MyAntiSpyware

.Refols file extension ransomware virus (Restore, Decrypt .refols files)

Myantispyware team April 4, 2019    

Cyber threat analysts discovered a new ransomware variant called ‘Refols ransomware’. It appends the .refols file extension to the names of encrypted files. This post gives a brief summary of this ransomware and explains how to restore (decrypt) encrypted personal files for free.

Files encrypted by Refols ransomware


Refols ransomware is malicious software created to encrypt documents, photos and music. It hijacks a whole PC system or its data and demands a ransom to unlock (decrypt) them. The developers of the .Refols ransomware have a strong financial motive to infect as many personal computers as possible. Files with the following extensions will be encrypted:

.das, .wp7, .wmo, .vdf, .pptm, .wbm, .wma, .flv, .vpp_pc, .desc, .png, .pem, .wpt, .wpe, .xyp, .wbc, .xy3, .sidd, .hkdb, .odp, .wma, .mcmeta, .bc6, .iwi, .xmmap, .xyw, .bik, .wpl, .fsh, .wbd, .sb, .x, .asset, .wpd, .bkf, .esm, .xls, .mdbackup, .rb, wallet, .p7b, .m4a, .js, .crt, .wsd, .avi, .t12, .xlsb, .ws, .arw, .vfs0, .sum, .wn, .ptx, .wps, .xlsx, .wbmp, .xx, .ltx, .wmf, .vtf, .xlsm, .hkx, .big, .dmp, .xwp, .dxg, .z, .xbdoc, .zdb, .css, .wbz, .cas, .xml, .cdr, .wp, .rim, .zi, .wire, .3fr, .menu, .vpk, .odm, .zif, .pdf, .yal, .r3d, .svg, .mp4, .webdoc, .itdb, .mpqge, .wpa, .cr2, .crw, .re4, .wp5, .rgss3a, .lvl, .xll, .ztmp, .zip, .mddata, .litemod, .x3f, .pkpass, .wotreplay, .zdc, .1st, .zabw, .wgz, .kdc, .xls, .mlx, .doc, .itl, .bsa, .m3u, .sr2, .mov, .py, .ff, .accdb, .sav, .raw, .layout, .dbf, .icxs, .odc, .bar, .csv, .cfr, .xmind, .tor, .odb, .wot, .ncf, .1, .wmv, .wav, .docx, .sie, .txt, .xdl, .wpg, .wmd, .rwl, .wdp, .rofl, .odt, .pef, .z3d, .eps, .bay, .dng, .t13, .lbf, .erf, .apk, .fos, .hplg, .x3f, .xxx, .3ds, .ibank, .jpg, .map, .xf, .wm, .kdb, .xld, .wbk, .sql, .pdd, .slm, .3dm, .orf, .xpm, .wp6, .db0, .arch00, .dba, .upk, .webp, .y, .iwd, .w3x, .wpb, .2bp, .sid, .0, .dazip, .psd, .bc7, .dcr, .docm, .fpk, .tax, .mef, .jpe, .srf, .nrw, .wpw, .d3dbsp, .p12, .wri, .m2, .blob, .wps, .xlsx, .bkp, .psk, .wmv, .x3d, .kf, .wp4, .zw, .p7c, .gho, .wsh, .pfx

When encrypting a file it will append the .refols extension to every encrypted file name to identify that the file has been encrypted. For example, a file named sample.doc would be encrypted and renamed to sample.doc.refols.

When the encryption process is done, the malware leaves a ransom note called ‘_readme.txt’ with instructions on how to purchase a private key to decrypt all personal files. One variant of the ransom message is shown below:

ATTENTION!

Don't worry my friend, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-1LFQOfI0Se
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" folder if you don't get answer more than 6 hours.
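
Before cleaning up, it helps to know how many files were affected and which folders received a ransom note. The following Python script is an added example, not part of the original guide: it walks a folder, lists files carrying the .refols extension together with their original names, and records the folders that contain _readme.txt. The function names and the demo directory tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".refols"   # extension described in this guide
RANSOM_NOTE = "_readme.txt"    # ransom note name described in this guide


def inventory(root):
    """Walk `root` and summarise what the ransomware touched.

    Returns a dict: 'encrypted' is a list of (path, original_name),
    'by_type' counts original extensions, 'note_dirs' lists folders
    holding a ransom note, 'total_bytes' is the size of encrypted files.
    """
    encrypted, by_type, note_dirs, total = [], Counter(), [], 0
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                note_dirs.append(dirpath)
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                original = name[: -len(ENCRYPTED_SUFFIX)]  # sample.doc.refols -> sample.doc
                path = os.path.join(dirpath, name)
                encrypted.append((path, original))
                by_type[Path(original).suffix.lower() or "(none)"] += 1
                try:
                    total += os.path.getsize(path)
                except OSError:
                    pass  # unreadable file: listed, but size not counted
    return {"encrypted": encrypted, "by_type": by_type,
            "note_dirs": sorted(note_dirs), "total_bytes": total}


def demo():
    """Run the inventory over a small constructed directory tree."""
    layout = {  # constructed sample files, not real victim data
        "Documents/sample.doc.refols": b"x" * 10,
        "Documents/report.xlsx.refols": b"x" * 20,
        "Documents/_readme.txt": b"constructed note",
        "Pictures/holiday.JPG.refols": b"x" * 30,
        "Pictures/untouched.png": b"ok",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in layout.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return inventory(tmp)


if __name__ == "__main__":
    result = demo()
    print(len(result["encrypted"]), "encrypted files,", result["total_bytes"], "bytes")
    for ext, count in result["by_type"].most_common():
        print(f"  {ext}: {count}")
    print("ransom notes in:", result["note_dirs"])
```

To scan a real profile, call `inventory()` on the folder in question; the script only reads file names and sizes and changes nothing on disk.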

Follow our guidance below to locate and remove .Refols ransomware virus from your computer as well as restore (decrypt) encrypted files for free.

Quick links:

  1. How to remove .Refols ransomware virus
  2. How to decrypt .refols files
  3. Use STOPDecrypter to decrypt .refols files
  4. How to restore .refols files
  5. How to protect your PC system from .Refols ransomware?
  6. Finish words

How to remove .Refols ransomware virus

The .Refols ransomware may hide its components, which makes them difficult to detect and remove completely. As a result, after some time the ransomware may infect your personal computer again and encrypt your photos, documents and music. Moreover, it is not always safe to remove a ransomware virus manually if you don’t have much experience in setting up and configuring the MS Windows operating system. The best method to search for and remove the .Refols ransomware virus is to run the malware removal applications listed below.




Remove .Refols ransomware virus with Zemana Anti-malware

Zemana Anti-malware is a tool which can remove ransomware viruses, adware software, potentially unwanted apps, trojans and other malicious software from your machine easily and for free. Zemana Anti-malware is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses a minimum of machine resources.

Visit the following page to download Zemana Anti-Malware (ZAM). Save it directly to your MS Windows Desktop.

Zemana AntiMalware

When the download is complete, close all programs and windows on your machine. Open the directory in which you saved the file. Double-click the icon named Zemana.AntiMalware.Setup, as in the image below.

Zemana AntiMalware (ZAM) icon

When the installation starts, you will see the “Setup wizard” which will help you set up Zemana Free on your personal computer.

Zemana Free SetupWizard

Once the installation is finished, you will see a window as shown in the image below.

Now press the “Scan” button to start scanning your system for files, folders and registry keys related to the .Refols ransomware virus. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your system and the speed of your system. While the utility is checking, you can see the number of objects and files that have already been scanned.

Zemana Free detect .Refols ransomware and other security threats

Once the scan is finished, the results are displayed in the scan report. Make sure all items are checked and click the “Next” button.

Zemana Free scan is finished

Zemana Free will remove the .Refols ransomware virus and other kinds of potential threats such as malicious software and trojans.

Run MalwareBytes Free to remove Refols ransomware

If you’re having problems with the Refols ransomware removal, then download MalwareBytes Free. It is free for home use, and finds and deletes various undesired applications that attack your system or degrade PC system performance. MalwareBytes Free can remove trojans, worms, ransomware, adware and other malware.

MalwareBytes for Windows, scan for ransomware is finished

  1. Visit the following page to download MalwareBytes Anti Malware (MBAM). Save it on your Microsoft Windows desktop.
    Malwarebytes Anti-malware
  2. At the download page, click on the Download button. Your internet browser will open the “Save as” dialog box. Please save it onto your Windows desktop.
  3. After downloading is finished, please close all apps and open windows on your system. Double-click on the icon that’s called mb3-setup.
  4. This will launch the “Setup wizard” of MalwareBytes Free onto your personal computer. Follow the prompts and do not make any changes to default settings.
  5. When the Setup wizard has finished installing, the MalwareBytes will run and display the main window.
  6. Further, press the “Scan Now” button to perform a system scan with this utility for the Refols ransomware and other malware. Depending on your personal computer, the scan can take anywhere from a few minutes to close to an hour.
  7. After the scan is finished, MalwareBytes Free will show a list of all threats found by the scan.
  8. In order to get rid of all threats, simply click the “Quarantine Selected” button. After disinfection is finished, you may be prompted to reboot the computer.
  9. Close the AntiMalware and continue with the next step.


Remove .Refols ransomware with KVRT

KVRT is a free removal utility that can be downloaded and used to remove ransomware, adware, malware, potentially unwanted programs, trojans and other threats from your PC. You can use this utility to search for threats even if you have an antivirus or any other security program.

Download Kaspersky virus removal tool (KVRT) on your PC system by clicking on the following link.

Kaspersky virus removal tool

When the download is finished, double-click the Kaspersky virus removal tool icon. Once the initialization process is complete, you’ll see the Kaspersky virus removal tool screen as shown below.

Kaspersky virus removal tool main window

Click Change Parameters and check all your drives. Click OK to close the Parameters window. Next, press the Start scan button to detect .Refols ransomware and other malicious software. Depending on your PC system, the scan can take anywhere from a few minutes to close to an hour. While the tool is scanning, you can see the number of objects and files that have already been scanned.

KVRT scanning

When Kaspersky virus removal tool completes the scan, a list of all threats found is prepared as shown below.

KVRT scan report

Review the scan results and then click on Continue to start a cleaning procedure.

How to decrypt .refols files

The .Refols ransomware virus uses a hybrid encryption mode. This means that decrypting the files is impossible without the private key. Brute forcing is also not an option because of the length of the key. Therefore, unfortunately, paying the makers of the .Refols ransomware virus the entire amount requested is the only method to try to get the decryption key and decrypt all your files.

Should you pay the ransom

Never pay the ransom! You might feel that you have no other choice but to pay up and decrypt .refols files quickly. There is no guarantee that the creators of the .Refols ransomware virus will keep their word and give back your files.


With some variants of Refols ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.




Use STOPDecrypter to decrypt .refols files

Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).

STOPDecrypter

STOPDecrypter by Demonslay335

STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos). STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.refols).

Please check the twitter post for more info.

How to restore .refols files

In some cases, you can recover files encrypted by .Refols ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.




Restore .refols files with ShadowExplorer

An alternative is to restore .refols files from their Shadow Copies. Shadow Volume Copies are copies of files and folders that MS Windows 10 (8, 7 and Vista) automatically saves as part of system protection. This feature is fantastic at rescuing photos, documents and music that were damaged by .Refols ransomware. The steps below will give you all the details.

Download ShadowExplorer on your machine by clicking on the link below.

ShadowExplorer

Once the download is complete, extract the downloaded file to a directory on your machine. This will create the necessary files as displayed on the screen below.

ShadowExplorer folder

Start the ShadowExplorerPortable program. Now choose the date (2) that you wish to recover from and the drive (1) you wish to recover files (folders) from as displayed below.

recover encrypted files with ShadowExplorer tool

In the right panel, navigate to the file (folder) you wish to recover. Right-click the file or folder and click the Export button as displayed on the screen below.

ShadowExplorer recover .refols files

Finally, specify a directory (your Desktop) to save the shadow copy of the encrypted file and press the ‘OK’ button.

Run PhotoRec to recover .refols files

Before a file is encrypted, the .Refols ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your files using file restore programs like PhotoRec.

Download PhotoRec from the link below. Save it on your Windows desktop or in any other place.

PhotoRec

Once the download is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Windows. It’ll show a screen as displayed in the following example.

PhotoRec for windows

Select a drive to recover as shown on the screen below.

photorec choose drive

You will see a list of available partitions. Select a partition that holds encrypted files as shown below.

photorec select partition

Click the File Formats button and select the file types to recover. You can enable or disable the recovery of certain file types. When this is finished, click the OK button.

PhotoRec file formats

Next, click Browse button to select where restored files should be written, then click Search.

photorec

The count of recovered files is updated in real time. All recovered documents, photos and music are written to the folder that you chose in the previous step. You can access the files even if the restore process is not finished.

When the recovery is complete, press the Quit button. Next, open the directory where the recovered personal files are stored. You will see contents like those in the image below.

PhotoRec - result of restore

All recovered documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, you can sort your restored files by extension and/or date/time.
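
PhotoRec output can run to thousands of files spread over many recup_dir.N folders, so sorting by hand is slow. The following Python script is an added example, not part of the original guide or of PhotoRec: it copies every recovered file into folders named by extension and by the month of its modification time, leaving the originals untouched. The function names, the destination layout and the demo files are constructed for illustration.

```python
import os
import re
import shutil
import tempfile
import time
from collections import defaultdict
from pathlib import Path

RECUP_DIR = re.compile(r"^recup_dir\.(\d+)$")  # PhotoRec output folder naming


def sort_recovered(output_dir, dest_dir):
    """Copy files from output_dir/recup_dir.N into dest_dir/<ext>/<YYYY-MM>/.

    Returns {extension: [paths relative to dest_dir]}. Originals stay in
    place and folders not named recup_dir.N are ignored.
    """
    out, dest = Path(output_dir), Path(dest_dir)
    recup = [(int(m.group(1)), d) for d in out.iterdir()
             if d.is_dir() and (m := RECUP_DIR.match(d.name))]
    index = defaultdict(list)
    for _n, folder in sorted(recup):              # numeric order: 1, 2, 10
        for src in sorted(p for p in folder.iterdir() if p.is_file()):
            ext = src.suffix.lower().lstrip(".") or "no_extension"
            month = time.strftime("%Y-%m", time.localtime(src.stat().st_mtime))
            target_dir = dest / ext / month
            target_dir.mkdir(parents=True, exist_ok=True)
            target = target_dir / src.name
            counter = 1
            while target.exists():                # never overwrite a recovered file
                target = target_dir / f"{src.stem}_{counter}{src.suffix}"
                counter += 1
            shutil.copy2(src, target)             # copy2 keeps the timestamp
            index[ext].append(target.relative_to(dest).as_posix())
    return dict(index)


def demo():
    """Build a constructed PhotoRec-style output tree and sort it."""
    samples = {  # constructed file names and dates
        "recup_dir.1/f0000001.jpg": (2019, 3, 15),
        "recup_dir.2/f0000002.doc": (2018, 11, 2),
        "recup_dir.10/f0000003.JPG": (2019, 3, 20),
        "not_photorec/ignored.jpg": (2019, 1, 1),
    }
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "recovered"
        for rel, (year, month, day) in samples.items():
            p = out / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"constructed sample")
            stamp = time.mktime((year, month, day, 12, 0, 0, 0, 0, -1))
            os.utime(p, (stamp, stamp))
        return sort_recovered(out, Path(tmp) / "sorted")


if __name__ == "__main__":
    for ext, paths in demo().items():
        print(ext, paths)
```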

How to protect your PC system from .Refols ransomware?

Most antivirus apps already have built-in protection against ransomware. Therefore, if your system does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert.

Use HitmanPro.Alert to protect your computer from .Refols ransomware

All-in-all, HitmanPro.Alert is a fantastic tool to protect your system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows OS from Microsoft Windows XP to Windows 10.

Please go to the link below to download HitmanPro.Alert. Save it on your Desktop.

HitmanPro.Alert

When downloading is done, open the folder in which you saved it. You will see an icon like below.

HitmanPro.Alert file icon

Double click the HitmanPro Alert desktop icon. When the utility is launched, you’ll be shown a window where you can select a level of protection, like below.

HitmanPro.Alert install

Now click the Install button to activate the protection.

Finish words

Now your computer should be free of the .Refols ransomware. Uninstall MalwareBytes and Kaspersky virus removal tool. We suggest that you keep Zemana Free (to periodically scan your system for new malware). Moreover, to prevent a ransomware infection, please stay clear of unknown and third-party apps, and make sure that the option to block or locate ransomware is turned on in your antivirus program.

If you need more help with .Refols ransomware virus related issues, go here.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

1 Comment

  1. yeusuf
    ― April 7, 2019 - 2:09 pm  Reply

    I can't decrypt my file. Is there any way?


Copyright © 2004 - 2024 MASW - Myantispyware.com.