This week, security specialists has received reports of yet another ransomware named .Pdff ransomware virus. This ransomware virus spreads via spam emails and malware files and appends the .pdff file extension to encrypted files.
The .Pdff ransomware uses a hybrid encryption mode. The ransomware virus will encrypt almost all types of files, including common as:
.jpg, .csv, .orf, .xls, .fsh, .svg, .xar, .mddata, .vpk, .wbk, .wpa, .fos, .mdf, .wsh, .docm, .x3f, .esm, .xbdoc, .tax, .m3u, .sis, wallet, .zif, .snx, .t12, .lbf, .wcf, .raw, .xlsx, .p7b, .mov, .bc7, .ntl, .xlsm, .epk, .pef, .docx, .pst, .wbd, .arw, .wsc, .pkpass, .blob, .layout, .zip, .wpb, .icxs, .sav, .hplg, .dazip, .ff, .qic, .xmmap, .flv, .srw, .wdb, .wmv, .wdp, .apk, .ncf, .accdb, .rar, .map, .pdf, .pfx, .wps, .xyw, .rwl, .w3x, .xlgc, .z, .zabw, .wp7, .jpe, .desc, .sid, .3dm, .kdb, .zdb, .ods, .ai, .vpp_pc, .wmo, .mdb, .hkx, .re4, .d3dbsp, .ltx, .dwg, .wma, .rim, .rofl, .p12, .wav, .sql, .x3f, .m4a, .sie, .vcf, .doc, .wpt, .py, .css, .bar, .gho, .yml, .zw, .cdr, .raf, .2bp, .das, .zi, .dbf, .xf, .wotreplay, .wbz, .xyp, .cfr, .xlsx, .pdd, .bkp, .lrf, .xx, .psd, .odb, .gdb, .rw2, .xlk, .wmd, .png, .odt, .xls, .p7c, .xpm, .pptm, .nrw, .yal, .bkf, .xdb, .webp, .db0, .js, .7z, .wpw, .wp6, .xlsb, .cr2, .itm, .qdf, .mcmeta, .xbplate, .mdbackup, .y, .odc, .crt, .wgz, .upk, .dba, .sidn, .wp, .x3d, .avi, .fpk, .xmind, .m2, .wsd, .odp, .ppt, .erf, .wpd, .kf, .bsa, .big, .iwi, .forge, .kdc, .wm, .xy3, .zdc, .syncdb, .menu, .asset, .tor, .1, .bay, .mlx, .dxg, .ws, .sb, .rgss3a, .zip, .wbm, .crw, .wri, .litemod, .wb2, .bc6, .xml, .wmv, .cas, .ptx, .wp4, .wpl, .ztmp, .r3d, .wpe, .itdb, .wbc, .rtf, .wpg, .wma, .der, .dmp, .psk, .bik, .hkdb, .z3d, .lvl, .mrwref, .slm, .sum, .t13, .dng, .0, .ibank, .mef, .eps, .1st, .wpd, .rb, .pem, .sr2, .wn, .vtf, .wot, .xxx, .jpeg, .mp4, .xll, .wp5, .arch00, .xlsm, .vdf, .wmf, .vfs0, .sidd, .wps, .pak, .pptx, .3ds, .wire, .ybk, .indd, .dcr, .itl, .xdl, .hvpl, .x, .srf, .ysp
When encrypting a file it will add the .pdff extension to each encrypted file name to identify that the file has been encrypted. For example, a file called
sample.doc would be encrypted and renamed to
sample.doc.pdff. Once the procedure is finished, it will drop a file called ‘_openme.txt’ with ransom instructions. It includes instructions on how to purchase a private key to decrypt all files. An example of the ransomnote is:
ALL YOUR FILES ARE ENCRYPTED Don't worry, you can return all your files! All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees do we give to you? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can download video overview decrypt tool: Don't try to use third-party decrypt tools because it will destroy your files. Discount 50% available if you contact us first 72 hours. To get this software you need write on our e-mail: email@example.com Reserve e-mail address to contact us: firstname.lastname@example.org
If your documents, photos and music have been locked by the .Pdff ransomware virus, We suggests: do not to pay the ransom. The free utilities listed below has the ability to find out and remove this ransomware virus and prevent any further damage. After that you can recover encrypted files from their Shadow Copies or using file recover tool.
Table of contents
- How to decrypt .pdff files
- How to remove .Pdff ransomware virus
- How to restore .Pdff files
- How to protect your computer from .Pdff ransomware
How to decrypt .pdff files
The encryption mode is so strong that it’s practically impossible to decrypt .pdff files without the actual encryption key. The bad news is that the only way to get your files back is to pay ($300-1000 in Bitcoins) developers of the .Pdff ransomware for a copy of the private (encryption) key.
With some variants of this ransomware virus, it is possible to use Windows Shadow Copies or file restore tools to recover files that have been encrypted by .Pdff ransomware virus. You can run the free utilities listed below in the article.
How to remove .Pdff ransomware virus
Before you run the procedure of restoring documents, photos and music which has been encrypted, make sure .Pdff ransomware virus is not running. Firstly, you need to delete this virus permanently. Thankfully, there are several malicious software removal tools which will effectively look for and get rid of .Pdff ransomware virus and other crypto virus malware from your computer.
