.Piny file extension. Remove Piny virus. Restore, Decrypt .piny files.

Piny file extension

.Piny file extension is a file extension that is associated with a new malware from STOP (djvu) ransomware family. Variant ‘Piny’ shares the characteristics of previous versions of this ransomware. It encrypts files and then renames them. Encrypted files will have a new filename consisting of their old filename and the .piny extension added to the right. The authors of the virus demand a ransom in exchange for a pair – a key and a decryptor, which are necessary for decrypting the files. Fortunately, a group of security researchers created a free decryptor that can help virus victims decrypt files and unlock their contents for free. Scroll down to find out more about the decryptor, where to download it and how to use it to decrypt .piny files.

Piny virus

Piny virus is a malware program created by criminals to encrypt files on a victim’s computer. It uses a long key and a strong encryption system, which virtually eliminates the possibility of decrypting files without a decryption key and decryptor. Encrypted files are useless, their contents cannot be read or used in any way.

Piny was created to infect computers running Windows OS. Most often, victims infect their computer by downloading and installing this malware that is disguised as free software, cracks, key generators, torrents files and so on. Upon execution, the downloaded file installs a ransomware instance on the victim’s computer.

Once installed, Piny virus collects information about the victim’s computer and then tries to establish a connection with its command-and-control (C&C) server. If the connection is successful, then the virus uses the so-called ‘online key’ to encrypt files. This key is unique to each computer. If a connection to its C&C has not been established, Piny uses the so-called ‘offline key’. This key is the same for all victims and for all infected computers.

All files on the victim’s computer are the target of Piny virus. Even data that is on USB drive or cloud storage can be encrypted. The virus skips and does not encrypt files that are in the Windows OS system directories, as well as files with the extension .ini, .bat, .sys, .dll, .lnk and the filename ‘_readme.txt’. All other user files will be encrypted, regardless of what is in the files. For example, files of the following types can be encrypted:

.sr2, .wot, .zabw, .xml, .eps, .wpt, .vcf, .dazip, .bc6, .wmv, .xlsx, .cdr, .wbd, .sidd, .r3d, .upk, .ncf, .der, .bar, .sis, .iwd, .js, .wpa, .rar, .xlsx, .wp, .asset, .dwg, .wb2, .wsh, .zdb, .ybk, .xls, .snx, .wsd, .menu, .w3x, .erf, .wpe, .indd, .arw, .wpd, .xbdoc, .wpd, .mdf, .x3f, .dmp, .sidn, .wma, .css, .dng, .wbm, .wmv, .d3dbsp, .slm, .wgz, .sum, .fpk, .lvl, .qdf, .flv, .wpb, .itl, .lrf, .apk, .wbc, .wbk, .rb, .hkx, .syncdb, .wotreplay, .xmind, .y, .mdb, .tax, .xx, .hplg, .layout, .csv, .raw, .mrwref, .mov, .vpk, .tor, .sid, .bik, .forge, .raf, .big, .xar, .mp4, .kdc, .zif, .crw, .ppt, .x3d, .xlk, .ntl, .wp4, .webp, .kdb, .wpg, .wbz, .jpe, .arch00, .zi, .xyw, .xpm, .rim, .sie, .nrw, .mpqge, .ai, .db0, .psk, .vfs0, .zw, .map, .yal, .xlsm, .3fr, .yml, .hkdb, .wps, .wp7, .dbf, .jpg, .xwp, .xlgc, .xf, .das, .re4, .pfx, .psd, .xls, .zip, .pkpass, .pef, .pdf, .xll, .wav, .bsa, .2bp, .dba, .esm, .p7c, .1st, .zip, .z, .3dm, .wsc, .vtf, .wcf, .blob, .docm, .wmd, .odt, .wdp, .1, .xy3, .accdb, .z3d, .3ds, .bkp, .ztmp, .gdb, .0, .7z, .rgss3a, .xdl, .lbf, .sb, .wpl, .ods, .wp5, .fos, .mdbackup, .wpw, .odc, .srf, .zdc, .m4a, .qic, .xbplate, .p12, .epk, .cas, .xlsb, .wbmp, .kf, .wps, .p7b, .orf, .doc, .vdf, .wdb, .itdb, .xld, .srw, .svg, .bay, .xdb, .wm, .xlsm, .m2, .wri, .ltx, .odb, .png, .crt, .t12, .x, wallet, .ibank, .fsh, .iwi, .xmmap, .py

