.Pezi file extension ransomware (Pezi File Recovery Guide)

What is Pezi file extension

.Pezi file extension is an extension that a new malware belonging to the STOP (Djvu) ransomware family appends to each encrypted file. Therefore, malware that changes the file extension to Pezi is called “Pezi ransomware”. This malware encrypts files on a computer, changes the name of encrypted files and creates many files with the name “_readme.txt” and the same contents, each of these files contains a ransom request. The Pezi ransomware authors demand a ransom in exchange for a key and a decryptor, which are necessary to decrypt the encrypted files. Some time ago, security researchers created a program to help decrypt files encrypted with the STOP (Djvu) ransomware, and since Pezi is one of the variants of this ransomware, you can use this program as a Pezi File Decrypt Tool.

Screenshot of files encrypted by Pezi virus (‘.pezi’ file extension)

Unfortunately, Pezi File Decrypt Tool cannot help in all cases of ransomware infection, so our team has developed several more methods that can help restore the contents of encrypted files for free.

What is Pezi ransomware

Pezi ransomware is a malicious program designed to encrypt files on a victim’s computer. As we said above, this malware belongs to the STOP (Djvu) family and is already the 228th variant of the STOP (Djvu) ransomware. Almost always, this malware penetrates the computer undetected when the user runs files downloaded from unsafe websites. The most common source of infection are cracked games, Windows and Microsoft Office activators, and other similar software.

Upon execution, Pezi copies itself to the Windows system directory, changes some OS settings and collects information about the infected computer. Then the malware tries to establish a connection with its control server. If the connection was established, the Pezi ransomware sends information about the infected computer to the server. The server processes the received information, and then sends the key, which must be used to encrypt files. Such an encryption key is called an online key and this key is unique for every ransomware infection. If the malware was unable to establish a connection with its server, then it uses a fixed key, and this key is the same for all infected computers (so-called ‘offline key’).

The type of key is a very important point, since at the moment only files encrypted with an offline key can be decrypted, and only after the key is obtained by the security researchers. Security researchers have already obtained many offline keys for different variants of the STOP (Djvu) ransomware.

What is Pezi file

A file with the extension “Pezi” is a file encrypted by the Pezi ransomware. This means that the file is locked, its contents cannot be accessed in any way. If you rename the file, delete its extension, it will not be able to unlock its contents, it will remain encrypted. This is because the malware uses an encryption algorithm with a long key, so it is impossible to find out this key or determine it using an encrypted and unencrypted file. This ransomware encrypts all files located on the computer, which means that files located on local disks and files on connected network storage will be encrypted. Each encrypted file gets a new name, which consists of its old and the “.pezi” extension appended to the right. There is a small exception, the malware does not encrypt files with the name “_readme.txt”, files located in the Windows system directories, as well as files that have the “.dll, .lnk, .bat, ini, .sys” extension. Thus, the following types of files can be encrypted:

