Cyber threat analysts discovered a new variant of ransomware, which called Pulsar1 Ransomware virus. It appends the .pulsar1 file extension to encrypted file names. This article will provide you a brief summary of information related to this new virus and how to recover all encrypted photos, documents and music for free.
Files encrypted by ‘Pulsar1 ransomware’
Immediately after the launch, the .Pulsar1 Ransomware virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The virus uses the file name extension, as a method to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:
.ztmp, .fsh, .wsh, .x3f, .xdb, .iwi, .wpw, .zw, .3ds, .wbc, .mdb, .wav, .wn, .ysp, .wbm, .xy3, .zdc, .xyp, .xml, .wp4, .1, .srw, .xmind, .xar, .rtf, .t13, .dba, .ws, .rw2, .rwl, .avi, .rim, .jpeg, .apk, .jpe, .mdf, .wpt, .psd, .rar, .dbf, .bsa, .wbd, .zdb, .zi, .sum, .odm, .sie, .asset, .eps, .zabw, .wsd, .orf, .cer, .kdb, .webp, .wsc, .r3d, .qdf, .esm, .tax, .sql, .pptx, .wmo, .svg, .lrf, .pptm, .xmmap, .mcmeta, .ltx, .xlsx, .blob, .csv, .x3d, .xdl, .wp, .iwd, .ff, .forge, .xlsm, .dxg, .mrwref, .sid, .xx, .upk, .bc7, .wbk, .pef, .xld, .m2, .sidn, .p12, .bkf, .layout, .mov, .ncf, .odp, wallet, .vpk, .itdb, .wm, .hkx, .nrw, .icxs, .zif, .doc, .db0, .wmv, .0, .wpb, .wbmp, .pdd, .ppt, .wri, .wgz, .hkdb, .pak, .wma, .docx, .dng, .vdf, .xlsx, .wpd, .bay, .indd, .bkp, .syncdb, .mdbackup, .erf, .das, .wot, .ai, .ods, .ntl, .xbdoc, .xwp, .1st, .xls, .pkpass, .odt, .css, .xlk, .vcf, .jpg, .xpm, .ibank, .wpa, .wma, .slm, .yml, .wpl, .wmd, .itl, .srf, .w3x, .map, .wp6, .fos, .gdb, .sb, .hvpl, .wpg, .dmp, .sis, .p7c, .sidd, .xls, .2bp, .ptx, .z3d, .tor, .dazip, .wmf, .pst, .menu, .big, .zip, .webdoc, .xlsm, .wmv, .crt, .rb, .cas, .py, .pem, .odb, .wdb, .wps, .vtf, .bik, .cdr, .litemod, .mddata, .zip, .wp5, .ybk, .d3dbsp, .xxx, .mlx, .xf, .3fr, .dwg, .wire, .bc6, .wb2, .wpe, .pdf, .wotreplay, .lvl, .y, .hplg, .docm, .accdb, .m3u, .yal, .wcf, .odc, .x
When the virus encrypts a file, it will add the .pulsar1 extension to every encrypted file. Once the virus finished enciphering of all photos, documents and music, it will create a file named “_readme.txt” with ransom demanding message on how to decrypt all personal files. You can see an one of the variants of the ransom note below:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-T9WE5uiVT6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: blower@india.com Reserve e-mail address to contact us: blower@firemail.cc Your personal ID
Therefore it’s very important to follow the steps below sooner. The instructions will assist you to remove Pulsar1 ransomware. What is more, the step-by-step tutorial below will allow you recover encrypted personal files for free.
Table of contents
- How to remove .Pulsar1 ransomware
- How to decrypt .pulsar1 files
- Use STOPDecrypter to decrypt .pulsar1 files
- How to restore .pulsar1 files
- How to protect your PC from .Pulsar1 ransomware?
- To sum up
How to remove .Pulsar1 ransomware
The .Pulsar1 ransomware can hide its components which are difficult for you to find out and delete completely. This can lead to the fact that after some time, the virus again infect your machine and encrypt your files. Moreover, I want to note that it’s not always safe to remove ransomware virus manually, if you do not have much experience in setting up and configuring the Microsoft Windows operating system. The best way to search for and remove .Pulsar1 Ransomware virus is to run free malware removal applications that are listed below.
How to automatically remove .Pulsar1 Ransomware with Zemana Anti-malware
We advise using the Zemana Anti-malware which are completely clean your machine of ransomware. The utility is an advanced malware removal application created by (c) Zemana lab. It is able to help you remove potentially unwanted software, viruss, adware, malware, toolbars, ransomware and other security threats from your personal computer for free.
Please go to the following link to download Zemana AntiMalware (ZAM). Save it to your Desktop.
164032 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
After the downloading process is complete, start it and follow the prompts. Once installed, the Zemana Anti-Malware will try to update itself and when this procedure is finished, click the “Scan” button to begin checking your personal computer for the .Pulsar1 ransomware virus and other malware and PUPs.
This process can take some time, so please be patient. While the Zemana Anti-Malware is scanning, you may see number of objects it has identified either as being malicious software. All found threats will be marked. You can remove them all by simply click “Next” button.