Piny virus quickly encrypts files on the infected computer, and does this file by file in each directory that it finds on the drives connected to the computer. Encrypted files are easily visible, they have a new .piny extension and a blank icon. If the user tries to open such files, the Windows OS will report that it does not know how to do this and cannot find a program that can read files of this type. In addition to encrypted files, in each directory the victim will find another file. This file is named ‘_readme.txt’ and it contains a message from the authors of Piny virus.

The file ‘_readme.txt’ is a ransom note. In it, criminals report that the victim’s files are encrypted and the only way to decrypt them is to use a unique key and decryptor. Attackers demand a ransom in exchange for this key and decryptor. The ransom amount is $490 if the victim pays for it within 72 hours. Otherwise, the ransom is doubled, and becomes $980. Criminals do not leave any information on how to pay the ransom. They suggest that the victim write an email letter to them at one of the addresses listed in the ransom note. Piny authors promise to decrypt one file for free, but will do so if the file is small and does not contain any important information. Even if one file is decrypted, criminals cannot be trusted, there is no guarantee that after receiving the ransom they will provide the key and decryptor necessary for decrypting the files.

Threat Summary

Name	Piny
Type	Ransomware, File locker, Filecoder, Crypto virus, Crypto malware
Encrypted files extension	.piny
Ransom note	_readme.txt
Contact	helpmanager@firemail.cc, helpmanager@iran.ir
Ransom amount	$980,$490 in Bitcoins
Detection Names	Win32:MalwareX-gen [Trj], Trojan.Autoruns.GenericKD, Win32/Kryptik.GZMR, W32/Stop.GZMR, Ransom.Win32.Shade, Trojan.Stop.cd, Trojan-Ransom.Win32.Stop, RDN/Ransom, Ransom_Stop, TrojanRansom.Stop, Trojan.Win32.Z.Shade, Win.Ransomware.Stop
Symptoms	Your documents, photos and music fail to open. Your photos, documents and music have a wrong name, suffix or extension, or don’t look right when you open them. Your file directories contain a ‘ransom note’ file that is usually a _readme.txt file.
Distribution ways	Phishing emails that look like they come from a reliable source. Drive-by downloads (ransomware can infect the computer simply by visiting a web page that is running harmful code). Social media, such as web-based instant messaging programs. Malvertising campaigns.
Removal	Piny virus removal guide
Decryption	Free Piny Decryptor

 

In a ransom note, criminals report that encrypted files cannot be decrypted without a key and a decryptor. Unfortunately, this is true, the encryption algorithm that uses Piny virus locks the contents of encrypted files. Therefore, in any case, in order to decrypt the files, the victim needs a key and a decryptor.

Fortunately for each of the victims of Piny virus, there is a universal decryptor that can decrypt files encrypted with different versions of STOP (Djvu) ransomware. And since Piny is one of the variants of STOP (Djvu), this decryptor can decrypt .piny files. The only limitation of this decryptor is that it can decrypt files that were encrypted with an offline key. But even if the decryptor cannot decrypt the files, then there are several alternative ways to recover the data in the encrypted files.

How to remove Piny and Decrypt .piny files

If you find files with .piny extension on your computer, then the computer is the victim of ransomware attack. To unlock the contents of encrypted files, you need to take several steps. First you need to make sure that the computer does not contain malicious software, and only after that proceed to decrypt the files. In case when the decryption of the files failed, you need to use step 3, try to restore the files to their original state using several alternative methods. These methods do not require a key and decryptor. In order not to miss any part of the instructions, we recommend that you print it or open it on your smartphone.

