A new variant of ransomware virus has been discovered by cyber security specialists. It appends the .pptx extension to encrypted files. This ransomware targets computers running Microsoft Windows by spam emails and malware files.
.pptx file extension ransomware – ransom note
The so-called .pptx ransomware is a malware that designed to encrypt the documents, photos and music found on infected PC system using a hybrid encryption mode, appending the .pptx extension to all encrypted documents, photos and music. It can encrypt almost types of files, including the following:
.accdb, .wire, .ibank, .odc, .xyw, .vfs0, .3ds, .xlsx, .wpt, .wpa, .sb, .wp5, .apk, .wsh, .itm, .forge, .wpb, .bkf, .mlx, .cer, .xpm, .vcf, .icxs, .der, .bc6, .zif, .wotreplay, .bik, .rgss3a, .epk, .wpd, .wsc, .x3d, .3dm, .mef, .xdb, .wbm, .eps, .p12, .fsh, .dwg, .wbd, .pdd, .m2, .wps, .p7c, .0, .docm, .zip, .rim, .xbplate, wallet, .wcf, .mp4, .itdb, .wpd, .sidd, .ptx, .arch00, .xxx, .raf, .xlk, .slm, .ai, .kdb, .map, .odt, .wpe, .wp, .wb2, .vtf, .bsa, .zi, .hvpl, .ws, .webp, .1st, .ybk, .webdoc, .snx, .pptx, .bkp, .zip, .mddata, .svg, .wri, .wp7, .raw, .x3f, .bay, .upk, .xx, .wps, .wbmp, .zw, .wav, .mpqge, .layout, .xlsm, .xml, .srf, .xf, .wmo, .pfx, .nrw, .vdf, .xlgc, .vpk, .p7b, .tor, .arw, .wmd, .ppt, .xlsm, .menu, .w3x, .srw, .bar, .txt, .wp6, .dcr, .hplg, .odm, .zdb, .asset, .mdbackup, .desc, .js, .sie, .3fr, .xmind, .sis, .avi, .csv, .xls, .orf, .d3dbsp, .zdc, .mcmeta, .wn, .mov, .lvl, .cdr, .m3u, .ztmp, .sum, .psd, .db0, .yml, .jpe, .y, .mrwref, .dmp, .x, .iwd, .wbc, .xlsx, .litemod, .pak, .ods, .bc7, .pdf, .wpl, .dbf, .hkx, .xyp, .rtf, .kdc, .xlsb, .wpg, .wma, .gho, .pkpass, .wpw, .dng, .wgz, .rar, .py, .jpeg, .gdb, .zabw, .wot, .1, .vpp_pc, .dxg, .ntl, .t13, .wmv, .mdf, .ncf, .lbf, .pptm, .fos, .rb, .t12, .docx, .rwl, .rofl, .wm, .wdb, .z, .odp, .xar, .xls, .z3d, .fpk, .esm, .lrf, .jpg, .hkdb, .wbk, .7z, .ltx, .wdp, .pst, .qdf, .png
Once the encryption procedure is finished, it will create a ransom instructions named “READ_ME.txt” offering decrypt all users photos, documents and music if a payment is made. An example of the ransom demanding message is:
Your files are Encrypted!
For data recovery needs decryptor.
How to buy decryptor:1. Download “Tor Browser” from https://www.torproject.org/ and install it.
2. Open this link In the “Tor Browser”
http://huhighwfn4jihtlz.onion/sdlsgdewwbhr
Note! This link is available via “Tor Browser” only.
————————————————————
Free decryption as guarantee.
Before paying you can send us 2 file for free decryption.
————————————————————
You unique ID
Unfortunately, there is no solution for victim’s to decrypt photos, documents and music for free. In the guide below, I have outlined few methods that you can use to remove .pptx ransomware virus from your personal computer and restore .pptx files from a shadow volume copies or using file restore applications.
Table of contents
- How to decrypt .pptx files
- How to remove .pptx ransomware
- How to restore .pptx files
- How to protect your computer .pptx ransomware?
How to decrypt .pptx files
If your documents, photos and music have been encrypted by the .pptx ransomware virus, We suggests: do not to pay the ransom. If this malicious software make money for its creators, then your payment will only increase attacks against you.
“To buy the decryptor, you must pay the cost of: 0.137 Bitcoin ($ 777)”
Of course, decryption without the private key is not feasible, but that does not mean that the .pptx ransomware virus must seriously disrupt your live. The free utilities listed below can be used to look for and remove this ransomware and prevent any further damage. After that you can recover encrypted photos, documents and music from their Shadow Copies or using file restore utility.
How to remove .pptx ransomware
In order to delete .pptx ransomware virus from your computer, you need to stop all virus processes and delete its associated files including Windows registry entries. If any virus components are left on the computer, the ransomware can reinstall itself the next time the machine boots up. Usually ransomware viruses uses random name consist of characters and numbers that makes a manual removal process very difficult. We advise you to run a free virus removal tools which will help get rid of .pptx ransomware virus from your computer. Below you can found a few popular malware removers that detects various ransomware.
Use Zemana Anti-malware to remove ransomware virus
We recommend you to use the Zemana Anti-malware which are completely clean your PC system of this ransomware. Moreover, the tool will help you to remove PUPs, malware, toolbars and adware that your computer can be infected too.
Zemana can be downloaded from the following link. Save it on your Windows desktop or in any other place.
