Tabufa ransomware is a malicious software that invisibly penetrates the computer and encrypts personal files which stored on PC disks. While encrypting, it renames all encrypted photos, documents and music so that they have the .tabufa file extension.
“.Tabufa Ransomware” – ransom note
Immediately after the launch, the .Tabufa Ransomware virus scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware uses the file name extension, as a way to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:
.epk, .xwp, .itl, .rim, .sb, .kdc, .bkf, .ai, .zdc, .srf, .xlgc, .vtf, .wpb, .xf, .sav, .1st, .mov, .ptx, .7z, .wp6, .wn, .wps, .esm, .forge, .dbf, .dba, .xlsx, .orf, .cr2, .zip, .odm, .mdbackup, .wbk, .syncdb, .asset, .pptm, .x3d, .iwi, .ybk, .x, .slm, .sum, .wp5, .odp, .x3f, .xlsx, .apk, .mcmeta, .re4, .jpe, .tor, .raf, .hvpl, .docx, .odt, .mpqge, .xlk, .m2, .xlsb, .rofl, .mef, .wpw, .y, .wsc, .xdl, .cer, .jpeg, .wbc, .wri, .hkx, .py, .sidn, .xxx, .fpk, .zi, .lvl, .lbf, .layout, .blob, .bkp, .wdp, .rw2, .indd, .dazip, .zif, .rwl, .desc, .xmind, .wpt, .litemod, .jpg, .wbm, .m3u, .xyp, .svg, .m4a, .itm, .wot, .zabw, .gdb, .wmv, .wps, .xls, .ltx, .odb, .db0, .wm, .lrf, .pdf, .wpd, .wav, .p7c, .raw, .t12, .wmo, .doc, .cas, .qic, .xbdoc, .arch00, .wmd, .itdb, .pptx, .sid, .wbmp, .kdb, .crw, .fsh, .wbz, .mdb, .mlx, .fos, .nrw, .wp, .zip, .xar, .xml, .csv, .mp4, .ff, .sr2, .xlsm, .dxg, .wmv, .p12, .rgss3a, .t13, .mrwref, .xpm, .xbplate, .png, .yml, .snx, .wsh, .mdf, .pdd, .wpe, .ppt, .zdb, .vcf, .xx, .wcf, .tax, .webp, .avi, .rtf, .xdb, .pef, .vfs0, .bc7, .rar, .pst, .js, .mddata, .1, .ysp, .bc6, .bar, .vdf, .big, .css, .bay, .wpl, .odc, .2bp, .sidd, .pem, .wotreplay, .dng, .cfr, .xy3, .hkdb, .eps, .x3f, .w3x, .wb2, .3dm, .wmf, .xlsm, .3fr, .wp7, .ncf, .crt, .wma, .qdf, .pkpass, .psd, .sie, .txt, .xls, .bsa, .ibank
When the ransomware virus encrypts a file, it will append the .tabufa extension to every encrypted file. Once the ransomware finished enciphering of all documents, photos and music, it will create a file named “how_to_back_files.html” with ransom demanding message on how to decrypt all personal files. You can see an one of the variants of the ransom note below:
All your data has been ciphered!
The only way of recovering your files is to buy a unique decryptor.
A decryptor is fully automatical, all your data will be recovered within a few hours after it’s installation.
For purchasing a decryptor contact us by email:
tabufa@protonmail.com
If you will get no answer within 24 hours contact us by our alternate emails:
tabufa@airmail.cc
We assure full recovery after the payment.
To verify the possibility of the recovery of your files we can decipher 1 file for free.
Attach 1 file to the letter (no more than 5Mb). Indicate your personal ID on the letter:
In reply we will send you an deciphered file and an instruction for purchasing an automatical decryptor for all your files. After the payment we will send you a decryptor and an instructions for protecting your computer from network vulnerabilities..
Attention!
Only tabufa@protonmail.com, tabufa@airmail.cc can decipher all your files.
Launching of antivirus programs will not help.
Changing ciphered files will result in a loose of data.
Attempts of deciphering by yourself will result in a loose of data.
Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.
We suggest you to remove .Tabufa ransomware as quickly as possible, until the presence of the ransomware virus has not led to even worse consequences. You need to follow the step-by-step tutorial below that will allow you to completely remove .Tabufa ransomware from your computer as well as recover encrypted documents, photos and music, using only few free utilities.
Table of contents
- How to remove .Tabufa ransomware
- How to decrypt .tabufa files
- How to restore .tabufa files
- How to protect your PC system from .Tabufa ransomware virus?
- To sum up
How to remove .Tabufa ransomware
Manual removal does not always allow to completely remove the .Tabufa ransomware, as it is not easy to identify and delete components of ransomware virus and all malicious files from hard disk. Therefore, it’s recommended that you run malicious software removal tool to completely remove .Tabufa ransomware virus off your personal computer. Several free malware removal tools are currently available that can be used against the ransomware. The optimum way would be to run Zemana Anti-malware, Malwarebytes Free and Kaspersky Virus Removal Tool.
Remove .Tabufa Ransomware with Zemana Anti-malware
Zemana Anti-malware is a utility which can remove ransomware viruses, adware, trojans, worms and other malware from your system easily and for free. Zemana Anti-malware is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses minimum of PC system resources.
Zemana Free can be downloaded from the following link. Save it on your Desktop.
164032 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
After the downloading process is done, close all windows on your personal computer. Further, launch the install file called Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as displayed below, press the “Yes” button.
It will open the “Setup wizard” that will help you install Zemana Anti Malware on the PC system. Follow the prompts and do not make any changes to default settings.
Once setup is done successfully, Zemana AntiMalware (ZAM) will automatically start and you can see its main window like below.
