Cyber threat analysts have discovered a new ransomware variant called ‘Refols ransomware’. It appends the .refols extension to the names of the files it encrypts. This post gives a brief summary of what is known about this ransomware and explains how to restore (decrypt) encrypted personal files for free.
Refols ransomware is malicious software created to encrypt documents, photos and music. It hijacks a whole PC system or its data and demands a ransom to unlock (decrypt) them. The developers of the .Refols ransomware have a strong financial motive to infect as many personal computers as possible. The files it encrypts include the following file extensions:
.das, .wp7, .wmo, .vdf, .pptm, .wbm, .wma, .flv, .vpp_pc, .desc, .png, .pem, .wpt, .wpe, .xyp, .wbc, .xy3, .sidd, .hkdb, .odp, .wma, .mcmeta, .bc6, .iwi, .xmmap, .xyw, .bik, .wpl, .fsh, .wbd, .sb, .x, .asset, .wpd, .bkf, .esm, .xls, .mdbackup, .rb, wallet, .p7b, .m4a, .js, .crt, .wsd, .avi, .t12, .xlsb, .ws, .arw, .vfs0, .sum, .wn, .ptx, .wps, .xlsx, .wbmp, .xx, .ltx, .wmf, .vtf, .xlsm, .hkx, .big, .dmp, .xwp, .dxg, .z, .xbdoc, .zdb, .css, .wbz, .cas, .xml, .cdr, .wp, .rim, .zi, .wire, .3fr, .menu, .vpk, .odm, .zif, .pdf, .yal, .r3d, .svg, .mp4, .webdoc, .itdb, .mpqge, .wpa, .cr2, .crw, .re4, .wp5, .rgss3a, .lvl, .xll, .ztmp, .zip, .mddata, .litemod, .x3f, .pkpass, .wotreplay, .zdc, .1st, .zabw, .wgz, .kdc, .xls, .mlx, .doc, .itl, .bsa, .m3u, .sr2, .mov, .py, .ff, .accdb, .sav, .raw, .layout, .dbf, .icxs, .odc, .bar, .csv, .cfr, .xmind, .tor, .odb, .wot, .ncf, .1, .wmv, .wav, .docx, .sie, .txt, .xdl, .wpg, .wmd, .rwl, .wdp, .rofl, .odt, .pef, .z3d, .eps, .bay, .dng, .t13, .lbf, .erf, .apk, .fos, .hplg, .x3f, .xxx, .3ds, .ibank, .jpg, .map, .xf, .wm, .kdb, .xld, .wbk, .sql, .pdd, .slm, .3dm, .orf, .xpm, .wp6, .db0, .arch00, .dba, .upk, .webp, .y, .iwd, .w3x, .wpb, .2bp, .sid, .0, .dazip, .psd, .bc7, .dcr, .docm, .fpk, .tax, .mef, .jpe, .srf, .nrw, .wpw, .d3dbsp, .p12, .wri, .m2, .blob, .wps, .xlsx, .bkp, .psk, .wmv, .x3d, .kf, .wp4, .zw, .p7c, .gho, .wsh, .pfx
When encrypting a file, it appends the .refols extension to the encrypted file's name to mark the file as encrypted. For example, a file named sample.doc would be encrypted and renamed to
When the encryption process is done, the malware leaves a ransom note called ‘_readme.txt’ with instructions on how to purchase a private key to decrypt all personal files. One of the variants of the ransom-demanding message is shown below:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-1LFQOfI0Se Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours.
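As an added example (written for this post, not code from the original guide or from any of the tools named in it), the following Python script inventories a suspected drive for the two artefacts described above: file names ending in the appended .refols extension and dropped _readme.txt notes. The sample directory tree it builds is constructed for the demo; the grouping by original extension tells you which file types to ask a recovery tool for, and nothing on disk is modified.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Values taken from the post: the extension Refols appends and the note it drops.
ENCRYPTED_EXT = ".refols"
RANSOM_NOTE = "_readme.txt"


def triage(root):
    """Walk `root` and inventory Refols artefacts without touching any file.

    Returns a dict with:
      encrypted:       list of (encrypted_path, original_file_name) pairs
      notes:           list of paths to dropped ransom notes
      by_original_ext: Counter of original extensions (what to ask PhotoRec for)
    """
    encrypted, notes, by_original_ext = [], [], Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                notes.append(full)
            elif name.lower().endswith(ENCRYPTED_EXT):
                original = name[: -len(ENCRYPTED_EXT)]  # strip only the appended suffix
                encrypted.append((full, original))
                by_original_ext[Path(original).suffix.lower() or "(none)"] += 1
    return {"encrypted": encrypted, "notes": notes, "by_original_ext": by_original_ext}


def build_sample_tree():
    """Create a constructed (fake) user profile with a mix of hit and untouched files."""
    root = tempfile.mkdtemp(prefix="refols_demo_")
    layout = {
        "Documents/sample.doc.refols": b"<ciphertext>",
        "Documents/_readme.txt": b"ATTENTION! ...",
        "Pictures/holiday.jpg.refols": b"<ciphertext>",
        "Pictures/_readme.txt": b"ATTENTION! ...",
        "Pictures/untouched.png": b"\x89PNG",
        "Music/song.mp3.refols": b"<ciphertext>",
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    inv = triage(build_sample_tree())
    print(f"{len(inv['encrypted'])} encrypted files, {len(inv['notes'])} ransom notes")
    for ext, n in sorted(inv["by_original_ext"].items()):
        print(f"  {ext}: {n}")
```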
Follow the guidance below to locate and remove the .Refols ransomware virus from your computer and to restore (decrypt) encrypted files for free.
- How to remove .Refols ransomware virus
- How to decrypt .refols files
- Use STOPDecrypter to decrypt .refols files
- How to restore .refols files
- How to protect your PC system from .Refols ransomware?
- Finish words
How to remove .Refols ransomware virus
The .Refols ransomware may hide its components, which makes them difficult to detect and remove completely. As a result, after some time the ransomware can infect your personal computer again and encrypt your photos, documents and music. Moreover, I want to note that removing a ransomware virus manually is not always safe if you do not have much experience setting up and configuring the MS Windows operating system. The best method to search for and remove the .Refols ransomware virus is to run the malicious software removal applications listed below.
Remove .Refols ransomware virus with Zemana Anti-malware
Zemana Anti-malware is a tool that can remove ransomware viruses, adware, potentially unwanted apps, trojans and other malicious software from your machine easily and for free. It is compatible with most antivirus software, works under Windows (XP through 10, 32 and 64 bit) and uses a minimum of machine resources.
Visit the following page to download Zemana Anti-Malware (ZAM). Save it directly to your MS Windows Desktop.
When the download is complete, close all programs and windows on your machine. Open the directory in which you saved it and double-click the icon named Zemana.AntiMalware.Setup, as in the image below.
When the installation starts, you will see the “Setup wizard”, which will help you set up Zemana Free on your personal computer.
Once the install is finished, you will see the window shown in the image below.
Now press the “Scan” button to start scanning your system for files, folders and registry keys related to the .Refols ransomware virus. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your system and the speed of your system. While the utility is checking, you can see the number of objects and files already scanned.
Once the scan is finished, the results are displayed in the scan report. Make sure all items are checked and click the “Next” button.
Zemana Free will remove the .Refols ransomware virus and other kinds of potential threats such as malicious software and trojans.
Run MalwareBytes Free to remove Refols ransomware
If you are having problems removing the Refols ransomware, download MalwareBytes Free. It is free for home use, and finds and deletes various undesired applications that attack your system or degrade PC performance. MalwareBytes Free can remove trojans, worms, ransomware and other malware, including adware.
- Visit the following page to download MalwareBytes Anti Malware (MBAM). Save it on your Microsoft Windows desktop.
- At the download page, click on the Download button. Your internet browser will open the “Save as” dialog box. Please save it onto your Windows desktop.
- After the download is finished, please close all apps and open windows on your system. Double-click the icon called mb3-setup.
- This will launch the “Setup wizard” of MalwareBytes Free on your personal computer. Follow the prompts and do not change the default settings.
- When the Setup wizard has finished installing, MalwareBytes will run and display the main window.
- Next, press the “Scan Now” button to scan your system with this utility for the Refols ransomware and other malware. Depending on your personal computer, the scan can take anywhere from a few minutes to close to an hour.
- After the scan is finished, MalwareBytes Free will show a list of all threats found by the scan.
- In order to get rid of all threats, simply click the “Quarantine Selected” button. After disinfection is finished, you may be prompted to reboot the computer.
- Close MalwareBytes and continue with the next step.
Remove .Refols ransomware with KVRT
KVRT is a free removal utility that can be downloaded and used to remove ransomware, adware, malware, potentially unwanted programs, trojans and other threats from your PC. You can use this utility to search for threats even if you already have an antivirus or another security program.
Download Kaspersky virus removal tool (KVRT) on your PC system by clicking on the following link.
When the download is finished, double-click the Kaspersky virus removal tool icon. Once initialization is complete, you will see the Kaspersky virus removal tool screen as shown below.
Click Change Parameters and tick all your drives. Click OK to close the Parameters window. Next, press the Start scan button to detect the .Refols ransomware and other malicious software. Depending on your PC system, the scan can take anywhere from a few minutes to close to an hour. While the tool is scanning, you can see the number of objects and files already scanned.
When Kaspersky virus removal tool completes the scan, it prepares a list of all threats found, as shown below.
Review the scan results and then click Continue to start the cleaning procedure.
How to decrypt .refols files
The .Refols ransomware virus uses a hybrid encryption scheme, which means that the files cannot be decrypted without the private key. “Brute forcing” the key is not a method either, because of the key's length. Therefore, unfortunately, paying the makers of the .Refols ransomware virus the entire amount requested is the only way to try to obtain the decryption key and decrypt all your files.
Never pay the ransom! You might feel that you have no other choice but to pay up to decrypt your .refols files quickly, but there is no guarantee that the creators of the .Refols ransomware virus will keep their word and give back your files.
Use STOPDecrypter to decrypt .refols files
Michael Gillespie (@) has released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following Djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos). STOPDecrypter will work for any extension of the Djvu* variants, including new extensions such as .refols.
Please check the Twitter post for more information.
How to restore .refols files
In some cases, you can recover files encrypted by the .Refols ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.
Restore .refols files with ShadowExplorer
An alternative is to restore .refols files from their Shadow Copies. Shadow Volume Copies are copies of files and folders that MS Windows 10 (8, 7 and Vista) automatically saves as part of System Protection. This feature is fantastic at rescuing photos, documents and music damaged by the .Refols ransomware. The steps below give all the details.
Download ShadowExplorer on your machine by clicking on the link below.
Once the download is complete, extract the downloaded file to a directory on your machine. This will create the necessary files, as shown on the screen below.
Start the ShadowExplorerPortable program. Now choose the drive (1) you wish to recover files (folders) from and the date (2) you wish to recover from, as shown below.
In the right panel, navigate to the file (folder) you wish to recover. Right-click the file or folder and click the Export button, as shown on the screen below.
Finally, specify a directory (for example, your Desktop) to save the shadow copy of the encrypted file to and press the ‘OK’ button.
Run PhotoRec to recover .refols files
Before a file is encrypted, the .Refols ransomware virus makes a copy of the file, encrypts the copy, and then deletes the original file. This can allow you to recover your files using file recovery programs like PhotoRec.
Download PhotoRec from the link below. Save it on your Windows desktop or in any other place.
Once the download is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown below.
Double-click qphotorec_win to run PhotoRec for Windows. It will show a screen as in the following example.
Select a drive to recover as shown on the screen below.
You will see a list of available partitions. Select a partition that holds encrypted files as shown below.
Click the File Formats button and select the file types to recover. You can enable or disable the recovery of certain file types. When this is finished, click the OK button.
Next, click the Browse button to select where recovered files should be written, then click Search.
The count of recovered files is updated in real time. All recovered documents, photos and music are written to the folder you chose in the previous step. You can access the files even before the recovery process is finished.
When the recovery is complete, press the Quit button. Next, open the directory where the recovered personal files are stored. You will see contents as in the image below.
All recovered documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort the recovered files by extension and/or date/time.
How to protect your PC system from .Refols ransomware?
Most antivirus apps already have built-in protection against ransomware. Therefore, if your system does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert.
Use HitmanPro.Alert to protect your computer from .Refols ransomware
All in all, HitmanPro.Alert is a fantastic tool to protect your system from any ransomware. If ransomware is detected, HitmanPro.Alert automatically neutralizes the malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows from Windows XP to Windows 10.
Please go to the link below to download HitmanPro.Alert. Save it on your Desktop.
When the download is done, open the folder in which you saved it. You will see an icon like the one below.
Double-click the HitmanPro Alert desktop icon. When the utility launches, you will be shown a window where you can select a level of protection, like the one below.
Now click the Install button to activate the protection.
Now your computer should be free of the .Refols ransomware. Uninstall MalwareBytes and Kaspersky virus removal tool. We suggest that you keep Zemana Free to periodically scan your system for new malware. Moreover, to prevent ransomware infections, stay clear of unknown and third-party apps and make sure that your antivirus program has its option to block or detect ransomware turned on.
If you need more help with .Refols ransomware virus related issues, go here.