A new variant of ransomware virus has been discovered by security experts. It appends the .pidon file extension to encrypted files. This ransomware targets computers running Microsoft Windows by spam emails, malware or manually installing the ransomware. This post will provide you with all the things you need to know about ransomware virus, how to delete Pidon crypto malware from your PC system and how to restore (decrypt) encrypted documents, photos and music for free.
Files encrypted by .pidon ransomware
Pidon ransomware virus is a malware that limits you from opening your photos, documents and music. It forces you to pay the ransom through certain online payment methods in order to get your documents, photos and music back. It is known to encrypt almost all file types, including files with extensions:
.3fr, .sql, .dazip, .p12, .wmv, .r3d, .bc6, .vpp_pc, .wmf, .pfx, .icxs, .sid, wallet, .wav, .db0, .1, .mp4, .zabw, .dba, .itm, .mpqge, .wp5, .ibank, .mdb, .slm, .kdb, .wpd, .xy3, .wot, .odp, .wpg, .wpa, .xls, .hplg, .2bp, .arw, .bay, .xlsb, .kf, .wp6, .xlsm, .vdf, .mov, .7z, .der, .xlsx, .xlsm, .layout, .wma, .1st, .wmd, .tax, .z, .eps, .wmo, .t12, .wbc, .wri, .big, .vcf, .p7b, .wbmp, .pdf, .xbdoc, .css, .wp, .qdf, .sav, .bik, .odc, .wma, .dbf, .xll, .mddata, .xf, .zif, .mdf, .snx, .ff, .wcf, .m2, .webdoc, .odb, .docx, .xml, .crt, .sr2, .xyp, .apk, .wotreplay, .wgz, .wm, .mcmeta, .itl, .mef, .xmmap, .tor, .wbk, .sis, .wsh, .xlgc, .qic, .hkx, .xxx, .m4a, .wpw, .map, .mrwref, .wbd, .rgss3a, .3ds, .dwg, .zi, .dcr, .pem, .desc, .wp4, .vtf, .docm, .ztmp, .js, .ptx, .sie, .hvpl, .svg, .pdd, .psd, .lvl, .mlx, .crw, .sidd, .m3u, .z3d, .asset, .xar, .rwl, .ysp, .xx, .x3f, .py, .epk, .pef, .png, .itdb, .cfr, .gho, .w3x, .hkdb, .srf, .das, .d3dbsp, .arch00, .wbz, .xdl, .x, .srw, .wpb, .y, .psk, .ai, .erf, .zip, .x3d, .dxg, .wp7, .zip, .forge, .xlk, .webp, .dng, .accdb, .bc7, .litemod, .flv, .bkp, .rar, .ppt, .rb, .pptm, .orf, .wsd, .wps, .bar, .xbplate, .iwd, .sb, .wb2, .bkf, .x3f, .wn, .upk, .ntl, .blob, .zw, .esm, .yal, .wps, .raf, .xpm, .xdb, .cer, .cdr, .zdb, .rofl, .iwi, .ybk, .odm, .sum, .ncf, .dmp, .ltx, .cr2, .t13, .xmind, .pak, .bsa, .mdbackup, .jpe, .nrw, .jpeg, .fos, .wdb, .rtf, .wire, .xwp, .rim, .doc, .lrf, .pkpass, .0, .re4, .vfs0, .sidn, .xlsx, .rw2, .avi, .odt, .zdc, .raw, .wpt, .p7c, .3dm, .xls, .gdb, .menu, .lbf, .ws, .wpd, .xld, .jpg, .csv, .indd, .wpl, .xyw, .vpk, .kdc, .yml, .wmv, .wpe, .txt, .wdp, .fsh, .wsc, .cas
Upon encryption, all encrypted personal files will then be appended with the .pidon extension (e.g., ‘photo.jpg is renamed to ‘photo.jpg.pidon’). Ransomware leaves a ransom demanding message called ‘_readme.txt’ with instructions for extortion and ransom payment, threatening destruction of files if payment is not made. The ransom demanding message directs victims to make payment online in Bitcoins.