.wmv, .wsd, .xpm, .indd, .txt, .odc, .ncf, .rofl, .zabw, .x3d, .doc, .ods, .zi, .x, .rtf, .xmind, .sum, .xll, .ibank, .itdb, .accdb, .arch00, .wb2, .dxg, .mpqge, .wpb, .big, .iwi, .p12, .dazip, .wbmp, .wgz, .bsa, .wpw, .zdc, .wmo, .wav, .jpe, .wpa, .forge, .y, .js, .sid, .rw2, .z, .dbf, .xls, .ysp, .epk, .wpd, .z3d, .bc6, .wp5, .sav, .xyp, .map, .itm, .rim, .sis, .0, .mef, .kdc, .wbk, .sr2, .wire, .sb, .jpeg, .sql, .blob, .mp4, .pem, .arw, .orf, .xbplate, .bik, .cr2, .rwl, .bkp, .pkpass, .xyw, .wpl, .wn, .dmp, .wsc, .wpe, .lvl, wallet, .wpg, .snx, .wmd, .vtf, .css, .t13, .vdf, .re4, .zip, .3ds, .mdb, .crw, .cer, .odb, .rb, .vpp_pc, .pak, .lrf, .m2, .cfr, .bar, .cas, .rar, .pptx, .zif, .db0, .ai, .wp7, .kf, .wps, .kdb, .mddata, .sidn, .srf, .avi, .psd, .xlk, .wotreplay, .2bp, .xbdoc, .m3u, .erf, .wdb, .hkdb, .xmmap, .zw, .dba, .der, .wma, .csv, .qic, .sidd, .pdd, .xld, .x3f, .layout, .wp6, .xy3, .fsh, .esm, .wpt, .png, .menu, .wps, .ff, .wbd, .litemod, .fos, .3dm, .vcf, .odp, .docm, .wp, .mdbackup, .mcmeta, .pef, .py, .eps, .apk, .ntl, .itl, .upk, .slm, .w3x, .mdf, .p7b, .pptm, .ybk, .mrwref, .odt, .das, .wmv, .pfx, .qdf, .webp, .tor, .asset, .3fr, .vpk, .syncdb, .p7c, .r3d, .lbf, .t12, .ppt, .zip, .docx, .ptx, .mov, .bc7, .raw, .xf, .wbm, .xlsm, .webdoc, .hkx, .xar, .nrw, .1st, .svg, .xlsb, .wbc, .bay, .srw, .xwp, .dcr, .xxx, .xlsx, .vfs0, .wm, .psk, .gho, .wcf, .odm, .wmf, .dng, .dwg, .zdb, .jpg, .xdl, .tax, .xlgc, .yal, .xml, .wbz, .desc, .ws, .hplg, .pst, .wma, .sie, .xls, .flv, .x3f, .wsh, .wri, .mlx, .hvpl, .1, .icxs

In directories where there are encrypted files, the Pezi ransomware drops files called “_readme.txt”. These files contain a message from the Pezi authors. The content of all files with this name is the same and does not depend on which directory the file is in.

Screenshot of the contents of ‘_readme.txt’ file (ransom demand message)

This file is a ransom demand message. Almost any ransomware leaves a similar message on the infected computer. In this message, the criminals report that the files on the computer are encrypted and demand a ransom in exchange for the key and the decryptor. The Pezi authors demand $980 for a key and a decryptor pair, but at the same time they promise to reduce the ransom by half if the ransom is paid within 72 hours. To demonstrate to the owner of an infected computer that encrypted files can be decrypted, attackers offer the victim to send one encrypted file to the address specified in the ransom request. Attackers promise to decrypt this file for free.

Threat Summary

According to the security researchers, the Pezi ransomware uses a strong encryption algorithm and therefore it is impossible to decrypt .pezi files without a key. Fortunately, there is a Pezi File Decrypt Tool that can decrypt files, but only if the files are encrypted with an offline key and the key itself has already been found. Moreover, our team has developed several methods, each of which gives a chance to restore the contents of encrypted files. But in any case, before you try to decrypt .pezi files or restore the contents of encrypted files, you need to remove the Pezi ransomware or be 100% sure that the malware is completely deleted. In order not to miss any important part of this manual, we recommend that you open it in your smartphone or bookmark this page.

How to remove Pezi ransomware

You can remove the Pezi ransomware by yourself, since it is not difficult to do. But keep in mind that this ransomware most often penetrates the computer as part of a whole set of malware, which means that to be completely sure that there is no more malware on the computer, you need to scan the computer using antivirus or antimalware software.

It is very important to check the computer, as security researchers report that along with the Pezi ransomware, another malware (spyware) is often installed on the computer that steals the user’s personal information, such as passwords, logins, contact details, etc. We recommend using free malware removal tools. If you have any difficulty removing the Pezi ransomware, then let us know in the comments, we will try to help you.

To remove Pezi ransomware, use the steps below:

1. Kill the Pezi ransomware process
2. Disable the Pezi ransomware Start-Up
3. Delete the Pezi ransomware Task
4. Scan computer for malware

Kill the Pezi ransomware process

Press CTRL, ALT, DEL keys together.

