Tfude ransomware removal instructions
What is Tfude?
Discovered by Michael Gillespie, Tfude is classified as a ransomware-type computer infection. This malicious program is a new variant of Djvu ransomware. Like most viruses of this type, it affects systems by encrypting stored data (blocking access to it) and keeping it in this state until victims purchase a decryption tool (in effect, pay a ransom). The virus renames all encrypted files by adding the ".tfude" extension (updated versions use ".tfudet"). For example, "1.jpg" becomes "1.jpg.tfude". It also generates a ransom message within a text file called "_openme.txt" and disables Task Manager. During encryption, Tfude displays a fake Windows Update pop-up window.
In the "_openme.txt" ransom-demand message, cyber criminals state that all files (photos, documents, databases, and so on) are encrypted with the strongest encryption algorithm. The only way to retrieve files is to purchase a decryption tool, a unique decryption key. As 'proof' that Tfude ransomware developers have the tool required, they offer free decryption of one file (that does not contain any valuable information). Furthermore, they even offer a 50% discount for victims who contact them within 72 hours following encryption. Therefore, the size of the ransom depends on how quickly cyber criminals are contacted. To receive further details, victims are encouraged to contact them via the email@example.com or firstname.lastname@example.org email addresses. The email must contain the assigned personal ID. Tfude's victims are also warned not to use any other (third party) decryption tools, since this might result in permanent data loss. Typically, cyber criminals use cryptography algorithms (symmetric or asymmetric) that generate unique decryption keys. They store these keys on remote servers and only they have access to them. In summary, decryption without the involvement of cyber criminals is impossible, since they have the tools required for successful decryption. There are currently no tools capable of decrypting Tfude's encryption free of charge. Therefore, use an existing data backup if you have one, and restore files from there.
Screenshot of a message encouraging users to pay a ransom to decrypt their compromised data:
Pdff, XARCryptor, and Ahihi are ransomware-type infections that are very similar to Tfude. There are many others. Cyber criminals often use these programs to encrypt data and make ransom demands. Typically, the main differences are encryption algorithm used and cost of decryption tool/key. Unfortunately, ransomware developers use cryptographies that cannot be 'cracked'. People with computers infected by these viruses are encouraged to contact cyber criminals. In some cases, malicious programs of this type are not fully developed, have some bugs/flaws, etc. and, therefore, files can sometimes be retrieved. In any case, to prevent data loss, we recommend that you maintain regular backups and store them on remote servers or unplugged storage devices, otherwise backups will be encrypted with other data.
How did ransomware infect my computer?
There are several ways that cyber criminals use to infect computers with ransomware-type viruses including spam email campaigns, fake software updaters, dubious software download sources, and trojans. Email campaigns proliferate ransomware (or other infections) through malicious attachments. Once opened, these attachments download and install malware. They are usually Microsoft Office documents, archive or executable files, PDF documents, and so on. Fake software updaters tools usually infect systems by exploiting flaws/bugs of outdated software or download (and install) viruses rather than the promised updates or fixes. Dubious software download channels such as P2P networks (torrents, eMule, etc.), freeware download websites, free file hosting websites, and other similar sources present malicious executables as legitimate files. Using these tools, cyber criminals trick users into downloading and installing viruses rather than the expected software. Trojans (malicious programs) proliferate other viruses, thus causing chain-infections. If a trojan installed, it is possible that it also caused a ransomware-type virus.
|Threat Type||Ransomware, Crypto Virus, Files locker|
|Symptoms||Can't open files stored on your computer, previously functional files now have a different extension, for example my.docx.locked. A ransom demanding message is displayed on your desktop. Cyber criminals are asking to pay a ransom (usually in bitcoins) to unlock your files.|
|Distribution methods||Infected email attachments (macros), torrent websites, malicious ads.|
|Damage||All files are encrypted and cannot be opened without paying a ransom. Additional password stealing trojans and malware infections can be installed together with a ransomware infection.|
To eliminate Tfude virus our malware researchers recommend scanning your computer with Spyhunter.