Remove .Pdff ransomware with Zemana Anti-malware
Zemana Anti-malware highly recommended, because it can scan for security threats such .Pdff ransomware virus, adware and other malicious software which most ‘classic’ antivirus apps fail to pick up on. Moreover, if you have any .Pdff ransomware removal problems which cannot be fixed by this utility automatically, then Zemana Anti-malware provides 24X7 online assistance from the highly experienced support staff.
- Please go to the following link to download Zemana Free. Save it to your Desktop so that you can access the file easily.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- When downloading is finished, close all software and windows on your computer. Open a file location. Double-click on the icon that’s named Zemana.AntiMalware.Setup.
- Further, press Next button and follow the prompts.
- Once installation is finished, press the “Scan” button to find .Pdff ransomware virus and other kinds of potential threats. This procedure can take some time, so please be patient. While the utility is scanning, you can see how many objects and files has already scanned.
- Once Zemana Anti-Malware has completed scanning, you’ll be displayed the list of all detected threats on your PC. Review the results once the tool has done the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply press “Next”. Once disinfection is finished, you can be prompted to restart your system.
How to delete .Pdff ransomware with MalwareBytes
We suggest using the MalwareBytes AntiMalware (MBAM) which are fully clean your machine of the ransomware. This free tool is an advanced malicious software removal program designed by (c) Malwarebytes lab. This application uses the world’s most popular anti-malware technology. It is able to help you remove ransomware virus, PUPs, malicious software, ad-supported software, toolbars, and other security threats from your system for free.
Installing the MalwareBytes Free is simple. First you’ll need to download MalwareBytes Anti Malware on your PC from the link below.
Category: Security tools
Update: April 15, 2020
After downloading is complete, close all applications and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s called mb3-setup like below.
When the installation starts, you will see the “Setup wizard” that will help you install Malwarebytes on your PC.
Once installation is finished, you will see window as displayed in the figure below.
Now click the “Scan Now” button to perform a system scan for the .Pdff ransomware virus, other malware and PUPs. This procedure can take some time, so please be patient. While the utility is scanning, you can see how many objects and files has already scanned.
When finished, MalwareBytes Anti Malware will prepare a list of malicious software. Review the report and then press “Quarantine Selected” button.
The Malwarebytes will now remove .Pdff ransomware virus related files, folders and registry keys and move threats to the program’s quarantine. When the clean up is finished, you may be prompted to reboot your PC.
The following video explains step-by-step tutorial on how to delete browser hijacker infection, adware and other malware with MalwareBytes Free.
Remove Pdff ransomware virus with KVRT
KVRT is a free removal utility that can be downloaded and use to remove ransomware, computer viruses, ad supported software, malware, PUPs, toolbars and other threats from your computer. You can use this tool to find out threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) on your machine by clicking on the link below.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When the downloading process is done, double-click on the Kaspersky virus removal tool icon. Once initialization process is finished, you’ll see the Kaspersky virus removal tool screen as displayed in the figure below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to look for .Pdff ransomware and other known infections. This procedure can take some time, so please be patient. While the Kaspersky virus removal tool application is scanning, you can see how many objects it has identified as threat.
Once KVRT has completed scanning your personal computer, you can check all threats detected on your PC like below.
Next, you need to press on Continue to start a cleaning task.
How to restore .Pdff files
In some cases, you can restore files encrypted by .Pdff ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.
Recover .pdff files with ShadowExplorer
A free utility called ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of Windows 10 (8, 7 , Vista). You can recover .pdff documents, photos and music encrypted by the .Pdff ransomware virus from Shadow Copies for free.
Installing the ShadowExplorer is simple. First you will need to download ShadowExplorer on your Windows Desktop from the following link.
Category: Security tools
Update: September 15, 2019
After the download is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed on the image below.
Double click ShadowExplorerPortable to start it. You will see the a window as shown on the screen below.
In top left corner, select a Drive where encrypted documents, photos and music are stored and a latest restore point as shown on the screen below (1 – drive, 2 – restore point).
On right panel look for a file that you want to restore, right click to it and select Export as displayed in the following example.
Run PhotoRec to restore .pdff files
Before a file is encrypted, the .Pdff ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your files using file restore software such as PhotoRec.
Download PhotoRec from the following link. Save it on your MS Windows desktop.
Category: Security tools
Update: March 1, 2018
Once the download is done, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the figure below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will show a screen as displayed in the figure below.
Select a drive to recover as displayed in the figure below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music as displayed on the image below.
Click File Formats button and specify file types to recover. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.
Next, click Browse button to select where recovered files should be written, then click Search.
Count of recovered files is updated in real time. All recovered files are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is finished, press on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as displayed on the image below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your computer from .Pdff ransomware
Most antivirus applications already have built-in protection system against the ransomware. Therefore, if your PC system does not have an antivirus program, make sure you install it. As an extra protection, use the CryptoPrevent.
Run CryptoPrevent to protect your computer from .Pdff ransomware
Download CryptoPrevent by clicking on the link below. Save it directly to your Windows Desktop.
Run it and follow the setup wizard. Once the installation is finished, you will be shown a window where you can choose a level of protection, as on the image below.
Now press the Apply button to activate the protection.
Now your system should be clean of the .Pdff ransomware. Delete MalwareBytes Anti-Malware and KVRT. We advise that you keep Zemana Anti Malware (ZAM) (to periodically scan your system for new malicious software). Moreover, to prevent ransomware, please stay clear of unknown and third party software, make sure that your antivirus program, turn on the option to stop or detect ransomware.
If you need more help with .Pdff ransomware related issues, go to here.