Click Task Manager. Select the “Processes” tab, look for something suspicious that is the Pezi ransomware then right-click it and select “End Task” or “End Process” option.

A process is particularly suspicious: it is taking up a lot of memory (despite the fact that you closed all of your programs, its name is not familiar to you (if you are in doubt, you can always check the program by doing a search for its name in Google, Yahoo or Bing).

Disable the Pezi ransomware Start-Up

Select the “Start-Up” tab, look for something similar to the one shown in the example below, right click to it and select Disable.

Close Task Manager.

Delete the Pezi ransomware Task

Type “Task Scheduler” in the search bar. Click Task Scheduler app in the search results. Click “Task Scheduler Library” in the left panel. On the right panel, right-click to “Time Trigger Task” and select Delete.

Close Task Scheduler.

Scan computer for malware

Now we strongly recommend scanning your computer for malware. This will help you remove all ransomware components, as well as find and remove spyware, trojans and other malware that could be installed on your computer with it. A simple and easy way to find and remove malware is to use Zemana Anti-Malware. This program will help you get rid of malware for free. If you want to be 100% sure that the computer no longer contains ransomware, then use, in addition to Zemana Anti-Malware, several other malware removal tools, such as Malwarebytes and Kaspersky Virus Removal Tool.

1. Download Zemana AntiMalware by clicking on the link below.
   
   

   Zemana AntiMalware
   164030 downloads
   Author: Zemana Ltd
   Category: Security tools
   Update: July 16, 2019
   
2. Run the downloaded dile and follow the prompts.
3. Once the setup is complete, click ‘Scan’ button to scan for the Pezi ransomware and other malware.
4. When Zemana Anti-Malware completes the scan, you can check all threats detected on your personal computer. Make sure all threats have ‘checkmark’ and press ‘Next’ button.
5. Zemana may require a restart machine in order to complete the Pezi ransomware removal process.

How to decrypt .pezi files

All files with .pezi extension are encrypted and the only way to access their contents is to decrypt them. To decrypt .pezi files, you need to use a unique key and decryptor. As we said above, Emsisoft company was able to create a decryptor and found a way in some cases to determine the key that was used to encrypt the files. This allows ransomware victims to decrypt .pezi files for free.

Pezi File Decrypt Tool (STOP Djvu decryptor)

To decrypt .pezi files, use Pezi File Decrypt Tool

• Download Pezi File Decrypt Tool from the following link.
  STOP Djvu decryptor
• Scroll down to ‘New Djvu ransomware’ section.
• Click the download link and save the decrypt_STOPDjvu.exe file to your desktop.
• Run decrypt_STOPDjvu.exe, read the license terms and instructions.
• On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
• Click the ‘Decrypt’ button.

Pezi File Decrypt Tool is a free tool that can decrypt files that were encrypted with an offline key, as Emsisoft found a way to find this key. Unfortunately, files encrypted with an online key cannot yet be decrypted. The online key is unique to each infected computer, and at the moment there is no way to find this key. Of course, criminals have this key, but we do not think that paying a ransom is a way to decrypt .pezi files. In the case when the files are encrypted with an online key, there is a chance to restore the encrypted files using alternative methods, which are described below.

This video step-by-step guide will demonstrate How to decrypt files locked by the Pezi rasnomware.

How to find out which key was used to encrypt files

Below we show two ways to help you determine what type of key was used to encrypt the files. This is very important, since the type of key determines whether it is possible to decrypt .pezi files for free. We recommend using the second method, as it is more accurate. The following video step-by-step guide will demonstrate How to find out the type of a key:
 

The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Pezi ransomware virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.

Pezi File Decrypt Tool : “No key for New Variant offline ID”

If during decryption of .pezi files the decryptor reports No key for New Variant offline ID, then this means the following: your files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers, in this case, you need to be patient and wait a while, in addition, you can also use alternative ways for recovering encrypted data. It is impossible to say exactly when the ‘offline key’ will be determined. Sometimes it takes several days, sometimes more. We recommend that you try to decrypt .pezi files from time to time. You can also use alternative ways listed below for recovering encrypted data.