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-7AKxZTQTdy Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
| Name | Pidon |
| Type | Crypto virus, Crypto malware, File locker, Ransomware, Filecoder |
| Encrypted files extension | .pidon |
| Ransom note | _readme.txt |
| Contact | stoneland@firemail.cc, gorentos@bitmessage.ch, @datarestore (telegram) |
| Ransom amount | $490, $980 in Bitcoins |
| Symptoms | Encrypted photos, documents and music. Your personal files now have new extensions that end with something like .locked, .crypted or .cryptor. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. Ransom note in a pop-up window with cybercriminal’s ransom demand and instructions. |
| Distribution methods | Phishing Emails that is carefully developed to trick a victim into opening an attachment or clicking on a link that contains a harmful file. Drive-by downloads from a compromised web page. Social media, like web-based instant messaging programs. Malicious websites. |
| Removal | To remove Pidon ransomware use the removal guide |
| Decryption | To decrypt Pidon ransomware use the steps |
Instructions which is shown below, will allow you to remove Pidon as well as recover (decrypt) encrypted photos, documents and music stored on your personal computer drives.
Quick links
- How to remove Pidon ransomware virus
- How to decrypt .pidon files
- Use STOPDecrypter to decrypt .pidon files
- How to restore .pidon files
- How to protect your personal computer from Pidon ransomware virus?
- Finish words
How to remove Pidon ransomware virus
There are not many good free antimalware programs with high detection ratio. The effectiveness of malicious software removal utilities depends on various factors, mostly on how often their virus/malware signatures DB are updated in order to effectively detect modern worms, trojans, ransomware and other malicious software. We advise to run several applications, not just one. These applications that listed below will allow you delete all components of the Pidon ransomware from your disk and Windows registry.
Run Zemana Anti-malware to remove .Pidon ransomware
Thinking about remove Pidon ransomware from your computer? Then pay attention to Zemana Free. This is a well-known utility, originally created just to find and delete malware, adware and PUPs. But by now it has seriously changed and can not only rid you of malware, but also protect your system from ransomware, malware and adware, as well as identify and get rid of common viruses and trojans.
Zemana Anti Malware (ZAM) can be downloaded from the following link. Save it on your Windows desktop or in any other place.
164032 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When downloading is done, close all windows on your system. Further, launch the set up file called Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as on the image below, click the “Yes” button.
It will open the “Setup wizard” which will help you install Zemana Free on the system. Follow the prompts and do not make any changes to default settings.
Once installation is complete successfully, Zemana Free will automatically run and you can see its main window as shown on the image below.
Next, click the “Scan” button to begin scanning your computer for the Pidon crypto virus related files, folders and registry keys. This process can take quite a while, so please be patient. While the tool is checking, you can see count of objects and files has already scanned.
Once the scan is finished, Zemana Free will display a list of all threats detected by the scan. Once you’ve selected what you wish to get rid of from your system press “Next” button.
The Zemana Anti-Malware (ZAM) will delete Pidon crypto malware and other security threats. When disinfection is finished, you can be prompted to reboot your personal computer.
Automatically remove Pidon files virus with MalwareBytes Free
If you’re having problems with the .Pidon files virus removal, then download MalwareBytes Anti Malware. It is free for home use, and identifies and deletes various undesired programs that attacks your computer or degrades system performance. MalwareBytes AntiMalware (MBAM) can get rid of adware software, potentially unwanted programs as well as malware, including ransomware and trojans.
- MalwareBytes Anti-Malware (MBAM) can be downloaded from the following link. Save it on your Desktop.
Malwarebytes Anti-malware
326385 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- At the download page, click on the Download button. Your web browser will show the “Save as” prompt. Please save it onto your Windows desktop.
- After the download is complete, please close all programs and open windows on your PC system. Double-click on the icon that’s called mb3-setup.
- This will open the “Setup wizard” of MalwareBytes onto your PC. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, the MalwareBytes Free will start and open the main window.
- Further, click the “Scan Now” button to begin scanning your PC for the .Pidon files virus, other kinds of potential threats like malicious software and trojans. This process can take quite a while, so please be patient.