164030 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Once the download is complete, close all software and windows on your system. Open a directory in which you saved it. Double-click on the icon that’s called Zemana.AntiMalware.Setup as displayed below.
When the install begins, you will see the “Setup wizard” that will allow you install Zemana Free on your personal computer.
Once installation is complete, you will see window as shown below.
Now click the “Scan” button for checking your PC system for the .pptx ransomware virus and other security threats. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your personal computer and the speed of your PC. While the Zemana Free program is scanning, you can see number of objects it has identified as threat.
When the system scan is done, you can check all threats detected on your system. Review the report and then press “Next” button.
The Zemana AntiMalware will get rid of .pptx ransomware virus and other kinds of potential threats such as malicious software and potentially unwanted apps and move threats to the program’s quarantine.
How to automatically get rid of .pptx ransomware with MalwareBytes Free
Manual .pptx ransomware removal requires some computer skills. Some files and registry entries that created by the ransomware can be not fully removed. We suggest that run the MalwareBytes that are fully free your PC system of ransomware. Moreover, this free program will allow you to remove malware, potentially unwanted applications, adware and toolbars that your machine may be infected too.
MalwareBytes Free can be downloaded from the following link. Save it on your Desktop.
326382 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
When downloading is complete, close all windows on your computer. Further, open the file called mb3-setup. If the “User Account Control” prompt pops up as displayed in the following example, press the “Yes” button.
It will show the “Setup wizard” which will assist you install MalwareBytes AntiMalware on the system. Follow the prompts and do not make any changes to default settings.
Once install is complete successfully, press Finish button. Then MalwareBytes will automatically start and you can see its main window as displayed below.
Next, press the “Scan Now” button for scanning your PC system for the .pptx ransomware and other security threats.
When the system scan is done, MalwareBytes Anti-Malware will show a list of all threats found by the scan. All detected threats will be marked. You can remove them all by simply click “Quarantine Selected” button.
The MalwareBytes Anti-Malware (MBAM) will get rid of .pptx ransomware virus related files, folders and registry keys. When that process is complete, you may be prompted to reboot your system. We recommend you look at the following video, which completely explains the procedure of using the MalwareBytes Anti Malware to remove hijackers, adware and other malware.
Scan your personal computer and remove .pptx ransomware virus with KVRT
The KVRT utility is free and easy to use. It can scan and delete ransomware virus such as .pptx ransomware, malware, PUPs and ad-supported software in Internet Explorer, Google Chrome, Firefox and Microsoft Edge internet browsers and thereby restore their default settings (newtab page, default search engine and homepage). KVRT is powerful enough to find and remove malicious registry entries and files that are hidden on the personal computer.
Download Kaspersky virus removal tool (KVRT) on your PC system from the following link.
129055 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After downloading is complete, double-click on the KVRT icon. Once initialization procedure is complete, you will see the Kaspersky virus removal tool screen as shown on the image below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button to perform a system scan for the .pptx ransomware virus and other known infections. This task can take quite a while, so please be patient. While the Kaspersky virus removal tool utility is checking, you can see number of objects it has identified as being infected by malware.
Once Kaspersky virus removal tool has completed scanning your PC, the results are displayed in the scan report as displayed in the figure below.
You may delete threats (move to Quarantine) by simply press on Continue to start a cleaning procedure.
How to restore .pptx files
In some cases, you can restore files encrypted by .pptx ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted photos, documents and music.
Restore .pptx files using Shadow Explorer
The MS Windows has a feature named ‘Shadow Volume Copies’ that can allow you to recover .pptx files encrypted by the .pptx ransomware virus. The solution described below is only to recover encrypted photos, documents and music to previous versions from the Shadow Volume Copies using a free tool named the ShadowExplorer.
ShadowExplorer can be downloaded from the following link. Save it on your Windows desktop.
438663 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once the download is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown in the figure below.
Start the ShadowExplorer tool and then select the disk (1) and the date (2) that you want to restore the shadow copy of file(s) encrypted by the .pptx ransomware virus as on the image below.
Now navigate to the file or folder that you want to recover. When ready right-click on it and click ‘Export’ button as shown in the figure below.
Run PhotoRec to restore .pptx files
Before a file is encrypted, the .pptx ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file recover programs such as PhotoRec.
Download PhotoRec from the following link. Save it on your Desktop.
When the downloading process is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll display a screen as shown in the following example.
Select a drive to recover as shown in the figure below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music like below.
Press File Formats button and specify file types to recover. You can to enable or disable the recovery of certain file types. When this is done, click OK button.
Next, click Browse button to choose where restored personal files should be written, then press Search.
Count of restored files is updated in real time. All recovered photos, documents and music are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is complete, press on Quit button. Next, open the directory where restored documents, photos and music are stored. You will see a contents as displayed on the screen below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your computer .pptx ransomware?
Most antivirus applications already have built-in protection system against the virus. Therefore, if your PC system does not have an antivirus application, make sure you install it. As an extra protection, use the CryptoPrevent.
Run CryptoPrevent to protect your computer from .pptx ransomware
Download CryptoPrevent by clicking on the following link.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once the installation is complete, you’ll be displayed a window where you can select a level of protection, as displayed on the screen below.
Now press the Apply button to activate the protection.
Finish words
Once you have done the step-by-step guidance outlined above, your machine should be clean from .pptx ransomware virus and other malware. Your PC will no longer encrypt your photos, documents and music. Unfortunately, if the steps does not help you, then you have caught a new variant of ransomware, and then the best way – ask for help here.
