Cyber threat analysts have discovered a new ransomware variant named the .Tfude ransomware virus. It appends the .tfude file extension to the names of encrypted files. This article gives a brief summary of this new ransomware virus and explains how to restore all encrypted personal files for free.
Once installed, the .Tfude ransomware virus scans the computer for certain file types and encrypts them. It encrypts almost all files, including:
.x3f, .ybk, .wm, .rar, .xll, .bik, .xmmap, .hkdb, .lrf, .ibank, .ptx, .wsh, .xbdoc, .xld, .xlsx, .apk, .syncdb, .hvpl, .gdb, .wpd, .rofl, .zi, .wp5, .vcf, .rgss3a, .wb2, .desc, .wn, .odc, .crw, .rim, .xf, .slm, .cdr, .bc6, .flv, .das, .mrwref, .psk, .wpe, .xy3, .bay, .xls, .webdoc, .zdc, .db0, .xlk, .bkf, .pptx, .svg, .3ds, .txt, .ai, .sql, .ws, .sidd, .vdf, .p12, .pfx, .wgz, .wotreplay, .mdb, .rb, .wp, .mddata, .xlsb, .p7b, .ods, .indd, .r3d, .png, .dba, .wpa, .wmo, .pkpass, .pef, .iwd, .wbz, .3fr, .xmind, .wmv, .dng, .yal, .bc7, .d3dbsp, .3dm, .xlsx, .mdbackup, .t13, .re4, .orf, .sidn, .cer, .doc, .wav, .rwl, .hkx, .pak, .xdb, .ztmp, .xlgc, .kdc, .wbk, .odm, .wbmp, .wps, .wp7, .lvl, .csv, .wri, .wmd, .wcf, .bsa, .vpk, .dcr, .js, .dazip, .wsd, .vtf, .der, .nrw, wallet, .odp, .wpg, .ncf, .wp4, .y, .cr2, .pst, .zdb, .sis, .m4a, .cas, .xlsm, .vpp_pc, .erf, .xpm, .bar, .eps, .zip, .icxs, .asset, .odb, .wpt, .bkp, .menu, .wbm, .xyw, .1, .wma, .raw, .dmp, .upk, .webp, .css, .sum, .wp6, .ppt, .esm, .fsh, .mpqge, .psd, .wpl, .dwg, .wpw, .fos, .x, .m3u, .xx, .7z, .qdf, .accdb, .ff, .epk, .tax, .hplg, .gho, .pdf, .yml, .lbf, .wmf, .map, .avi, .wdp, .odt, .mov, .snx, .1st, .wps, .blob, .wbd, .raf, .2bp, .sav, .xlsm, .wpd, .tor, .rtf, .wpb, .srw, .ntl, .jpe, .qic, .layout, .litemod, .sie, .ltx, .xyp, .fpk, .cfr, .p7c, .big, .forge, .xls, .x3f, .pem, .arw, .docm, .xar, .itm, .mlx, .wma, .jpg, .docx, .0
When the ransomware encrypts a file, it appends the .tfude extension to the file name. Once the ransomware has finished encrypting all photos, documents and music, it creates a file called “_openme.txt” containing ransom instructions on how to decrypt the personal files. An example of the ransom instructions is:
ALL YOUR FILES ARE ENCRYPTED Don't worry, you can return all your files! All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees do we give to you? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information Don't try to use third-party decrypt tools because it will destroy your files. Discount 50% available if you contact us first 72 hours. To get this software you need write on our e-mail: email@example.com Reserve e-mail address to contact us: firstname.lastname@example.org Your personal ID:
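The two markers described above (the .tfude extension and the _openme.txt note) are enough to scope the damage before cleanup. The following is an added example, not part of the original article: a read-only Python inventory that counts encrypted files, the original file types affected and the last-modified range of the encrypted files. The function names and the sample tree are constructed for illustration, and treating the modification-time range as the encryption window is an assumption.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".tfude"  # extension named in the article
RANSOM_NOTE = "_openme.txt"  # ransom note name given in the article

def inventory(root):
    """Summarise encrypted files and ransom notes under root (read-only)."""
    encrypted, notes, mtimes, types = [], [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                # "report.docx.tfude" -> original type ".docx"
                stem = name[:-len(ENCRYPTED_SUFFIX)]
                types[os.path.splitext(stem)[1].lower() or "(none)"] += 1
                try:
                    mtimes.append(os.path.getmtime(path))
                except OSError:
                    pass  # unreadable entry: counted, but no timestamp
    window = None
    if mtimes:  # assumption: mtime range approximates when encryption ran
        window = tuple(datetime.fromtimestamp(t, timezone.utc)
                       for t in (min(mtimes), max(mtimes)))
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "original_types": dict(types), "window_utc": window}

def build_sample_tree(root, base=1546300800):
    """Constructed sample: empty placeholder files with fixed timestamps."""
    names = ["Documents/report.docx.tfude", "Documents/budget.xlsx.tfude",
             "Pictures/photo.JPG.TFUDE", "Documents/_openme.txt",
             "Pictures/_openme.txt", "Documents/untouched.txt"]
    for i, rel in enumerate(names):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.utime(path, (base + 60 * i, base + 60 * i))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = inventory(build_sample_tree(tmp))
        print(len(result["encrypted"]), "encrypted,", len(result["notes"]), "notes")
        print(result["original_types"], result["window_utc"])
```

Point inventory() at a user profile or a mounted backup of the affected disk; it only reads directory entries and never modifies files.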
Follow the guide below to completely remove the .Tfude ransomware from your system and to restore encrypted personal files, using only free tools.
Table of contents
- How to decrypt .tfude files
- How to remove .Tfude ransomware virus
- How to restore .tfude files
- How to protect your computer from .Tfude ransomware
How to decrypt .tfude files
The ransom note tells the victim to write to the following e-mail addresses: email@example.com, firstname.lastname@example.org in order to purchase a decrypt tool that will decrypt all documents, photos and music. These persons will demand a ransom (usually $300-1000 in Bitcoins).
We do not recommend paying a ransom, as there is no guarantee that you will be able to decrypt .tfude files, especially since you have a chance to restore encrypted files for free using free tools such as ShadowExplorer and PhotoRec.
There is absolutely no guarantee that, after you pay a ransom to the authors of the .Tfude ransomware, they will provide the necessary software and private key to decrypt your files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create a new virus.
How to remove .Tfude ransomware virus
Most often it is not possible to remove the .Tfude ransomware virus manually. For that reason, our team developed several removal methods, which we’ve summarized in the detailed guide below. If you have the .Tfude ransomware virus on your PC system and are trying to remove it, follow the instructions below to resolve the problem. Some of the steps will require you to restart your PC system or exit this web page, so read this tutorial carefully, then bookmark or print it for later reference.
How to get rid of .Tfude ransomware with Zemana Anti-malware
You can delete .Tfude ransomware automatically with the help of Zemana Anti-malware. We suggest this malware removal tool because it can easily get rid of ransomware viruses, PUPs, adware and toolbars along with all their components, such as folders, files and registry entries.
- Zemana Free can be downloaded from the following link. Save it to your Desktop.
- Once the download is complete, close all programs and windows on your computer. Open the folder where the file was saved. Double-click the icon named Zemana.AntiMalware.Setup.
- Next, click the Next button and follow the prompts.
- Once the installation is finished, click the “Scan” button to look for the .Tfude ransomware virus and other kinds of security threats. This process can take some time, so please be patient. While the Zemana Anti Malware (ZAM) utility is checking, you can see the count of objects it has identified as being infected by malicious software.
- After the scan completes, Zemana AntiMalware (ZAM) will create a list of malware. Review the scan results and then click “Next”. Once disinfection is finished, you may be prompted to restart your personal computer.
Delete .Tfude ransomware virus with MalwareBytes Anti Malware
If you’re having problems removing the .Tfude ransomware virus, download MalwareBytes Anti-Malware (MBAM). It is free for home use, and it searches for and deletes various undesired apps that attack your PC system or degrade PC performance. MalwareBytes AntiMalware can get rid of adware and PUPs as well as malware, including ransomware and trojans.
Please go to the following link to download MalwareBytes. Save it to your Desktop so that you can access the file easily.
When the downloading process is finished, close all windows on your PC system. Further, run the file called mb3-setup. If the “User Account Control” prompt pops up as displayed on the screen below, click the “Yes” button.
It will display the “Setup wizard” which will help you install MalwareBytes Free on the personal computer. Follow the prompts and don’t make any changes to default settings.
Once the installation completes successfully, click the Finish button. MalwareBytes Anti-Malware (MBAM) will then start automatically and you will see its main window like below.
Next, press the “Scan Now” button to perform a system scan with this utility for the .Tfude ransomware and other malware. Depending on your PC system, the scan can take anywhere from a few minutes to close to an hour.
Once MalwareBytes Free has finished scanning your computer, a list of all items found is produced. Next, click the “Quarantine Selected” button.
MalwareBytes Anti-Malware (MBAM) will begin to remove the .Tfude ransomware virus and other security threats. When that process is complete, you may be prompted to reboot your PC system. We suggest you watch the following video, which fully explains how to use MalwareBytes to delete hijacker infections, ad-supported software and other malicious software.
Use KVRT to get rid of .Tfude ransomware virus from the computer
KVRT is a free portable application that scans your personal computer for malicious software such as the .Tfude ransomware and lets you remove it easily. It also lets you delete any malicious internet browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) from the following link.
After the download is finished, double-click the Kaspersky virus removal tool icon. Once the initialization process is done, you will see the KVRT screen as shown below.
Click Change Parameters and check the boxes next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button to begin scanning your PC for the .Tfude ransomware and other known infections. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your PC and the speed of your computer. While the Kaspersky virus removal tool is checking, you can see how many objects it has identified as threats.
When the scan ends, the results are shown in the scan report, as displayed in the figure below.
All found items will be marked. You can get rid of them all by simply clicking Continue to begin a cleaning task.
How to restore .tfude files
In some cases, you can recover files encrypted by the .Tfude ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted files.
Recover .tfude encrypted files using Shadow Explorer
Windows has a feature named ‘Shadow Volume Copies’ that can help you recover files encrypted by the .Tfude ransomware virus. The method described below only restores encrypted personal files to previous versions from the Shadow Volume Copies, using a free tool named ShadowExplorer.
Click the following link to download the latest version of ShadowExplorer for Microsoft Windows. Save it to your Desktop so that you can access the file easily.
After the download is done, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as on the image below.
Start the ShadowExplorer utility, then choose the disk (1) and the date (2) of the shadow copy from which you want to restore the file(s) encrypted by the .Tfude ransomware virus, as shown in the following example.
Now navigate to the file or folder that you wish to restore. When ready, right-click it and click the ‘Export’ button as shown in the figure below.
Run PhotoRec to recover .tfude files
Before a file is encrypted, the .Tfude ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. Until the disk space of the deleted original is overwritten, its contents may still be on the disk, so this can allow you to recover your files using file recovery applications such as PhotoRec.
Download PhotoRec from the link below.
After the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder like below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll show a screen as displayed in the figure below.
Select a drive to recover as shown on the screen below.
You will see a list of available partitions. Choose a partition that holds encrypted personal files as displayed in the figure below.
Click the File Formats button and specify the file types to recover. You can enable or disable the restoring of certain file types. When this is complete, click the OK button.
Next, click the Browse button to select where restored files should be written, then click Search.
The count of restored files is updated in real time. All recovered files are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.
When the restore is complete, click the Quit button. Next, open the directory where the restored documents, photos and music are stored. You will see contents as shown below.
All restored files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, you can sort your recovered files by extension and/or date/time.
How to protect your computer from .Tfude ransomware
Most antivirus programs already have built-in protection against this virus. Therefore, if your PC system does not have an antivirus program, make sure you install one. As extra protection, run CryptoPrevent.
Run CryptoPrevent to protect your system from .Tfude ransomware virus
Download CryptoPrevent by clicking on the link below. Save it to your Desktop.
Run it and follow the setup wizard. Once the install is finished, you will be shown a window where you can select a level of protection, as displayed in the figure below.
Now click the Apply button to activate the protection.
Now your PC system should be clean of the .Tfude ransomware virus. Delete MalwareBytes Anti-Malware and KVRT. We recommend that you keep Zemana Anti-Malware (to periodically scan your PC system for new malicious software). Make sure that you have all the Critical Updates recommended for the Microsoft Windows operating system. Without regular updates you WILL NOT be protected when new ransomware, malicious applications and adware are released.
If you are still having problems while trying to remove .Tfude ransomware virus from your computer, then ask for help here.
My whole PC was infected by a TFUDE. I backed everything up in a file called ZZZ, encrypted personal folder (tfude), and then wiped everything. I reinstalled Windows 10. Since I couldn’t even format my main disk, I bought a new one.
I have several disks. When I had finished reinstalling everything, I copied the ZZZ file to a disk (F).
I tried Shadow explorer 09 without any success.
I tried testdisk-7.0.win; the window that opens is not at all the one shown on your site. It is a black window.
And my F disk does not appear???
I don’t understand any of it and I would have liked to recover some important files! Can you help me?
Thank you for your reply.
The program is in the archive, so it needs to be unzipped. If you are unable to do this, then try using WinRAR.