How to protect yourself from ransomware infections?
To avoid computer infections, be very cautious when browsing the web, installing/downloading and updating software. Avoid opening attachments presented in irrelevant emails. If the attachment is presented in an email sent from an unknown, suspicious email address, ignore it and do not open it. The same applies to web links. Keep software updated, however, use implemented functions or tools provided by official developers only. Do not download software from untrustworthy and unofficial websites, or using third party downloaders. Third party download/installation set-ups often contain rogue software that might cause infections (or other problems). Finally, have reputable anti-spyware/anti-virus software installed and keep it enabled. If your computer is already infected with Tfude, we recommend running a scan with Spyhunter for Windows to automatically eliminate this ransomware.
Text presented in Tfude ransomware text file ("_openme.txt"):
------------------------ ALL YOUR FILES ARE ENCRYPTED ------------------------
Don't worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don't try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID:
Screenshot of a fake Windows Update pop-up window that appears during the encryption process:
Screenshot of files encrypted by Tfude (".tfude" extension):
Update January 17, 2019 - Michael Gillespie has updated STOPDecrypter, which is now capable of restoring data with the following extensions: ".djvu", ".djvuq", ".djvur", ".djvut", ".djvuu", ".pdff", ".tfude", ".tfudeq", ".tro", ".udjvu", and ".tfudet". You can download the decrypter by clicking this link.
Screenshot of the STOPDecrypter:
Michael states that users should take the following notes:
This decrypter currently only works for personal ID 6se9RaIxXF9m70zWmx7nL3bVRp691w4SNY8UCir0 (the offline key used if the malware failed to get a key from its server), or if you have the key.
If you were provided a key by kNN or myself, you may enter it via the Settings -> Set Djvu Key option; note that entering anything incorrect to this will destroy data, so don't try to be "clever". For "Personal ID", it will accept either the 40 character string at the end of files (not the one in braces, the string just before that), or the 43 character string in the ransom note. The bruteforcer will also explicitly reject this variant, as there is no way of bruteforcing the key at the present time; so don't even waste your time trying to fool it (the feature is for the .puma* variants, and isn't really a "bruteforce" anyways).
The decrypter will only attempt to decrypt a file with a known ID (either the hardcoded one or one you provide with a key); any others will be reported and logged, with instructions to archive it in hopes of future decryption.
If the decrypter detects IDs it could not decrypt, it will display them, along with your MAC addresses for easy archiving (assuming it is ran from the infected PC). It is also logged for you.
Tfude ransomware removal:
Instant automatic removal of Tfude virus:
Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Spyhunter is a professional automatic malware removal tool that is recommended to get rid of Tfude virus. Download it by clicking the button below:
- What is Tfude?
- STEP 1. Tfude virus removal using safe mode with networking.
- STEP 2. Tfude ransomware removal using System Restore.
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.
Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.
Video showing how to start Windows 8 in "Safe Mode with Networking":
Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.
Video showing how to start Windows 10 in "Safe Mode with Networking":
Log in to the account infected with the Tfude virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.
Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":
1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.
2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.
3. Next, type this line: rstrui.exe and press ENTER.
4. In the opened window, click "Next".
5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the Tfude ransomware virus infiltrating your PC).
6. In the opened window, click "Yes".
7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Tfude ransomware files.
To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Tfude are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.
To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.
If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.
To protect your computer from file encryption ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and EasySync CryptoMonitor, which artificially implant group policy objects into the registry to block rogue programs such as Tfude ransomware.
Note that Windows 10 Fall Creators Update includes a "Controlled Folder Access" feature that blocks ransomware attempts to encrypt your files. By default, this feature automatically protects files stored in the Documents, Pictures, Videos, Music, Favorites as well as Desktop folders.
Windows 10 users should install this update to protect their data from ransomware attacks. Here is more information on how to get this update and add an additional protection layer from ransomware infections.
HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user-intervention:
Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:
- The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.
Other tools known to remove Tfude ransomware: