
PEC 2017 Virus – Remove It and Restore .Pec Files

This article will aid you in removing the PEC 2017 ransomware fully. Follow the ransomware removal instructions given at the bottom of the article.

The PEC 2017 ransomware targets Italian-speaking users with spam mail. The e-mail carries an attached document that serves as the entry point for the ransomware. It will encrypt your files, appending the .pec extension to them. When a computer gets infected, the PEC 2017 virus will place a ransom note, written in Italian, in a .html file on your Desktop. Read on to see how you can potentially recover some of your files.

Threat Summary

Name: PEC 2017
Type: Ransomware, Cryptovirus
Short Description: The ransomware virus will encrypt your files and leave a ransom note written in Italian with payment instructions on your Desktop.
Symptoms: The ransomware will encrypt your files while appending the .pec extension to them.
Distribution Method: Spam Emails, Email Attachments

PEC 2017 Ransomware – Spread

Malware researchers have found that the PEC 2017 ransomware spreads mainly through spam e-mails. A file inside those e-mails serves as a payload dropper and exploits the CVE-2017-0199 vulnerability in Windows. Samples of the ransomware have been submitted for analysis to the Payload Security and VirusTotal services. The screenshot of the VirusTotal site below shows the detections of some security vendors for a payload file called “stylesheet.rtf”:

The payload script for PEC 2017 ransomware is launched from a document file attached to a spam e-mail, more precisely a Rich Text Format document. You can see the content of that document in the image below:

The document looks like a CV (Curriculum Vitae) of an Italian, looking for a job.

Beware, as the PEC 2017 cryptovirus might also be spread with the help of social media or file-sharing networks. Bundled freeware applications could seem helpful but contain a script for that Windows exploit as well. Don’t open downloaded files before scanning them with a security tool. Also, you should read the ransomware prevention tips in our forum.

PEC 2017 Virus – More Information

PEC 2017 is the name given to a new strain of ransomware, which evidently targets Italian users, and more specifically, Italian businesses. Its payload is inside a document file that is disguised as the CV of a person looking for work. If your PC is infected, your files get encrypted and all of them receive the .pec extension.

The PEC 2017 ransomware could make entries in the Windows Registry aiming to achieve a higher level of persistence. Those registry entries are typically designed in a way that will start the virus automatically with each launch of the Windows Operating System. An example of such an entry is the following:

→“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run”

The ransom note will be dropped after the encryption process is finished. The note provides instructions on how you could get your files restored. The note of PEC 2017 is placed on your Desktop inside a file called “AIUTO_COME_DECIFRARE_FILE.html”. You can preview its contents in the screenshot below:

The ransom message from that .html file reads as follows:

PEC 2017
Informazioni su come decifrare i file
I tuoi file sono stati cifrati dal sistema PEC 2017 con crittografia AES 256.
PEC non è decifrabile da nessun software e da nessun antivirus.
Come recuperare i dati criptati
Unico modo per recuperare i dati danneggiati è acquistare il software di recupero PEC CLEANER.
Quando hai ottenuto il software potrai procedere al recupero ed il ripristino dei file danneggiati.
Con lo stesso software potrai decriptare tutti i file danneggiati anche quelli nei dischi esterni o di rete.
Avvertenze
Non utilizzare alcun software antivirus o di decrypt in quanto non solo non efficaci, ma potrebbero compromettere per sempre il recupero dei dati.
Con PEC Cleaner potrai recuperare tutti i tuoi dati perfettamente funzionanti e senza attese.
Come acquistare PEC CLEANER
contatta il produttore del software di decrypt per acquisto della licenza e download del programma:
[email protected] com
La tua chiave di sblocco è
DD9D5A4143317432EFE883DBE50DA394FB5B78CBDD78C71E7E1EBD83236A9911449F1D55AF23
Il software verrà reso disponibile al download entro 24 ore dal pagamento e ti consentirà il ripristino immediato dei dati.

A rough machine translation in English of that text is:

PEC 2017
Learn how to decrypt files
Your files have been encrypted by the PEC 2017 system with AES 256 encryption.
PEC is not decipherable by any software and no antivirus.
How to recover encrypted data
The only way to recover corrupted data is to purchase PEC CLEANER Recovery Software.
Once you have obtained the software, you will be able to recover and restore the corrupted files.
With the same software you can decrypt all damaged files even those on external or network disks.
Warnings
Do not use any antivirus or decryption software, as it is not only ineffective but could permanently compromise the recovery of your data.
With PEC Cleaner you can recover all your data in perfect working order and without waiting.
How to Buy PEC CLEANER
Contact the decrypt software manufacturer to purchase the license and download the program:
[email protected]
Your unlock key is
DD9D5A4143317432EFE883DBE50DA394FB5B78CBDD78C71E7E1EBD83236A9911449F1D55AF23
The software will be available for download within 24 hours of your payment and will allow you to restore your data immediately.

The ransom note is written to scare people and persuade them to pay a ransom. The developer of the PEC 2017 virus wants you to contact them at an address on the encrypted mail service ProtonMail.

However, you should NOT under any circumstances pay anything to the cybercriminals, nor contact them. Nobody can give you a guarantee that you will get your files decrypted if you pay up, plus you might further motivate them to do more criminal acts, like developing more ransomware if they see they can profit from it.

PEC 2017 Virus – Encryption Process

PEC 2017 ransomware will probably search for and encrypt files of the most commonly used file types in Microsoft Windows. Those file types carry the following extensions:

→.7z, .bmp, .doc, .docm, .docx, .html, .jpeg, .jpg, .mp3, .mp4, .pdf, .php, .ppt, .pptx, .rar, .rtf, .sql, .tiff, .txt, .xls, .xlsx, .zip

The algorithm which is used for the encryption of your files is AES 256-bit or at least that is stated in the ransom message.
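To scope an infection, the indicators named in this article (the .pec extension, the ransom note file name and the list of targeted extensions) can be searched for on a disk or share. The following Python sketch is an added example, not taken from any vendor tool; it assumes the extension is appended after the original one (as in "report.docx.pec") and runs against a constructed sample tree of empty files:

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators quoted in the article.
ENCRYPTED_EXT = ".pec"
RANSOM_NOTE = "AIUTO_COME_DECIFRARE_FILE.html"
LISTED = set(".7z .bmp .doc .docm .docx .html .jpeg .jpg .mp3 .mp4 .pdf .php "
             ".ppt .pptx .rar .rtf .sql .tiff .txt .xls .xlsx .zip".split())


def scan_for_pec(root):
    """Walk root; return (encrypted file paths, ransom note paths)."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if name.lower() == RANSOM_NOTE.lower():
                notes.append(full)
            elif full.suffix.lower() == ENCRYPTED_EXT:
                encrypted.append(full)
    return encrypted, notes


def original_extensions(encrypted):
    """Tally the extension in front of .pec (assumes 'report.docx.pec' naming)."""
    tally = Counter()
    for path in encrypted:
        tally[Path(path.stem).suffix.lower() or "(none)"] += 1
    return tally


def build_sample_tree(root):
    """Constructed sample data: empty files only, nothing from a real infection."""
    for rel in ["Desktop/" + RANSOM_NOTE, "Documents/report.docx.pec",
                "Documents/budget.xlsx.pec", "Documents/plan.dwg.pec",
                "Documents/notes.txt", "Pictures/holiday.jpg.PEC"]:
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        enc, notes = scan_for_pec(tmp)
        tally = original_extensions(enc)
        print(len(enc), "encrypted,", len(notes), "note(s),", dict(tally))
        print("not in the article's list:", sorted(set(tally) - LISTED))
```

Point `scan_for_pec` at a mounted backup or file share to see which folders were reached; extensions reported outside the listed set show where the article's list does not cover what was actually encrypted.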

The PEC 2017 cryptovirus is likely to be set to erase the Shadow Volume Copies from the Windows Operating System by initiating the following command:

→vssadmin.exe delete shadows /all /Quiet

The execution of that command makes the encryption process more effective, since it eliminates one of the main ways of recovering your files.
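Because this command has few legitimate uses on a workstation, process-creation logs can be searched for it. The Python sketch below is an added example, not part of the original article: it matches the command quoted above in several spellings (full path, quotes, no ".exe", wrapped in "cmd /c") over constructed log records whose field names and host names are hypothetical:

```python
import re

# Tolerates case, a full path, quotes, a missing ".exe" and a "cmd /c" wrapper.
VSS_DELETE = re.compile(
    r'(?:^|[\s"\\/])vssadmin(?:\.exe)?"?\s+delete\s+shadows\b', re.IGNORECASE)

# Constructed process-creation records (hypothetical field names and hosts).
SAMPLE_EVENTS = [
    {"host": "PC-01", "parent": "explorer.exe",
     "cmd": "vssadmin.exe delete shadows /all /Quiet"},
    {"host": "PC-02", "parent": "cmd.exe",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"host": "PC-03", "parent": "powershell.exe",
     "cmd": 'cmd.exe /c "vssadmin  delete   shadows /all"'},
    {"host": "PC-04", "parent": "mmc.exe", "cmd": "vssadmin list shadows"},
    {"host": "PC-05", "parent": "cmd.exe", "cmd": "type vssadmin-notes.txt"},
]


def is_shadow_delete(command_line):
    """True when the command line asks vssadmin to delete shadow copies."""
    return bool(VSS_DELETE.search(command_line))


def switches(command_line):
    """Report whether the /all and /quiet switches from the article are present."""
    tokens = {t.strip('"').lower() for t in command_line.split()}
    return {"all": "/all" in tokens, "quiet": "/quiet" in tokens}


def detect(events):
    """Return one alert per event whose command line deletes shadow copies."""
    alerts = []
    for event in events:
        if is_shadow_delete(event["cmd"]):
            sw = switches(event["cmd"])
            alerts.append({
                "host": event["host"],
                "parent": event["parent"],
                "silent_full_wipe": sw["all"] and sw["quiet"],
                "cmd": event["cmd"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["host"], alert["parent"], alert["silent_full_wipe"], alert["cmd"])
```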

Remove PEC 2017 Virus and Restore .Pec Files

If your computer got infected with the PEC 2017 ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. Remove the ransomware by following the step-by-step instructions provided below.

Manually delete PEC 2017 from your computer

Note! Substantial notification about the PEC 2017 threat: Manual removal of PEC 2017 requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove PEC 2017 files and objects
2. Find malicious files created by PEC 2017 on your PC

Automatically remove PEC 2017 by downloading an advanced anti-malware program

1. Remove PEC 2017 with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by PEC 2017
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
