like this virus can be completely deleted utilizing only manual methods. Most often you are not able to remove any ransomware utilizing standard Windows options. In order to remove .Puma ransomware you need run reliable removal utilities. Most IT security experts states that Zemana Anti-malware, Malwarebytes or KVRT utilities are a right choice. These free programs are able to detect and get rid of .Puma ransomware virus from your system for free.
How to automatically delete .Puma ransomware with Zemana Anti-malware
Zemana Anti-malware is a tool which can delete ransomware infections, ad-supported software, PUPs, hijackers and other malicious software from your PC easily and for free. Zemana Anti-malware is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses minimum of system resources.
Zemana Free can be downloaded from the following link. Save it directly to your Windows Desktop.
Author: Zemana Ltd
Category: Security tools
Update: March 3, 2018
When the downloading process is finished, close all software and windows on your system. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup like below.
When the install begins, you will see the “Setup wizard” which will help you install Zemana Anti Malware (ZAM) on your PC.
Once installation is complete, you will see window as shown below.
Now press the “Scan” button . Zemana program will scan through the whole PC system for the .Puma ransomware and other kinds of potential threats such as malware and potentially unwanted applications. A system scan can take anywhere from 5 to 30 minutes, depending on your system. When a threat is found, the number of the security threats will change accordingly. Wait until the the checking is done.
After the scanning is done, Zemana Anti Malware will show a list of all threats detected by the scan. Review the results once the tool has complete the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply press “Next” button.
The Zemana Anti Malware will get rid of .Puma ransomware virus and other security threats.
How to get rid of .Puma ransomware with MalwareBytes
We recommend using the MalwareBytes Free. You can download and install MalwareBytes AntiMalware to scan for and delete .Puma ransomware virus from your computer. When installed and updated, this free malware remover automatically identifies and removes all threats exist on the PC.
MalwareBytes can be downloaded from the following link. Save it to your Desktop so that you can access the file easily.
Category: Security tools
Update: February 5, 2019
When downloading is complete, close all windows on your system. Further, open the file called mb3-setup. If the “User Account Control” prompt pops up as on the image below, click the “Yes” button.
It will open the “Setup wizard” that will help you install MalwareBytes Anti Malware (MBAM) on the system. Follow the prompts and do not make any changes to default settings.
Once setup is complete successfully, click Finish button. Then MalwareBytes Anti Malware will automatically launch and you may see its main window as displayed in the figure below.
Next, click the “Scan Now” button to perform a system scan for the .Puma ransomware virus and other malicious software and PUPs. A system scan can take anywhere from 5 to 30 minutes, depending on your machine. When a threat is found, the number of the security threats will change accordingly.
After the scan is done, a list of all threats detected is produced. In order to delete all items, simply click “Quarantine Selected” button.
The MalwareBytes will start to remove .Puma ransomware and other security threats. When the clean up is finished, you may be prompted to reboot your computer. We advise you look at the following video, which completely explains the process of using the MalwareBytes AntiMalware (MBAM) to remove hijacker infections, adware and other malicious software.
Remove .Puma ransomware from PC system with KVRT
KVRT is a free removal utility that can be downloaded and use to remove viruss, adware, malware, PUPs, toolbars and other threats from your computer. You may use this tool to search for threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) by clicking on the following link. Save it to your Desktop.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After the download is finished, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is finished, you will see the KVRT screen as displayed below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to perform a system scan for the .Puma ransomware virus . A scan can take anywhere from 10 to 30 minutes, depending on the count of files on your PC and the speed of your computer. While the Kaspersky virus removal tool tool is checking, you may see how many objects it has identified as being affected by malware.
Once that process is finished, the results are displayed in the scan report as displayed on the screen below.
In order to remove all threats, simply click on Continue to start a cleaning task.
How to restore .Puma, .Pumax, .Pumas files
In some cases, you can recover files encrypted by .Puma ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.
Run ShadowExplorer to recover .Puma files
A free tool named ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7 , Vista). You can recover .Puma documents, photos and music encrypted by the .Puma ransomware virus from Shadow Copies for free.
Visit the page linked below to download ShadowExplorer. Save it on your MS Windows desktop or in any other place.
Category: Security tools
Update: February 27, 2018
When the download is done, extract the saved file to a folder on your computer. This will create the necessary files as displayed on the image below.
Run the ShadowExplorerPortable application. Now select the date (2) that you wish to recover from and the drive (1) you wish to restore files (folders) from like below.
On right panel navigate to the file (folder) you want to recover. Right-click to the file or folder and press the Export button as on the image below.
And finally, specify a directory (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
Run PhotoRec to recover .Puma files
Before a file is encrypted, the .Puma ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file recover programs such as PhotoRec.
Download PhotoRec by clicking on the following link.
Category: Security tools
Update: March 1, 2018
When the download is done, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder like below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll show a screen as displayed in the figure below.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Select a partition that holds encrypted files as shown below.
Click File Formats button and specify file types to recover. You can to enable or disable the recovery of certain file types. When this is complete, press OK button.
Next, click Browse button to select where recovered personal files should be written, then click Search.
Count of recovered files is updated in real time. All restored personal files are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is finished, click on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents like below.
All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your system from .Puma ransomware
Most antivirus applications already have built-in protection system against the ransomware virus. Therefore, if your PC does not have an antivirus program, make sure you install it. As an extra protection, run the CryptoPrevent.
Run CryptoPrevent to protect your system from .Puma ransomware virus
Download CryptoPrevent on your MS Windows Desktop by clicking on the following link.
Run it and follow the setup wizard. Once the install is finished, you’ll be displayed a window where you can select a level of protection, as shown in the following example.
Now press the Apply button to activate the protection.
To sum up
Now your PC system should be free of the .Puma ransomware virus. Delete KVRT and MalwareBytes AntiMalware (MBAM). We suggest that you keep Zemana Free (to periodically scan your machine for new malware). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to delete .Puma ransomware from your system, then ask for help here.