The .[embulance@cock.li].pdf file extension is associated with a new malware variant from the Dharma ransomware family. The ‘embulance@cock.li’ variant shares the characteristics of previous versions of this ransomware: it encrypts files and then renames them. Each encrypted file gets a new filename consisting of its old filename with the .[embulance@cock.li].pdf extension appended. The authors of the virus demand a ransom in exchange for a pair, a key and a decryptor, which are necessary for decrypting the files.
The [embulance@cock.li].pdf virus is a malware program created by criminals to encrypt files on a victim’s computer. A strong cryptographic algorithm and a long key are used to encrypt files. This eliminates the possibility of decrypting files without a key and decryptor, which are in the hands of attackers. Encrypted files are useless: their contents cannot be read or used in any way.
The [embulance@cock.li].pdf virus was created to infect computers running Windows OS. Most often, victims infect their computer by downloading and installing the virus disguised as free software, cracks, key generators, torrent files and so on. Upon execution, the downloaded file installs a ransomware instance on the victim’s computer.
All files on the victim’s computer are the target of [embulance@cock.li].pdf virus. Even data that is on USB drive or cloud storage can be encrypted. The virus skips and does not encrypt important system files. All other files can be encrypted, regardless of what is in the files. For example, files of the following types can be encrypted:
.bkf, .sav, .pef, .blob, .zip, .cer, .sidn, .rb, .webdoc, .nrw, .dwg, .cfr, .mdb, .wsc, .jpeg, .hkdb, .rim, .zi, .wotreplay, .pst, .bsa, .mdbackup, .t13, .wp, .xlsm, .zip, .upk, .wpg, .3ds, .svg, .x3f, .xls, .wot, .wp7, .db0, .dxg, .lvl, .lbf, .wdb, .xbplate, .icxs, .bar, .xdl, .ws, .hplg, .wpt, .ybk, .sidd, .xyp, .m2, .p7c, .flv, .iwi, .x3f, .wmv, .z3d, .docx, .qic, .dng, .cdr, .esm, .kdb, .w3x, .odp, .das, .slm, .pptm, .ods, .wb2, .xlk, .lrf, .m4a, .mcmeta, .mp4, .xlgc, .wp4, .wav, .cas, .itl, .dazip, .pptx, .wma, .epk, .mlx, .ff, .csv, .wpd, .wm, .pdf, .snx, .y, .xml, .sql, .tax, .fsh, .jpe, .ltx, .ptx, .zw, .zif, .cr2, .wp6, .xf, .dbf, .xlsx, .raf, .kdc, .litemod, .wire, .0, .sid, .rtf, .wpd, .odc, .wpw, .xmind, .srw, .xy3, .desc, .xpm, .ncf, .wdp, .m3u, .png, .vtf, .2bp, .bc7, .qdf, .pak, .txt, .eps, .wpa, .orf, .mddata, .layout, .wbm, .zabw, .arw, .vcf, .rgss3a, .odm, .wmf, .xlsm, .mdf, .asset, .tor, .3dm, .odb, .xar, .pkpass, .p12, .x, .raw, .srf, .xwp, .r3d, .7z, .vfs0, .big, .fpk, .wps, .wsh, .yml, .itm, .py, .pdd, .mov, .xld, .bkp, .webp, .wbk, .wpe, .jpg, .xls, .erf, .wps, .arch00, .xyw, .itdb, .zdc, .xxx, .wgz, .wmo, .css, .ztmp, .crt, .fos, .wri, .1, .xx, .avi, .pfx, .vpk, .dba, .bay, .sis, .js, wallet, .wpl, .kf, .gho, .mrwref, .sb, .zdb, .ai, .menu, .wmv, .docm, .doc, .wpb, .wbd, .vpp_pc, .map, .ppt, .xmmap, .accdb, .t12, .wcf, .iwd, .sum, .wbz, .wn, .wmd, .hvpl, .der, .psd, .indd, .psk, .x3d, .forge, .rofl, .wp5, .mef, .xdb, .gdb, .odt, .bc6, .d3dbsp, .xll, .xbdoc, .yal, .vdf, .sie, .xlsx, .pem, .wma, .mpqge, .xlsb, .dcr, .bik, .sr2, .dmp, .rw2, .ysp, .rar, .1st, .syncdb, .crw, .rwl, .p7b, .wbc, .z, .apk, .hkx, .wsd, .ntl, .wbmp, .3fr, .ibank
The [embulance@cock.li].pdf virus quickly encrypts files on the infected computer, working file by file through each directory that it finds on the drives connected to the computer. Encrypted files are easy to spot: they have a new .[embulance@cock.li].pdf extension and a blank icon. If the user tries to open such a file, Windows will report that it does not know how to do this and cannot find a program that can read files of this type. In addition to encrypted files, the victim will find another file in each directory. This file is named ‘RETURN FILES.txt’ and it contains a message from the authors of the [embulance@cock.li].pdf virus.
All your data is encrypted! for return write to mail: embulance@cock.li or embulance@mail.fr
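The naming pattern described above (the appended extension and a ‘RETURN FILES.txt’ note in each directory) is enough to scope the damage before any recovery attempt. The following is an added example, not code from this guide or from any tool it mentions; the function names and the sample directory tree are constructed for illustration, and the scan only reads directory listings.

```python
import os
import tempfile
from collections import Counter

SUFFIX = ".[embulance@cock.li].pdf"  # appended extension, as named on this page
NOTE_NAME = "RETURN FILES.txt"       # ransom note file name, as named on this page


def original_name(name):
    """Return the pre-encryption file name, or None if the suffix is absent."""
    if name.lower().endswith(SUFFIX) and len(name) > len(SUFFIX):
        return name[: -len(SUFFIX)]
    return None


def scan(root):
    """Walk root read-only and collect what was hit, without touching any file."""
    result = {"encrypted": [], "note_dirs": [], "intact": 0, "types": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            orig = original_name(name)
            if name.lower() == NOTE_NAME.lower():
                result["note_dirs"].append(dirpath)
            elif orig is not None:
                result["encrypted"].append(os.path.join(dirpath, orig))
                ext = os.path.splitext(orig)[1].lower() or "(none)"
                result["types"][ext] += 1
            else:
                result["intact"] += 1
    return result


def build_sample_tree(root):
    """Constructed sample data: empty files that only imitate the naming."""
    names = {
        "docs": ["report.docx" + SUFFIX, "budget.xlsx" + SUFFIX, NOTE_NAME],
        "photos": ["cat.JPG" + SUFFIX, "notes.pdf", NOTE_NAME],
        "clean": ["readme.txt"],
    }
    for sub, files in names.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in files:
            open(os.path.join(root, sub, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found = scan(tmp)
        print("encrypted:", len(found["encrypted"]), "intact:", found["intact"])
        print("directories with ransom note:", len(found["note_dirs"]))
        print("original types hit:", dict(found["types"]))
```

The per-type counts show which original formats were affected, which helps when choosing file types to recover later; an ordinary file such as notes.pdf is not flagged because it lacks the full appended extension.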
Threat Summary
Name | [embulance@cock.li].pdf |
Type | File locker, Filecoder, Crypto malware, Crypto virus, Ransomware |
Encrypted files extension | .[embulance@cock.li].pdf |
Ransom note | RETURN FILES.txt |
Contact | embulance@cock.li, embulance@mail.fr |
Ransom amount | $300-$1000 in Bitcoins |
Symptoms | Encrypted photos, documents and music. Your personal files now have a new extension. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. Ransom demanding message on your desktop. |
Distribution methods | Spam or phishing emails that are designed to get people to open an attachment or click on a link. Drive-by downloads (crypto virus is able to infect the personal computer simply by visiting a web-page that is running malicious code). Social media, such as web-based instant messaging programs. Torrent web sites. |
Removal | To remove [embulance@cock.li].pdf ransomware use the removal guide |
Recover encrypted files | To restore [embulance@cock.li].pdf files use the steps |
How to remove [embulance@cock.li].pdf virus and Recover encrypted files
If you find files with the .[embulance@cock.li].pdf extension on your computer, then the computer is the victim of a ransomware attack. To unlock the contents of encrypted files, you need to take several steps. First you need to make sure that the computer does not contain malicious software, and only after that proceed to restore the encrypted files to their original state using several methods. These methods do not require a key and decryptor. In order not to miss any part of the instructions, we recommend that you print them or open them on your smartphone.
- How to remove [embulance@cock.li].pdf crypto virus
- How to decrypt .[embulance@cock.li].pdf files
- How to restore .[embulance@cock.li].pdf files
- How to protect your computer from [embulance@cock.li].pdf crypto malware
- Finish words
How to remove [embulance@cock.li].pdf crypto virus
The first thing we advise every victim of the [embulance@cock.li].pdf virus to do is to check the computer for ransomware and other malware. Do not skip this step. The reason is simple: if you do not remove the ransomware, it will encrypt the files again after they are decrypted. Moreover, do not forget that active malware is a breach in your computer’s protection: criminals can access the entire computer, control it, or use it to hack into other computers.
We recommend using free malware removal tools to detect and remove [embulance@cock.li].pdf ransomware. Moreover, it is advisable to check the computer with two or more tools rather than one, so you can be sure that the virus is completely removed.
How to remove [embulance@cock.li].pdf with Zemana
Zemana Free is a malware scanner that is very useful for detecting and removing the [embulance@cock.li].pdf ransomware virus. The steps below explain how to download, install, and use Zemana Anti-Malware to scan your PC and remove ransomware, trojans, adware, spyware, worms and other malicious software for free.
- Installing the Zemana Anti-Malware is simple. First you’ll need to download Zemana AntiMalware from the following link.
Zemana AntiMalware
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- Once you have downloaded the install file, double-click on Zemana.AntiMalware.Setup. This will start the Zemana Free setup on your computer.
- Select setup language and click ‘OK’ button.
- On the next screen ‘Setup Wizard’ simply click the ‘Next’ button and follow the prompts.
- Finally, once the installation is complete, Zemana Anti-Malware (ZAM) will run automatically. If it doesn’t, double-click on the Zemana Free icon on your desktop.
- Now that you have successfully installed Zemana, let’s see how to use Zemana AntiMalware (ZAM) to delete the [embulance@cock.li].pdf virus from your computer.
- After you have launched Zemana, you’ll see a window as on the image below. Just press the ‘Scan’ button to scan your system for the ransomware virus.
- Now pay attention to the screen while Zemana AntiMalware (ZAM) scans your computer.
- When the scan is finished, you’ll be shown the list of all threats found on your computer. All found threats will be marked. You can delete them all by simply pressing the ‘Next’ button.
- Zemana may require a PC restart in order to complete the [embulance@cock.li].pdf ransomware removal process.
- If you want to permanently remove ransomware from your system, then click ‘Quarantine’ icon, select all malicious software, adware, potentially unwanted apps and other threats and click Delete.
- Reboot your PC to complete the crypto virus removal procedure.
Use MalwareBytes to remove [embulance@cock.li].pdf ransomware
We advise using MalwareBytes Free. You can download and install MalwareBytes Anti Malware (MBAM) to look for and delete [embulance@cock.li].pdf from the system. When installed and updated, this free malicious software remover automatically identifies and removes all threats that exist on the machine.
- Visit the following page to download MalwareBytes Anti-Malware. Save it on your MS Windows desktop or in any other place.
Malwarebytes Anti-malware
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- At the download page, click on the Download button. Your internet browser will open the “Save as” dialog box. Please save it onto your Windows desktop.
- Once the downloading process is finished, please close all applications and open windows on your machine. Double-click on the icon that’s named mb3-setup.
- This will launch the “Setup wizard” of MalwareBytes Anti Malware onto your machine. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, the MalwareBytes Anti-Malware will open and display the main window.
- Next, click the “Scan Now” button to search for [embulance@cock.li].pdf ransomware and other kinds of potential threats like malware and trojans. This procedure can take some time, so please be patient. When malicious software, adware or PUPs are detected, the number of security threats will change accordingly.
- When the scan is completed, MalwareBytes will display a scan report.
- Once you’ve selected what you wish to remove from your PC, press the “Quarantine Selected” button. When that process is complete, you may be prompted to reboot the system.
- Close the AntiMalware and continue with the next step.
Remove [embulance@cock.li].pdf ransomware with Kaspersky virus removal tool
Kaspersky virus removal tool (KVRT) is free and easy to use. It can scan and remove ransomware, PUPs, adware, trojans, worms, spyware and other malware. KVRT is powerful enough to find and delete malicious registry entries and files that are hidden on the machine.
Download Kaspersky virus removal tool (KVRT) from the following link.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When the download is complete, double-click on the KVRT icon. Once the initialization procedure is complete, you’ll see the Kaspersky virus removal tool screen as displayed on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click the Start scan button. The Kaspersky virus removal tool will scan the whole machine for the [embulance@cock.li].pdf ransomware and other trojans and harmful programs. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. While KVRT is scanning, you may see the count of objects it has identified as being malware.
After KVRT has completed scanning your machine, a list of all items detected is created as on the image below.
In order to remove all items, simply click on Continue to start the cleaning procedure.
How to decrypt .[embulance@cock.li].pdf files
To date, there is no way to decrypt the affected files other than paying money to the cyber frauds. Developers are working on free decryption utilities that can unlock the encrypted files, but there is no result yet, and it is not known when there will be one.
Never pay the ransom! Transferring money to cybercriminals is no guarantee that the user will receive a private key to decrypt the locked personal files. Very often, after receiving the ransom payment, online criminals impose new demands for the transfer of an even larger amount of money. It is impossible to predict with certainty what the online criminals who created the [embulance@cock.li].pdf crypto malware will do, but it is safe to say that these actions are immoral and illegal.
The [embulance@cock.li].pdf virus is not the only one of its kind, and for some of the others there are already ways to decrypt locked files. This gives hope that a decryption tool can be developed for this crypto virus as well.
How to restore .[embulance@cock.li].pdf files
Fortunately, there is a small chance to restore photos, documents and music that have been encrypted by the [embulance@cock.li].pdf virus. Data recovery tools can help you! Many victims of various ransomware were able to recover their files using the steps described below. In our guide, we suggest using only free and tested utilities called PhotoRec and ShadowExplorer. The only thing we still want to tell you before you try to restore the encrypted files is to scan your personal computer for active malicious software. Earlier in this post we gave examples of malicious software removal utilities that can find and uninstall the [embulance@cock.li].pdf crypto virus.
Restore .[embulance@cock.li].pdf files using Shadow Explorer
An alternative is to recover your photos, documents and music from their Shadow Copies. Shadow Volume Copies are copies of files and folders that MS Windows 10 (8, 7 and Vista) automatically saves as part of system protection. This feature is fantastic at rescuing photos, documents and music that were locked by [embulance@cock.li].pdf ransomware. The instructions below will give you all the details.
Installing ShadowExplorer is simple. First you will need to download ShadowExplorer to your Windows Desktop from the following link.
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once downloading is finished, open the directory in which you saved it. Right-click on ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown on the image below.
Double click ShadowExplorerPortable to start it. You will see a window as displayed on the screen below.
In the top left corner, select a Drive where encrypted documents, photos and music are stored and the latest restore point, similar to the one below (1 – drive, 2 – restore point).
On the right panel, look for a file that you want to restore, right-click on it and select Export as on the image below.
Use PhotoRec to restore .[embulance@cock.li].pdf files
Before a file is encrypted, the [embulance@cock.li].pdf crypto virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your files using file recovery programs like PhotoRec.
Download PhotoRec on your computer by clicking on the following link.
When the downloading process is finished, open the directory in which you saved it. Right-click on testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder such as the one below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll show a screen as on the image below.
Choose a drive to recover like below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as displayed in the figure below.
Click the File Formats button and specify file types to restore. You can enable or disable the restore of certain file types. When this is finished, click the OK button.
Next, click the Browse button to choose where recovered personal files should be written, then press Search.
The count of recovered files is updated in real time. All recovered photos, documents and music are written to the folder that you chose in the previous step. You can access the files even if the recovery process is not finished.
When the recovery is complete, click on the Quit button. Next, open the directory where recovered documents, photos and music are stored. You will see contents as shown in the figure below.
All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can sort your recovered files by extension and/or date/time.
How to protect your computer from [embulance@cock.li].pdf crypto malware?
Most antivirus programs already have a built-in protection system against crypto malware. Therefore, if your computer does not have an antivirus program, make sure you install one. As an extra protection, use HitmanPro.Alert. HitmanPro.Alert is a small security utility. It can check the system integrity and alert you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Click the following link to download the latest version of HitmanPro.Alert for Windows. Save it to your Desktop so that you can access the file easily.
When downloading is done, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. Once the utility is opened, you will see a window where you can select a level of protection, as shown in the following example.
Now click the Install button to activate the protection.
Finish words
This guide was created to help all victims of the [embulance@cock.li].pdf virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt or recover the encrypted files. We hope that the information presented in this manual has helped you. If you have questions, then write to us, leaving a comment below. If you need more help with [embulance@cock.li].pdf related issues, go here.