- Once finished, MalwareBytes Free will show a list of all threats detected by the scan.
- Review the results once the utility has done the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply press the “Quarantine Selected” button. Once that process is done, you may be prompted to reboot the computer.
- Close the Anti-Malware and continue with the next step.
Video instruction, which reveals in detail the steps above.
Delete Pidon crypto malware with KVRT
KVRT is a free removal utility that can scan your PC for a wide range of security threats such as the Pidon crypto virus, adware software, trojans as well as other malware. It will perform a deep scan of your personal computer including hard drives and Microsoft Windows registry. When a malicious software is found, it will help you to delete all detected threats from your personal computer by a simple click.
Download Kaspersky virus removal tool (KVRT) by clicking on the link below.
129056 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After the downloading process is finished, double-click on the KVRT icon. Once initialization procedure is complete, you’ll see the Kaspersky virus removal tool screen as shown in the following example.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to begin scanning your machine for the Pidon ransomware virus and other malware. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your system.
After the scan get finished, you’ll be shown the list of all detected items on your personal computer as on the image below.
All detected items will be marked. You can remove them all by simply click on Continue to begin a cleaning procedure.
How to decrypt .pidon files
The encryption mode is so strong that it is practically impossible to decrypt .pidon files without the actual encryption key. The bad news is that the only way to get your files back is to pay ($980, $490 in Bitcoins) makers of the Pidon crypto malware for a copy of the private (encryption) key.
We don’t recommend paying a ransom, as there is no guarantee that you will be able to decrypt your documents, photos and music. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new crypto virus.
Files encrypted by .pidon ransomware
With some variants of the Pidon ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .pidon files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .dotmap. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.pidon).
Please check the twitter post for more info.
How to restore .pidon files
In some cases, you can recover files encrypted by Pidon crypto virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted files.
Run ShadowExplorer to recover .pidon files
In order to restore .pidon photos, documents and music encrypted by the Pidon ransomware virus from Shadow Volume Copies you can use a utility named ShadowExplorer. We suggest to use this solution as it is easier to find and recover the previous versions of the encrypted files you need in an easy-to-use interface.
Installing the ShadowExplorer is simple. First you’ll need to download ShadowExplorer from the link below.
438669 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After the download is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown in the following example.
Double click ShadowExplorerPortable to launch it. You will see the a window as displayed on the screen below.
In top left corner, select a Drive where encrypted documents, photos and music are stored and a latest restore point as displayed below (1 – drive, 2 – restore point).
On right panel look for a file that you wish to restore, right click to it and select Export as shown in the following example.
Recover .pidon files with PhotoRec
Before a file is encrypted, the Pidon ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your documents, photos and music using file restore software such as PhotoRec.
Download PhotoRec on your MS Windows Desktop by clicking on the following link.
After downloading is done, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown in the following example.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will open a screen as displayed in the following example.
Select a drive to recover as shown in the following example.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as displayed on the image below.
Press File Formats button and specify file types to recover. You can to enable or disable the restore of certain file types. When this is finished, press OK button.
Next, click Browse button to choose where recovered files should be written, then press Search.
Count of recovered files is updated in real time. All recovered personal files are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is finished, press on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as displayed on the screen below.
All restored files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your personal computer from Pidon ransomware virus?
Most antivirus programs already have built-in protection system against the ransomware virus. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Use HitmanPro.Alert to protect your personal computer from Pidon crypto virus
All-in-all, HitmanPro.Alert is a fantastic utility to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Windows operating system from Windows XP to Windows 10.
Visit the following page to download the latest version of HitmanPro.Alert for Windows. Save it on your Windows desktop or in any other place.
Once downloading is done, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. Once the utility is launched, you’ll be displayed a window where you can select a level of protection, as shown on the image below.
Now click the Install button to activate the protection.
Finish words
Once you’ve complete the steps outlined above, your computer should be clean from Pidon ransomware virus and other malicious software. Your machine will no longer encrypt your personal files. Unfortunately, if the few simple steps does not help you, then you have caught a new variant of ransomware virus, and then the best way – ask for help here.
