Cyber threat analysts have discovered a new ransomware variant named ‘Bufas ransomware’. It appends the .bufas file extension to encrypted file names. Below is a brief summary of this ransomware and of how to restore or decrypt .bufas files for free.
The .Bufas ransomware is malicious software made to encrypt the documents, photos and music found on an infected system using a strong encryption method, adding the .bufas extension to every encrypted file. It can encrypt almost all types of files, including the following:
.xmmap, .pst, .m3u, .wbc, .pfx, .mdbackup, .vtf, .wbm, .vfs0, .sb, .flv, .rgss3a, .wot, .wav, .jpe, .syncdb, .p12, .zdb, .pef, .mddata, .xlsm, .wpg, .svg, .mov, .bc7, .sr2, .rwl, .wp6, .m4a, .slm, .wn, .jpg, .r3d, .odt, .apk, .xls, .zw, .dba, .wsd, .odp, .pkpass, .dbf, .wbd, .epk, .webdoc, .cfr, .das, .sidn, .rw2, .crt, .raf, .wdb, .arw, .x3d, .ptx, .rofl, .wmo, .hkdb, .hvpl, .wmv, .odb, .snx, .css, .docx, .pptx, .xlsb, .xlk, .mp4, .txt, .webp, .ppt, .xxx, .wmv, .wdp, .bc6, .pdd, .3ds, .zi, .cdr, .mcmeta, .rb, .mdb, .gdb, .zif, .doc, .wm, .xlsx, .xyp, .srf, .lbf, .ai, .gho, .db0, .ltx, .p7b, .fpk, .cas, .y, .sidd, .nrw, .tor, .zip, .csv, .itl, .pptm, .xmind, .wpl, .map, .vpp_pc, .py, .2bp, .zip, wallet, .dng, .wri, .sid, .mdf, .raw, .wpd, .yal, .asset, .rar, .wps, .dazip, .xf, .mlx, .ibank, .1, .kdb, .xls, .kdc, .avi, .wire, .wpe, .sql, .wotreplay, .x, .wbz, .mpqge, .bkp, .eps, .indd, .ff, .ztmp, .iwi, .erf, .fsh, .png, .wsc, .sis, .mrwref, .xpm, .srw, .js, .xbdoc, .re4, .accdb, .bsa, .sie, .rtf, .wp4, .dcr, .t12, .big, .orf, .cer, .ncf, .xdl, .wp, .x3f, .vcf, .menu, .pdf, .fos, .wsh, .dmp, .1st, .hplg, .qic, .cr2, .jpeg, .xlgc, .yml, .xy3, .wbk, .wcf, .itdb, .xll, .ws, .zdc, .xwp, .icxs, .crw, .docm, .m2, .wma, .wpw, .layout
When the ransomware encrypts a file, it will append the .bufas extension to every encrypted file. This means that a document file named ‘example.doc’, when encrypted, becomes ‘example.doc.bufas’.
Once the ransomware has finished encrypting all documents, photos and music, it creates a file named “_readme.txt” containing a ransom note with instructions on how to decrypt the files. An example of the ransom note is:
Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-WNIGhROCrH Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
Name | Bufas ransomware |
Type | Ransomware, Filecoder, Crypto virus, File locker |
Encrypted files extension | .bufas |
Ransom note | _readme.txt |
Contact | gorentos@bitmessage.ch, mosteros@firemail.cc, @datarestore (telegram) |
Ransom amount | $980, $490 in Bitcoins |
Symptoms |
|
Removal | To remove .Bufas ransomware use the removal guide |
Decryption | To decrypt .Bufas ransomware use the steps |
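To scope the damage before cleanup and recovery, the following added example (not part of the original article or of any tool it mentions) walks a folder tree read-only, lists files carrying the .bufas extension and the _readme.txt notes, and reports which encrypted files still lack an original beside them. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
from collections import Counter

ENCRYPTED_EXT = ".bufas"      # extension named on this page
RANSOM_NOTE = "_readme.txt"   # ransom note file name named on this page

def inventory(root):
    """Walk root and summarise .bufas damage without modifying anything."""
    encrypted, notes, by_type = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for name in files:
            lower = name.lower()
            if lower == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif lower.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT):
                original = name[:-len(ENCRYPTED_EXT)]
                ext = os.path.splitext(original)[1].lower() or "(none)"
                by_type[ext] += 1
                encrypted.append({
                    "path": os.path.join(dirpath, name),
                    "original_name": original,
                    # True when the original name sits beside the encrypted copy
                    "original_present": original.lower() in present,
                })
    return {"encrypted": encrypted, "notes": notes, "by_type": dict(by_type)}

def build_sample(root):
    """Constructed sample tree for the demo; not data from a real incident."""
    layout = {
        "docs": ["example.doc.bufas", "report.xlsx.bufas", "report.xlsx", "_readme.txt"],
        "pics": ["photo.jpg.bufas", "intact.png", "_readme.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"constructed sample")

if __name__ == "__main__":
    import sys, tempfile
    with tempfile.TemporaryDirectory() as tmp:
        if len(sys.argv) < 2:
            build_sample(tmp)
        result = inventory(sys.argv[1] if len(sys.argv) > 1 else tmp)
    print(len(result["encrypted"]), "encrypted;", len(result["notes"]), "ransom notes")
    print("by original type:", result["by_type"])
    for e in result["encrypted"]:
        print("restored" if e["original_present"] else "needs recovery", e["path"])
```

Run it with a folder path as the only argument; with no argument it builds and scans the constructed sample tree. The count by original file type shows which formats matter most when choosing what to recover.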
In the guidance below, I have outlined a few methods that you can use to remove .Bufas ransomware from your PC and restore (decrypt) .bufas files using free software.
Quick links
- How to remove .Bufas ransomware virus
- How to decrypt .bufas files
- Use STOPDecrypter to decrypt .bufas files
- How to restore .bufas files
- How to protect your computer from .Bufas ransomware virus?
- Finish words
How to remove .Bufas ransomware virus
There are not many good free anti-malware applications with a high detection ratio. The effectiveness of malware removal tools depends on various factors, mostly on how often their virus/malware signature databases are updated in order to detect modern worms, trojans, ransomware and other malware. We advise using several programs, not just one. The programs listed below will help you delete all components of the .Bufas ransomware from your disk and Windows registry.
How to automatically remove .Bufas ransomware with Zemana Anti-malware
Zemana Anti-malware is a tool that can remove ransomware viruses, adware, trojans, worms and other malicious software from your system easily and for free. Zemana Anti-malware is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses a minimum of computer resources.
Zemana can be downloaded from the following link. Save it on your Desktop.
When downloading is done, close all applications and windows on your system. Double-click the install file called Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as displayed in the following example, click the “Yes” button.
It will open the “Setup wizard” which will help you install Zemana Anti Malware on your personal computer. Follow the prompts and don’t make any changes to default settings.
Once installation is done successfully, Zemana AntiMalware (ZAM) will automatically start and you can see its main screen as displayed below.
Now click the “Scan” button. Zemana Anti Malware (ZAM) will begin scanning the whole PC for the .Bufas ransomware and other potential threats such as malicious software and trojans. A system scan can take anywhere from 5 to 30 minutes, depending on your computer. While Zemana is scanning, you can see how many objects it has identified as malware.
After the scan is completed, Zemana Anti-Malware (ZAM) will show a list of found threats. All found items will be marked. You can get rid of them all by simply clicking the “Next” button. Zemana will delete files, folders and registry keys related to the .Bufas ransomware and move the items to the program’s quarantine. When the process is finished, you may be prompted to restart the machine.
Automatically remove Bufas ransomware with MalwareBytes Free
We suggest using MalwareBytes Anti Malware to fully clean your computer of the ransomware. This free tool is an advanced malicious software removal application designed by (c) Malwarebytes lab. This program uses the world’s most popular antimalware technology. It can help you get rid of ransomware, trojans, malware, adware, worms, and other security threats from your system for free.
Installing the MalwareBytes is simple. First you will need to download MalwareBytes Anti Malware on your computer from the following link.
Once the downloading process is done, close all windows on your personal computer. Further, launch the file named mb3-setup. If the “User Account Control” prompt pops up as displayed on the image below, press the “Yes” button.
It will show the “Setup wizard” that will help you install MalwareBytes on the PC. Follow the prompts and don’t make any changes to default settings.
Once installation has finished successfully, press the Finish button. MalwareBytes will then start automatically and you will see its main window as on the image below.
Next, click the “Scan Now” button. MalwareBytes Free will scan the whole computer for the Bufas ransomware and other security threats. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your machine and the speed of your system. During the scan, MalwareBytes Free searches for threats that exist on your machine.
After the system scan is done, MalwareBytes AntiMalware (MBAM) will open a screen which contains a list of malicious software that has been found. When you’re ready, click “Quarantine Selected” button.
The MalwareBytes Anti Malware (MBAM) will delete Bufas ransomware virus and other malicious software and add items to the Quarantine. When that process is finished, you may be prompted to restart your PC. We suggest you look at the following video, which completely explains the procedure of using the MalwareBytes Free to delete hijacker infections, adware and other malicious software.
If the problem with .Bufas ransomware still remains
If MalwareBytes antimalware or Zemana anti-malware cannot remove this ransomware, then we suggest running KVRT. KVRT is a free removal tool for ransomware viruses, adware, trojans and worms.
Download Kaspersky virus removal tool (KVRT) by clicking on the following link. Save it to your Desktop so that you can access the file easily.
Once the download is complete, double-click on the Kaspersky virus removal tool icon. Once the initialization procedure is finished, you will see the KVRT screen as displayed below.
Click Change Parameters and set a check mark next to all your drives. Click OK to close the Parameters window. Next, press the Start scan button to begin checking your computer for the .Bufas ransomware and other known infections. Depending on your PC, the scan can take anywhere from a few minutes to close to an hour. While the tool is checking, you can see the number of objects and files it has already scanned.
Once KVRT completes the scan, you will be shown a list of all detected items on your PC, like below.
All found items will be marked. You can get rid of them all by simply clicking Continue to start the cleaning procedure.
How to decrypt .bufas files
The .Bufas ransomware encourages victims to contact its developers in order to decrypt all documents, photos and music. These persons will demand a ransom (usually $490-980 in Bitcoins).
If your photos, documents and music have been locked by the .Bufas ransomware, we suggest that you do not pay the ransom. If this malware makes money for its authors, then your payment will only increase attacks against you. Of course, decryption without the private key is not feasible, but that does not mean that the .Bufas ransomware virus must seriously disrupt your life.
With some variants of Bufas ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .bufas files
Michael Gillespie released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos). STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.bufas).
Please check the twitter post for more info.
How to restore .bufas files
In some cases, you can restore files encrypted by .Bufas ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.
Recover .bufas files with ShadowExplorer
The free utility ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of Microsoft Windows 10 (8, 7, Vista). You can recover personal files encrypted by the .Bufas ransomware virus from Shadow Copies for free.
Visit the page linked below to download the latest version of ShadowExplorer for MS Windows. Save it directly to your MS Windows Desktop.
When downloading is complete, extract the downloaded file to a directory on your system. This will create the necessary files as shown on the screen below.
Run the ShadowExplorerPortable program. Now select the date (2) that you want to restore from and the drive (1) you wish to recover files (folders) from as displayed in the figure below.
In the right panel, navigate to the file (folder) you wish to recover. Right-click the file or folder and click the Export button as shown in the following example.
Finally, specify a folder (your Desktop) to save the shadow copy of the encrypted file and click the ‘OK’ button.
Use PhotoRec to recover .bufas files
Before a file is encrypted, the .Bufas ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your documents, photos and music using file restore applications such as PhotoRec.
Download PhotoRec by clicking on the following link. Save it on your MS Windows desktop.
Once the download has finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder like below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll show a screen as shown below.
Select a drive to recover as on the image below.
You will see a list of available partitions. Select a partition that holds encrypted personal files as shown on the screen below.
Click the File Formats button and specify the file types to recover. You can enable or disable the recovery of certain file types. When this is finished, click the OK button.
Next, click Browse button to choose where restored photos, documents and music should be written, then click Search.
The count of recovered files is updated in real time. All recovered personal files are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.
When the recovery is complete, click the Quit button. Next, open the directory where the restored files are stored. You will see contents like below.
All recovered personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, you can sort your recovered files by extension and/or date/time.
How to protect your computer from .Bufas ransomware virus?
Most antivirus apps already have a built-in protection system against ransomware. Therefore, if your computer does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert.
Use HitmanPro.Alert to protect your computer from .Bufas ransomware virus
All-in-all, HitmanPro.Alert is a fantastic tool to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Windows operating system from MS Windows XP to Windows 10.
Please go to the following link to download the latest version of HitmanPro.Alert for Windows. Save it to your Desktop so that you can access the file easily.
After downloading is finished, open the file location. You will see an icon like below.
Double-click the HitmanPro.Alert desktop icon. Once the tool has started, you will be shown a window where you can choose a level of protection, like below.
Now click the Install button to activate the protection.
Finish words
After completing the steps above, your PC should be clean from .Bufas ransomware virus and other malicious software. Your PC system will no longer encrypt your documents, photos and music. Unfortunately, if the step-by-step guide does not help you, then you have caught a new variant of ransomware, and the best way forward is to ask for help here.