Pezi File Decrypt Tool : “No key for New Variant online ID”

If, when you try to decrypt .pezi files, the decryptor reports No key for New Variant online ID, then this means that your files are encrypted with an ‘online key’ and their decryption is impossible, since only the Pezi authors have the key necessary for decryption. In this case, you need to use alternative methods listed below to restore the contents of encrypted files.

How to restore .pezi files

If your files were encrypted with .pezi extension, then there is a chance that you can recover the files without decryption. We recommend using PhotoRec and ShadowExplorer that are designed to find and recover lost and deleted data. Mostly such programs are paid, but these tools can restore your files for free. Each of these tools has helped many times to recover files after ransomware infection in what would seem to be the most hopeless cases. We want to remind you that before you try to recover files, you need to scan your computer for ransomware using free malware removal tools. It is very important to find the Pezi virus and completely remove it.

Restore .pezi encrypted files using Shadow Explorer

A free utility called ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of Microsoft Windows 10 (8, 7 , Vista). You can restore photos, documents and music encrypted by The Pezi ransomware from Shadow Copies for free.
 

• Download the latest version of ShadowExplorer from the following link:
  
  

  ShadowExplorer
  438663 downloads
  Author: ShadowExplorer.com
  Category: Security tools
  Update: September 15, 2019
  
• Extract the saved file to a folder on your computer.
• Run ShadowExplorerPortable.
• Select the date and the drive.
• On right panel navigate to the file (folder) you wish to restore.
• Right-click to the file or folder and press the Export button.

To learn more about how to use ShadowExplorer to recover .repp files, read the guide linked below.
How to Recover encrypted files from Volume shadow copies

Recover .pezi files with PhotoRec

The last chance to restore encrypted files to their original state is using data recovery tools. We recommend a free tool called PhotoRec. It has all the necessary functions to restore the contents of encrypted files. It helped many victims recover data when it seemed like there was no more hope.

Download PhotoRec from the following link. Save it to your Desktop.

PhotoRec
220572 downloads
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

When the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the image below.

Double click on qphotorec_win to run PhotoRec for Windows. It will open a screen as on the image below.

Select a drive to recover such as the one below.

You will see a list of available partitions. Select a partition that holds encrypted files as displayed on the image below.

Click File Formats button and choose file types to restore. You can to enable or disable the recovery of certain file types. When this is done, press OK button.

Next, press Browse button to choose where recovered documents, photos and music should be written, then click Search. We recommend that you use an external drive to write recovered files!

Count of recovered files is updated in real time. All restored personal files are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.

When the restore is done, click on Quit button. Next, open the directory where restored photos, documents and music are stored. You will see a contents as shown in the following example.

All recovered photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your restored files by extension and/or date/time.

This video step-by-step guide will demonstrate How to recover encrypted files using PhotoRec.

How to protect your personal computer from Pezi ransomware

Most antivirus software already have built-in protection system against the ransomware virus. Therefore, if your personal computer does not have an antivirus application, make sure you install it. As an extra protection, run the HitmanPro.Alert. All-in-all, HitmanPro.Alert is a fantastic utility to protect your system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of MS Windows OS from MS Windows XP to Windows 10.

Click the link below to download HitmanPro.Alert. Save it to your Desktop.

HitmanPro.Alert
6826 downloads
Author: Sophos
Category: Security tools
Update: March 6, 2019

After the downloading process is finished, open the file location. You will see an icon like below.

Double click the HitmanPro Alert desktop icon. After the utility is launched, you will be shown a window where you can select a level of protection, as displayed below.

Now press the Install button to activate the protection.

Finish words

This guide was created to help all victims of Pezi ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .pezi files; how to recover files, if the Pezi File Decrypt Tool does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.

If you have questions, then write to us, leaving a comment below. If you need more help with Pezi related issues, go to here.