Remove PewPew ransomware

PewPew ransomware, also known as Abkir file-encrypting malware, is a dangerous malware infection that encrypts files. Discovered by cybersecurity researcher GrujaRS, the malware assigns an ID to the victim and adds .[].abkir to all encrypted files. It drops an info-decrypt.hta ransom note.



PewPew ransomware can also be referred to as Abkir ransomware due to the extension it adds to files it encrypts. It’s a dangerous piece of malware because encrypted files are not always recoverable without paying huge sums of money. Once files are encrypted, users will be unable to open them, unless they first decrypt them with a special decryptor. The cyber crooks behind this ransomware will offer to sell the decryptor, though the price is not mentioned in the ransom note, just that “the price depends on how fast you write to us”.

Unfortunately, without that decryptor, it’s currently not possible to decrypt files. Nonetheless, it’s not recommended for users to pay the ransom. Cyber crooks are not to be trusted, and victims may well receive nothing after paying. This has happened many times in the past with various ransomware gangs. Not getting a decryptor, or getting a faulty one, is particularly likely when dealing with new ransomware, such as PewPew.

The only way users can recover files is if they backed them up before the files were encrypted. Ransomware is one of the reasons why backing up files regularly is so important. Victims who did back up files can start file recovery as soon as they delete PewPew ransomware from their computers.

What does PewPew ransomware do?

PewPew ransomware is a pretty typical ransomware. It encrypts videos, documents, and other files, and adds the .abkir file extension. More specifically, it adds an id.[].abkir extension. Users have unique IDs, so the beginning of the extension will differ from user to user. For example, image.jpg would become image.jpg.idXXXXXX.[].abkir. Once the encryption process is complete, the ransomware drops two ransom notes, info-decrypt.txt and info-decrypt.hta. The pop-up ransom note displays the victim’s ID, which is needed when contacting these cyber crooks, and explains that the ransom must be paid in Bitcoins in order to get the decryptor. Victims are asked to send an email to, or to if they don’t get a response in 24 hours. However, we do not recommend paying the ransom, or even contacting them. There really are no guarantees that victims will get a working decryptor.
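The naming scheme above can be used to scope the damage and build a restore list before recovering from backup. The following read-only triage script is an added example, not part of the original article; it assumes the ID after "id" contains no dots, and the sample file names and the contact@example.invalid address are constructed placeholders.

```python
import os
import re
import tempfile
from collections import Counter

# Naming scheme described in the article: <original>.id<victim ID>.[<contact>].abkir
# Assumption: the ID contains no dots and the bracketed part contains no "]".
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)\.id(?P<victim_id>[^.]+)\.\[(?P<contact>[^\]]*)\]\.abkir$",
    re.IGNORECASE)
RANSOM_NOTES = {"info-decrypt.txt", "info-decrypt.hta"}

def parse_encrypted_name(filename):
    """Return (original_name, victim_id) for an encrypted file name, else None."""
    m = ENCRYPTED_RE.match(filename)
    return (m.group("original"), m.group("victim_id")) if m else None

def triage(root):
    """Walk root and build a restore inventory; no file is opened or modified."""
    report = {"encrypted": [], "notes": [], "ids": set(), "by_dir": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            parsed = parse_encrypted_name(name)
            if parsed:
                # Pair the encrypted copy with the path to restore from backup.
                report["encrypted"].append((full, os.path.join(dirpath, parsed[0])))
                report["ids"].add(parsed[1])
                report["by_dir"][dirpath] += 1
            elif name.lower() in RANSOM_NOTES:
                report["notes"].append(full)
    return report

def build_sample_tree(root):
    """Constructed sample data: empty files named the way the article describes."""
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("image.jpg.idA1B2C3.[contact@example.invalid].abkir",
                "docs/report.docx.idA1B2C3.[].abkir",
                "docs/untouched.txt", "info-decrypt.txt", "info-decrypt.hta"):
        open(os.path.join(root, *rel.split("/")), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = triage(tmp)
        for encrypted, original in result["encrypted"]:
            print(f"restore from backup: {original}  (encrypted copy: {encrypted})")
        print("ransom notes:", result["notes"])
        print("victim IDs seen:", sorted(result["ids"]))
```

More than one victim ID in the output would suggest more than one infection of the scanned tree, and the per-directory counts show where restoration effort is concentrated.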

Here is one of the PewPew ransomware ransom notes:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail :
Write this ID in the title of your message : –
In case of no answer in 12 hours write us to this e-mail : pewpew@Protonmail.Com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Currently, the only way to recover files is from backup. But it should be mentioned that malware researchers/anti-virus vendors do release free decryptors to help victims, so one for PewPew ransomware may become available in the future. NoMoreRansom and Emsisoft are good sources for safe ransomware decryptors.

Ransomware distribution

PewPew ransomware uses the standard ransomware distribution methods, such as spam emails, torrents, software cracks, etc.

Spam email is usually how users end up infecting their computers with ransomware. Users whose email addresses have been leaked and sold on hacker forums frequently become victims of spam email campaigns that spread all kinds of malware. Those emails are usually quite obvious, however. They contain an abundance of grammar and spelling mistakes, are sent from completely random-looking email addresses, and just seem off somehow. Users should be able to recognize spam as long as they know what to look for. As a precaution, it’s a good idea to scan all unsolicited email attachments with anti-virus software or VirusTotal.

Victims could have also picked up PewPew ransomware by downloading torrents and software cracks. Torrent sites are notoriously unregulated, which allows cyber criminals to easily disguise malware as movies, games, TV shows, etc.

PewPew ransomware removal

It is strongly suggested to use anti-malware software to remove PewPew ransomware. If users attempt manual PewPew ransomware removal, they may end up doing even more damage. Once the ransomware is gone, users can access their backup to recover files.

PewPew ransomware is detected as:

  • UDS:DangerousObject.Multi.Generic by Kaspersky
  • Artemis!202BF9BE9A4E by McAfee
  • Ransom:Win32/Higuniel.A by Microsoft
  • FileRepMalware by AVG
  • A Variant Of Win32/Packed.Enigma.DS by ESET