What is a Pedro file? A file with the .pedro extension is a file that has been locked by Pedro ransomware. This kind of security threat is also known as a ‘file virus’; it uses strong encryption to encrypt users’ files.
Pedro file virus locks up almost all files, including common ones such as:
.itm, .hkx, .dmp, .rw2, .doc, .zdc, .r3d, .w3x, .pfx, .asset, .dng, .rgss3a, .1st, .pptx, .rb, .m2, .hvpl, .apk, .dcr, .wcf, .bar, .docx, .bc6, .vdf, .odt, .xbplate, .fos, .wpa, .mpqge, .ztmp, .p7b, .7z, .gho, .snx, .wav, .webp, .rim, .wp7, .pkpass, .xyw, .hplg, .p12, .das, .sb, .xml, .jpeg, .arw, .raf, .dbf, .accdb, .sr2, .map, .wpl, .png, .iwd, .tor, .ysp, .zw, .sav, .xlsm, .pdf, .srf, .odm, .3ds, .y, .bkf, .wri, .mdbackup, .wpg, .wbm, .odc, .wb2, .layout, .menu, .zdb, .wbz, .wp4, .dwg, .gdb, .vpp_pc, .js, .pak, .flv, .zif, .psk, .wire, .m4a, .wpb, .ntl, .wbmp, .ods, .wsh, .der, .mrwref, .xlsm, .mef, .mddata, .z, .ybk, .odp, .lvl, .wps, .ibank, .yal, .sis, .xxx, .x, .wgz, .icxs, .pdd, .blob, .wsc, .sid, .wps, .mov, .wpe, .wma, .syncdb, .vpk, .wn, .wpt, .rwl, .dxg, .forge, .xmind, .wmf, .yml, .wpw, .cdr, .sidn, .qic, .wm, .xdl, .ppt, .raw, .svg, .py, .xlgc, .3dm, .txt, .odb, .orf, .ltx, .cr2, .wbk, .ptx, .tax, .xls, .wbc, .pst, .x3f, .upk, .xwp, .xlsx, .ncf, .kf, .xll, .epk, .mcmeta, .itl, .bc7, .mp4, .wmo, .xlk, .fsh, .indd, .iwi, .srw, .jpe, .sql, .pptm, .vcf, .css, .pem, .zi, .p7c, .hkdb, .crw, .cer, .z3d, .xy3, .sie, .crt, .re4, .x3f, .xf, .wmv, .xmmap, .rar, .xx, .eps, .lrf, .vtf, .wdb, .litemod, .mdb, .t13, wallet, .ws, .2bp, .xdb, .wot, .wsd, .xlsx, .zip, .esm, .qdf, .bik, .zip, .kdc, .wp6, .3fr, .wmd, .wpd, .lbf, .cfr, .wotreplay, .t12, .1, .jpg, .fpk, .big, .wp5, .xpm, .dazip, .avi, .zabw, .xld
Upon encryption, all affected files are appended with the .pedro extension (e.g., ‘photo.jpg’ is renamed to ‘photo.jpg.pedro’). It’s not possible to open the files by simply changing the file extension. The photos, documents and music will be decrypted only if users pay for the private key that will decrypt these files. Ransomware leaves a ransom note named ‘_readme.txt’ with instructions for extortion and ransom payment.
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-cHB0JgQAXy Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: gorentos@bitmessage.ch Reserve e-mail address to contact us: gorentos2@firemail.cc Your personal ID:
Threat Summary
Name | Pedro |
Type | Crypto virus, File locker, Crypto malware, Ransomware, Filecoder |
Encrypted files extension | .pedro |
Ransom note | _readme.txt |
Contact | gorentos@bitmessage.ch, gorentos2@firemail.cc |
Ransom amount | $980 in Bitcoins |
Symptoms | Encrypted files. Your photos, documents and music have a new extension appended at the end of the file name. Files named ‘_readme.txt’ or ‘_readme’ appear in each folder with at least one encrypted file. |
Distribution methods | Unsolicited emails that are used to deliver malicious software. Malicious downloads that happen without a user’s knowledge when they visit a compromised website. Social media, such as web-based instant messaging programs. USB key and other removable media. |
Removal | To remove Pedro ransomware use the removal guide |
Decryption | To decrypt Pedro ransomware use the steps |
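The indicators in the summary above (the .pedro extension and the ‘_readme.txt’ / ‘_readme’ notes) can be turned into an inventory of affected folders before cleanup or recovery. The following Python script is an added example, not part of the original guide; the function names and the sample tree are constructed for illustration.

```python
import os
import sys
from collections import Counter

ENCRYPTED_EXT = ".pedro"                  # extension appended by this ransomware
NOTE_NAMES = {"_readme.txt", "_readme"}   # ransom note names from the summary table


def scan_tree(root):
    """Return {relative_folder: {"encrypted": [...], "notes": [...]}} for every
    folder under root that holds a .pedro file or a ransom note."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        encrypted = sorted(f for f in files if f.lower().endswith(ENCRYPTED_EXT))
        notes = sorted(f for f in files if f.lower() in NOTE_NAMES)
        if encrypted or notes:
            report[os.path.relpath(folder, root)] = {"encrypted": encrypted, "notes": notes}
    return report


def original_name(encrypted_name):
    """'photo.jpg.pedro' -> 'photo.jpg', the name before the ransomware renamed it."""
    return encrypted_name[: -len(ENCRYPTED_EXT)]


def count_by_type(report):
    """Count encrypted files by their original extension, to size the recovery job."""
    counts = Counter()
    for entry in report.values():
        for name in entry["encrypted"]:
            counts[os.path.splitext(original_name(name))[1].lower() or "(none)"] += 1
    return dict(counts)


def build_sample_tree(root):
    """Constructed sample layout (empty files) matching the symptoms described above."""
    for rel in ("docs/report.docx.pedro", "docs/_readme.txt", "pics/photo.jpg.pedro",
                "pics/IMG_2.JPG.PEDRO", "pics/_readme.txt", "clean/notes.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    # Scan the folder given on the command line, or the current folder.
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    found = scan_tree(target)
    for folder, entry in sorted(found.items()):
        print(f"{folder}: {len(entry['encrypted'])} encrypted, notes={entry['notes']}")
    print(count_by_type(found))
```

The script only reads directory listings; it does not open, rename or delete any file.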
How to remove Pedro file virus
In most cases it is not possible to delete the Pedro ransomware manually. For that reason, our team has put together several removal methods, summarized in the detailed instructions below. If you have the Pedro crypto virus on your computer and are trying to remove it, follow the instructions below to resolve your problem. Read this manual carefully, and bookmark or print it, because you may need to exit your browser or restart your personal computer.
Run Zemana Anti-Malware to remove Pedro
Zemana can find all kinds of malware, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the Pedro crypto malware, you can easily and quickly uninstall it.
Download Zemana from the following link. Save it on your Microsoft Windows desktop or in any other place.
When downloading is complete, run it and follow the prompts. Once installed, Zemana Anti-Malware will try to update itself. When this task is complete, click the “Scan” button to perform a system scan with this utility for the Pedro ransomware virus related folders, files and registry keys.
This task may take quite a while, so please be patient. While the Zemana Anti-Malware program is checking, you can see how many objects it has identified as threats. Review the scan results and then press the “Next” button.
The Zemana Anti-Malware (ZAM) will uninstall Pedro crypto virus, other malware, worms and trojans.
Delete Pedro with MalwareBytes
We suggest using MalwareBytes Anti-Malware (MBAM) to fully clean your computer of the crypto virus. This free tool is an advanced malicious software removal program designed by Malwarebytes lab. This application uses the world’s most popular anti-malware technology. It’s able to help you uninstall crypto viruses, PUPs, malware, adware, toolbars, and other security threats from your machine for free.
- MalwareBytes Free can be downloaded from the following link. Save it directly to your Microsoft Windows Desktop.
- At the download page, click on the Download button. Your browser will show the “Save as” prompt. Please save it onto your Windows desktop.
- When the download is finished, please close all software and open windows on your system. Double-click on the icon that’s called mb3-setup.
- This will start the “Setup wizard” of MalwareBytes onto your PC. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the MalwareBytes Anti-Malware will start and open the main window.
- Next, press the “Scan Now” button. MalwareBytes will scan the whole machine for the Pedro ransomware related folders, files and registry keys. This procedure can take quite a while, so please be patient. During the scan MalwareBytes Anti-Malware will find threats present on your system.
- When MalwareBytes Anti-Malware (MBAM) is finished scanning your system, the results are displayed in the scan report.
- Review the report and then press the “Quarantine Selected” button. When it has finished, you may be prompted to restart the PC system.
- Close the Anti-Malware and continue with the next step.
If the problem with Pedro ransomware virus still remains
The KVRT utility is free and easy to use. It can scan and delete ransomware virus such as Pedro, malicious software, potentially unwanted applications and adware in Google Chrome, Firefox, Internet Explorer and Microsoft Edge web-browsers and thereby return their default settings (start page, newtab and search provider by default). KVRT is powerful enough to find and uninstall malicious registry entries and files that are hidden on the personal computer.
Download Kaspersky virus removal tool (KVRT) by clicking on the link below.
After downloading is finished, double-click on the KVRT icon. Once initialization procedure is finished, you will see the KVRT screen as displayed below.
Click Change Parameters and check the boxes next to all your drives. Press OK to close the Parameters window. Next, click the Start scan button to start scanning your system for the Pedro crypto malware. Depending on your personal computer, the scan can take anywhere from a few minutes to close to an hour. When malware, adware or PUPs are found, the number of security threats will change accordingly. Wait until the checking is finished.
After KVRT completes the scan, KVRT will display a list of all items found by the scan as displayed in the following example.
You may delete threats (move to Quarantine) by simply pressing Continue to start a cleaning task.
How to decrypt .pedro files
With some variants of Pedro file virus, it is possible to decrypt encrypted files using free tools listed below.
Michael Gillespie (@) released the Pedro decryption tool named STOPDecrypter. It can decrypt .Pedro files if they were locked by one of the known OFFLINE KEYs retrieved by Michael Gillespie. Please check the twitter post for more info.
STOPDecrypter is a program that can be used for Pedro files decryption. One of the biggest advantages of using STOPDecrypter is that it is free and easy to use. Also, its ‘OFFLINE KEYs’ DB is constantly updated. Let’s see how to install STOPDecrypter and decrypt .Pedro files using this free tool.
- Installing the STOPDecrypter is simple. First you will need to download STOPDecrypter on your Windows Desktop from the following link.
download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
- After the downloading process is done, close all applications and windows on your machine. Open a file location. Right-click on the icon that’s named STOPDecrypter.zip.
- Further, select ‘Extract all’ and follow the prompts.
- Once the extraction process is finished, right-click on STOPDecrypter and choose ‘Run as Administrator’. Select Directory and press the Decrypt button.
If STOPDecrypter does not help you to decrypt .Pedro files, in some cases, you have a chance to restore your files, which were encrypted by ransomware. This is possible due to the use of the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.
How to restore .pedro files
In some cases, you can restore files encrypted by Pedro crypto virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted files.
Use ShadowExplorer to recover .pedro files
Microsoft Windows has a feature called ‘Shadow Volume Copies’ that can help you to recover .pedro files encrypted by the Pedro ransomware virus. The method described below only restores encrypted documents, photos and music to previous versions from the Shadow Volume Copies, using a free tool named ShadowExplorer.
Download ShadowExplorer by clicking on the following link. Save it to your Desktop.
After the downloading process is finished, extract the downloaded file to a folder on your computer. This will create the necessary files as displayed below.
Start the ShadowExplorerPortable application. Now select the date (2) that you wish to restore from and the drive (1) you wish to recover files (folders) from as displayed in the following example.
In the right panel, navigate to the file (folder) you want to restore. Right-click the file or folder and click the Export button similar to the one below.
Finally, specify a folder (your Desktop) to save the shadow copy of the encrypted file and click the ‘OK’ button.
Run PhotoRec to restore .pedro files
Before a file is encrypted, the Pedro crypto malware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your documents, photos and music using file recover apps like PhotoRec.
Download PhotoRec by clicking on the following link. Save it to your Desktop so that you can access the file easily.
Once downloading is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll open a screen as on the image below.
Select a drive to recover as displayed on the image below.
You will see a list of available partitions. Select a partition that holds encrypted personal files like below.
Click the File Formats button and select the file types to restore. You can enable or disable the recovery of certain file types. When this is done, click the OK button.
Next, click Browse button to select where restored documents, photos and music should be written, then press Search.
The count of recovered files is updated in real time. All recovered personal files are written to the folder that you chose in the previous step. You can access the files even if the restore process is not finished.
When the restore is finished, click the Quit button. Next, open the directory where the restored photos, documents and music are stored. You will see contents like those in the image below.
All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, you can sort your recovered files by extension and/or date/time.
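Deleted originals can sometimes be recovered because their bytes stay on disk until overwritten, and a carving tool locates them by file signature. The following Python code is an added example, not part of the original guide and not PhotoRec's own code; it shows simplified header/footer carving for JPEG and PNG over a constructed byte string standing in for unallocated disk space, and all names in it are illustrative.

```python
import sys

# File signatures: (header, footer). Simplified carving; real tools also parse file structure.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
MAX_SIZE = 20 * 1024 * 1024  # assumed upper bound for one carved file


def carve(image):
    """Return sorted [(offset, kind, data)] for every header with a footer within MAX_SIZE."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + MAX_SIZE)
            if end == -1:
                # Header without footer: the tail was overwritten or the file is fragmented.
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((pos, kind, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found)


def build_sample_image():
    """Constructed stand-in for unallocated space: filler around two deleted files and
    one file whose tail has been overwritten."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 32 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 32 + b"IEND\xae\x42\x60\x82"
    truncated = b"\xff\xd8\xff\xe0" + b"T" * 16
    return b"\x00" * 100 + jpg + b"\x00" * 50 + png + b"\x00" * 20 + truncated


if __name__ == "__main__":
    # With a path argument, carve a raw image file; otherwise use the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_image()
    for offset, kind, blob in carve(data):
        print(f"offset {offset}: {kind}, {len(blob)} bytes")
```

The third file in the sample is not returned because its footer is gone, which is why recovery results get worse the longer the affected disk stays in use.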
How to protect your PC from Pedro ransomware virus?
Most antivirus apps already have built-in protection system against the crypto virus. Therefore, if your machine does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Use HitmanPro.Alert to protect your computer from Pedro crypto virus
All-in-all, HitmanPro.Alert is a fantastic utility to protect your system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of MS Windows OS from Microsoft Windows XP to Windows 10.
Click the link below to download HitmanPro.Alert. Save it to your Desktop.
When the download is done, open the file location. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. When the utility is launched, you’ll be shown a window where you can choose a level of protection, as shown in the figure below.
Now click the Install button to activate the protection.
Final words
Now your personal computer should be clean of the Pedro crypto malware. Delete Kaspersky virus removal tool and MalwareBytes AntiMalware. We suggest that you keep Zemana Free (to periodically scan your computer for new malicious software). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to remove Pedro crypto virus from your PC system, then ask for help here.