1. Remove Piny ransomware virus
2. Decrypt .piny files
3. Alternative methods for recovering encrypted files

Remove Piny ransomware virus

The first thing we advise every victim of Piny virus is to check the computer for ransomware and other malware. This step is better not to skip. The reason is simple, if you do not remove Piny virus, then after the files are decrypted, it will encrypt them again. Moreover, do not forget that active malware is a breach in protecting your computer, criminals can access the entire computer, control your computer, or use your computer to hack into other computers.

We recommend using free malware removal tools to detect and remove Piny virus. Moreover, it is advisable to check the computer not with one tool but with two or more. So you can be sure that the ransomware is completely removed.

Remove Piny with Zemana

Zemana AntiMalware (ZAM) is a utility with which you can start to find and remove Piny virus. Of course, this program can remove not only ransomware, but also other active malicious software, including Trojans, spyware, adware, PUPs, worms. You can remove all found malware for free by simply pressing one key. More importantly, if you have problems with Piny removal, this program provides free online support.
 

• Visit the page linked below to download the latest version of Zemana AntiMalware.
  
  

  Zemana AntiMalware
  164033 downloads
  Author: Zemana Ltd
  Category: Security tools
  Update: July 16, 2019
  
• Double click on the downloaded file Zemana.AntiMalware.Setup.
• Follow the prompts. Once the installation is finished, Zemana will run automatically.
• Click ‘Scan’ to perform a system scan for Piny virus.
• After Zemana has finished scanning your PC, click ‘Next’ button.
• Restart your PC to complete Piny removal process.

Remove Piny with MalwareBytes AntiMalware (MBAM)

Another option to remove Piny ransomware is to use a program called MalwareBytes. We recommend this program to readers of our site for more than 10 years. This program will help you to fully scan the computer, find all parts of Piny virus and remove them for free.
 

• Download MalwareBytes from the link below.
  
  

  Malwarebytes Anti-malware
  326387 downloads
  Author: Malwarebytes
  Category: Security tools
  Update: April 15, 2020
  
• Close all programs and run the downloaded file.
• Follow the prompts.
• Once install is complete, click the “Scan Now” button.
• After the checking is finished, MalwareBytes will open a list of the found malware.
• Press “Quarantine Selected” button. Malwarebytes will now remove Piny related folders, files and registry keys.

To learn more about how to use MalwareBytes to remove Piny ransomware, we recommend that you read the following guide: How to use MalwareBytes.

Remove Piny from personal computer with KVRT

Kaspersky virus removal tool (KVRT) is a free malware removal tool. It can detect and remove ransomware, trojans, spyware, adware, worms, and other security threats. KVRT is powerful enough to find and remove malicious registry entries and files that are hidden on the system.
 

• Download Kaspersky virus removal tool from the link below.
  
  

  Kaspersky virus removal tool
  129057 downloads
  Author: Kaspersky® lab
  Category: Security tools
  Update: March 5, 2018
  
• Double-click on the downloaded file, follow the prompts.
• Once initialization process is finished, click Start scan button to start scanning the system for Piny virus.
• When the scan is complete, click the Continue button to remove the found malware.

If you want to know more about Kaspersky virus removal tool, how to use it to remove Piny virus, then read the following article: How to use Kaspersky virus removal tool.

Decrypt .piny files

Files with extension .piny are encrypted files. These files can only be decrypted using a key-decryptor pair. It is not possible to decrypt files in another way. The authors of Piny virus demand a ransom for the key and the decryptor. Of course, no one can guarantee that after paying the ransom, the victim will be able to decrypt the encrypted files. Security experts do not recommend paying a ransom, as this pushes criminals to create a new ransomware.

Fortunately for all victims of Piny virus, there is a free decryptor. It allows each victim to decrypt files encrypted with STOP ransomware. And since Piny is one of the variants of this ransomware, this decryptor can be used to decrypt .piny files.

To decrypt .piny files, use free STOP (Piny) decryptor

• Visit the page linked below to download STOP (Djvu) decryptor.
  STOP Djvu decryptor
• Scroll down to ‘New Djvu ransomware’ section.
• Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
• Run decrypt_STOPDjvu.exe, read the license terms and instructions.
• On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
• Click the ‘Decrypt’ button.