The Zemana Free will delete .Pulsar1 ransomware virus and other malicious software and PUPs and move items to the program’s quarantine.
How to automatically remove Pulsar1 Ransomware with MalwareBytes
If you are having issues with the .Pulsar1 ransomware removal, then download MalwareBytes Free. It’s free for home use, and finds and deletes various unwanted software that attacks your PC or degrades computer performance. MalwareBytes Anti-Malware (MBAM) can remove adware software, potentially unwanted software as well as malicious software, including ransomware and trojans.
- Click the link below to download MalwareBytes AntiMalware. Save it on your Desktop.
Malwarebytes Anti-malware
326384 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- At the download page, click on the Download button. Your web-browser will show the “Save as” prompt. Please save it onto your Windows desktop.
- Once the download is done, please close all software and open windows on your system. Double-click on the icon that’s named mb3-setup.
- This will run the “Setup wizard” of MalwareBytes onto your PC. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the MalwareBytes Free will start and open the main window.
- Further, click the “Scan Now” button to perform a system scan with this utility for the Pulsar1 ransomware virus and other malicious software and potentially unwanted apps. Depending on your PC, the scan may take anywhere from a few minutes to close to an hour. When a threat is detected, the count of the security threats will change accordingly. Wait until the the scanning is finished.
- When the scan is complete, the results are displayed in the scan report.
- Make sure all threats have ‘checkmark’ and click the “Quarantine Selected” button. After disinfection is finished, you may be prompted to reboot the PC system.
- Close the AntiMalware and continue with the next step.
Video instruction, which reveals in detail the steps above.
Run KVRT to delete .Pulsar1 Ransomware virus from the personal computer
If MalwareBytes anti-malware or Zemana anti-malware cannot get rid of this virus, then we suggests to run the KVRT. KVRT is a free removal utility for viruss, adware software, PUPs and toolbars.
Download Kaspersky virus removal tool (KVRT) from the link below.
129056 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After downloading is finished, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is done, you will see the KVRT screen as shown in the figure below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button to perform a system scan for the .Pulsar1 Ransomware virus . A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your personal computer. When a malicious software, adware or PUPs are found, the count of the security threats will change accordingly.
After KVRT completes the scan, a list of all items found is prepared as shown in the following example.
All detected items will be marked. You can remove them all by simply click on Continue to start a cleaning process.
How to decrypt .pulsar1 files
The .Pulsar1 Ransomware virus offers victim to contact it’s authors in order to decrypt all files. These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins).
Never pay the ransom! You might feel that you have no other choice but to pay up and decrypt .pulsar1 photos, documents and music quickly. There is no guarantee that the creators of .Pulsar1 ransomware virus will live up to the word and give back your documents, photos and music.
Files encrypted by ‘.Pulsar1 ransomware’
With some variants of Klope Ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .pulsar1 files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter by Demonslay335
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.pulsar1).
Please check the twitter post for more info.
How to restore .pulsar1 files
In some cases, you can recover files encrypted by .Pulsar1 ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted personal files.
Use shadow copies to restore .pulsar1 files
A free utility called ShadowExplorer is a simple method to use the ‘Previous Versions’ feature of Microsoft Windows 10 (8, 7 , Vista). You can restore .pulsar1 personal files encrypted by the .Pulsar1 Ransomware virus from Shadow Copies for free.
Click the following link to download ShadowExplorer. Save it on your MS Windows desktop.
438668 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When the download is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed below.
Launch the ShadowExplorer utility and then choose the disk (1) and the date (2) that you want to recover the shadow copy of file(s) encrypted by the .Pulsar1 ransomware as displayed in the figure below.
Now navigate to the file or folder that you wish to recover. When ready right-click on it and click ‘Export’ button as shown in the following example.
Run PhotoRec to restore .pulsar1 files
Before a file is encrypted, the .Pulsar1 ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your files using file restore apps such as PhotoRec.
Download PhotoRec on your Windows Desktop by clicking on the following link.
After the downloading process is done, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown in the figure below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll open a screen as shown on the image below.
Choose a drive to recover as shown on the screen below.
You will see a list of available partitions. Select a partition that holds encrypted personal files as shown below.
Click File Formats button and specify file types to recover. You can to enable or disable the restore of certain file types. When this is finished, click OK button.
Next, click Browse button to select where restored documents, photos and music should be written, then click Search.
Count of restored files is updated in real time. All restored photos, documents and music are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is finished, click on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as shown on the screen below.
All recovered photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your PC from .Pulsar1 ransomware?
Most antivirus applications already have built-in protection system against the ransomware. Therefore, if your PC system does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Run HitmanPro.Alert to protect your machine from .Pulsar1 ransomware
HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
HitmanPro Alert can be downloaded from the following link. Save it on your Microsoft Windows desktop or in any other place.
Once the download is finished, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. When the utility is started, you’ll be shown a window where you can choose a level of protection, as displayed below.
Now click the Install button to activate the protection.
To sum up
Now your system should be free of the .Pulsar1 ransomware. Remove Kaspersky virus removal tool and MalwareBytes Free. We suggest that you keep Zemana Free (to periodically scan your machine for new malware). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to remove .Pulsar1 Ransomware virus from your system, then ask for help here.