Next, click the “Scan” button . Zemana Free utility will begin scanning the whole personal computer to find out .Tabufa ransomware and other kinds of potential threats. Depending on your PC, the scan may take anywhere from a few minutes to close to an hour.
Once Zemana Anti Malware (ZAM) completes the scan, Zemana will open a scan report. When you’re ready, press “Next” button.
The Zemana AntiMalware (ZAM) will remove .Tabufa ransomware and other malware and move threats to the program’s quarantine. After finished, you can be prompted to reboot your system.
Remove Tabufa ransomware with MalwareBytes Free
Manual Tabufa Ransomware virus removal requires some computer skills. Some files and registry entries that created by the ransomware virus can be not fully removed. We advise that use the MalwareBytes Anti-Malware (MBAM) that are completely free your PC of ransomware. Moreover, this free application will allow you to remove malware, potentially unwanted programs, adware software and toolbars that your personal computer can be infected too.
- Installing the MalwareBytes AntiMalware (MBAM) is simple. First you will need to download MalwareBytes AntiMalware (MBAM) on your personal computer by clicking on the link below.
Malwarebytes Anti-malware
326385 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- At the download page, click on the Download button. Your browser will display the “Save as” prompt. Please save it onto your Windows desktop.
- When downloading is done, please close all programs and open windows on your machine. Double-click on the icon that’s called mb3-setup.
- This will open the “Setup wizard” of MalwareBytes AntiMalware onto your PC system. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, the MalwareBytes AntiMalware (MBAM) will run and show the main window.
- Further, click the “Scan Now” button to locate Tabufa ransomware virus and other security threats. This task can take quite a while, so please be patient. While the utility is scanning, you can see how many objects and files has already scanned.
- After MalwareBytes Anti Malware (MBAM) completes the scan, a list of all items detected is prepared.
- In order to remove all threats, simply click the “Quarantine Selected” button. After finished, you may be prompted to reboot the personal computer.
- Close the AntiMalware and continue with the next step.
Video instruction, which reveals in detail the steps above.
Remove .Tabufa ransomware virus from personal computer with KVRT
The KVRT utility is free and easy to use. It can scan and remove ransomware, malicious software, worms and trojans. KVRT is powerful enough to find and delete malicious registry entries and files that are hidden on the PC system.
Download Kaspersky virus removal tool (KVRT) from the link below. Save it on your Desktop.
129056 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After the download is complete, double-click on the KVRT icon. Once initialization procedure is done, you will see the KVRT screen as shown below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to scan for .Tabufa ransomware and other malicious software. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. While the KVRT application is checking, you can see how many objects it has identified as threat.
As the scanning ends, you will be shown the list of all found items on your system as shown below.
Once you have selected what you want to remove from your system click on Continue to start a cleaning process.
How to decrypt .tabufa files
Tabufa ransomware uses a strong encryption algorithm with long key. What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a method because of the big length of the key. Therefore, unfortunately, the only payment to the makers of the .Tabufa ransomware entire amount requested – the only way to try to get the decryption key and decrypt all your files.
Never pay the ransom! You might feel that you have no other choice but to pay up and decrypt .tabufa files. There is no guarantee that the developers of .Tabufa ransomware virus will live up to the word and give back your photos, documents and music.
Especially since you have a chance to restore your personal files for free using free tools such as ShadowExplorer and PhotoRec.
How to restore .tabufa files
In some cases, you can recover files encrypted by .Tabufa ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted files.
Use ShadowExplorer to recover .tabufa files
In order to restore .tabufa files encrypted by the .Tabufa ransomware from Shadow Volume Copies you can run a utility called ShadowExplorer. We recommend to use this way as it is easier to find and recover the previous versions of the encrypted files you need in an easy-to-use interface.
ShadowExplorer can be downloaded from the following link. Save it to your Desktop so that you can access the file easily.
438669 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When the download is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown in the figure below.
Start the ShadowExplorer tool and then select the disk (1) and the date (2) that you wish to recover the shadow copy of file(s) encrypted by the .Tabufa ransomware as shown on the screen below.
Now navigate to the file or folder that you want to restore. When ready right-click on it and click ‘Export’ button as shown below.
Run PhotoRec to restore .tabufa files
Before a file is encrypted, the .Tabufa ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your personal files using file restore applications like PhotoRec.
Download PhotoRec on your computer by clicking on the following link.
When the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown in the figure below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll open a screen as displayed on the image below.
Select a drive to recover as displayed below.
You will see a list of available partitions. Select a partition that holds encrypted documents, photos and music as displayed in the figure below.
Click File Formats button and select file types to recover. You can to enable or disable the restore of certain file types. When this is done, press OK button.
Next, press Browse button to choose where restored personal files should be written, then press Search.
Count of restored files is updated in real time. All restored photos, documents and music are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is finished, click on Quit button. Next, open the directory where recovered documents, photos and music are stored. You will see a contents as shown below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your PC system from .Tabufa ransomware virus?
Most antivirus applications already have built-in protection system against the ransomware. Therefore, if your PC system does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Run HitmanPro.Alert to protect your PC from .Tabufa ransomware
All-in-all, HitmanPro.Alert is a fantastic tool to protect your PC system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of MS Windows OS from Microsoft Windows XP to Windows 10.
Installing the HitmanPro.Alert is simple. First you will need to download HitmanPro.Alert from the following link. Save it to your Desktop so that you can access the file easily.
After the downloading process is done, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the utility is launched, you’ll be shown a window where you can select a level of protection, as shown on the screen below.
Now click the Install button to activate the protection.
To sum up
Once you’ve done the steps shown above, your personal computer should be free from .Tabufa ransomware virus and other malicious software. Your computer will no longer encrypt your documents, photos and music. Unfortunately, if the steps does not help you, then you have caught a new ransomware, and then the best way – ask for help here.