STOP (Piny) decryptor is a fantastic program that allows everyone to decrypt files for free. Unfortunately, at the moment, this decryptor can only decrypt files encrypted with ‘offline key’. If the files on the victim’s computer are encrypted with an online key, then they will be skipped, these files cannot yet be decrypted. Online keys are unique to each computer and cannot be determined by security researchers. Only the criminals own them.

How to find out which key was used to encrypt files

Since Piny decryptor only decrypts files encrypted with the offline key, each virus victim needs to find out which key was used to encrypt the files. Determining the type of key used is not difficult. Below we give two ways. Use any of them.

Find out the type of key using ‘_readme.txt’ file

• Open the ransom demand message (‘_readme.txt’ file).
• Scroll down to the end of the file.
• There you will see a line with the text ‘Your personal ID’.
• Below is a line of characters that starts with ‘0195’ – this is your personal id.

Find out the type of key using ‘PersonalID.txt’ file

• Open disk C.
• Open directory ‘SystemID’.
• Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the virus used to encrypt files.

The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Piny virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.

If STOP (Piny) decryptor displays message “Error: Unable to decrypt file with ID”, then two cases are possible why this happens:

1. piny files are encrypted with an ‘online key’, in this case, you need to use alternative methods to restore the contents of encrypted files;
2. piny files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers, in this case, you need to be patient and wait a while, in addition, you can also use alternative ways for recovering encrypted data;

Alternative methods for recovering encrypted files

Fortunately, in addition to using STOP (Piny) decryptor, there are several alternative ways to recover the contents of encrypted files. However, if you have not tried the decryptor, then try it first by following step 2 of this instruction, and then return here.

Alternative methods of file recovery do not use decryption, so there is no need for a key and decryptor. Before you begin, you must be 100% sure that the computer does not have active ransomware. Therefore, if you have not yet checked your computer for malware, do it right now, return to step 1.

Use shadow copies to recover .piny files

In some cases, you have a chance to restore the files that were encrypted by Piny virus. This is possible due to the use of a free utility called ShadowExplorer. It is a program that developed to obtain ‘shadow copies’ of files.

Installing the ShadowExplorer is simple. First you’ll need to download ShadowExplorer by clicking on the link below.

Once the downloading process is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed on the screen below.

Run the ShadowExplorer tool and then select the disk (1) and the date (2) that you want to restore the shadow copy of file(s) encrypted by the Piny crypto malware as shown below.

Now navigate to the file or folder that you want to recover. When ready right-click on it and click ‘Export’ button such as the one below.

Use PhotoRec to restore .piny files

Another alternative way to recover the contents of encrypted files is to use data recovery software. We suggest you pay attention to the program called PhotoRec. Photo Rec has all the necessary features for searching and restoring files and it is free.

Download PhotoRec by clicking on the link below. Save it directly to your MS Windows Desktop.

When downloading is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.

Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll display a screen such as the one below.

Choose a drive to recover as displayed on the image below.

You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music as displayed in the figure below.

Click File Formats button and specify file types to restore. You can to enable or disable the restore of certain file types. When this is finished, click OK button.

Next, press Browse button to select where recovered photos, documents and music should be written, then press Search.

Count of recovered files is updated in real time. All restored photos, documents and music are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.

When the restore is done, click on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as shown in the figure below.

All restored personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your restored files by extension and/or date/time.

How to protect your personal computer from Piny crypto virus

Most antivirus apps already have built-in protection system against the crypto malware. Therefore, if your system does not have an antivirus application, make sure you install it. As an extra protection, run the HitmanPro.Alert. HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.

HitmanPro.Alert can be downloaded from the following link. Save it on your MS Windows desktop.

Once the downloading process is finished, open the file location. You will see an icon like below.

Double click the HitmanPro Alert desktop icon. When the utility is started, you’ll be shown a window where you can choose a level of protection, as shown below.

Now click the Install button to activate the protection.

To sum up

This guide was created to help all victims of Piny ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .piny files; how to recover files, if STOP (Piny) decryptor does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.

If you have questions, then write to us, leaving a comment below. If you need more help with Piny related issues, go to here.