PEC 2017 Virus - Remove It and Restore .Pec Files

This article will aid you in removing the PEC 2017 ransomware fully. Follow the ransomware removal instructions given at the bottom of the article.

The PEC 2017 ransomware targets Italian-speaking users with spam mail. The e-mail has a document attached which serves as the entry point for the ransomware. It will encrypt your files while appending the .pec extension to them. When a computer gets infected, the PEC 2017 virus will place a ransom note, written in Italian, in a .html file on your Desktop. Read on to see how you can potentially recover some of your files.

Threat Summary

Name: PEC 2017
Type: Ransomware, Cryptovirus
Short Description: The ransomware virus will encrypt your files and leave a ransom note written in Italian with payment instructions on your Desktop.
Symptoms: The ransomware will encrypt your files while appending the .pec extension to them.
Distribution Method: Spam Emails, Email Attachments

PEC 2017 Ransomware – Spread

The PEC 2017 ransomware has been discovered by malware researchers to spread its infection mainly through spam e-mails. Inside those emails, a file that serves as a payload dropper exploits the CVE-2017-0199 vulnerability in Windows. Samples of the ransomware have been found and submitted for analysis to the Payload Security and VirusTotal services, where a number of security vendors detect a payload file called “stylesheet.rtf”.

The payload script for PEC 2017 ransomware is launched from a document file attached to a spam e-mail, more precisely a Rich Text Format document.

The document looks like the CV (Curriculum Vitae) of an Italian looking for a job.

Beware, as the PEC 2017 cryptovirus might also be spread with the help of social media or file-sharing networks. Bundled freeware applications could seem helpful but contain a script for that Windows exploit as well. Don’t open files you have downloaded before scanning them with a security tool. Also, you should read the ransomware prevention tips in our forum.

PEC 2017 Virus – More Information

PEC 2017 is the name given to a new strain of ransomware, which evidently targets Italian users, and more specifically, Italian businesses. Its payload is inside a document file that is disguised as the CV of a person looking for work. If your PC is infected, your files get encrypted and all of them receive the .pec extension.

The PEC 2017 ransomware could make entries in the Windows Registry aiming to achieve a higher level of persistence. Those registry entries are typically designed in a way that will start the virus automatically with each launch of the Windows Operating System. An example of such an entry is the following:


The ransom note will be dropped after the encryption process is finished. The note provides instructions on how you could get your files restored. The note of PEC 2017 is placed on your Desktop inside a file called “AIUTO_COME_DECIFRARE_FILE.html”.

The ransom message from that .html file reads the following:

PEC 2017
Informazioni su come decifrare i file
I tuoi file sono stati cifrati dal sistema PEC 2017 con crittografia AES 256.
PEC non è decifrabile da nessun software e da nessun antivirus.
Come recuperare i dati criptati
Unico modo per recuperare i dati danneggiati è acquistare il software di recupero PEC CLEANER.
Quando hai ottenuto il software potrai procedere al recupero ed il ripristino dei file danneggiati.
Con lo stesso software potrai decriptare tutti i file danneggiati anche quelli nei dischi esterni o di rete.
Non utilizzare alcun software antivirus o di decrypt in quanto non solo non efficaci, ma potrebbero compromettere per sempre il recupero dei dati.
Con PEC Cleaner potrai recuperare tutti i tuoi dati perfettamente funzionanti e senza attese.
Come acquistare PEC CLEANER
contatta il produttore del software di decrypt per acquisto della licenza e download del programma:
pec.clean@protonmail com
La tua chiave di sblocco è
Il software verrà reso disponibile al download entro 24 ore dal pagamento e ti consentirà il ripristino immediato dei dati.

A rough machine translation in English of that text is:

PEC 2017
Learn how to decrypt files
Your files have been encrypted by the PEC 2017 system with AES 256 encryption.
PEC is not decipherable by any software and no antivirus.
How to recover encrypted data
The only way to recover corrupted data is to purchase PEC CLEANER Recovery Software.
Once you have obtained the software, you will be able to recover and restore the corrupted files.
With the same software you can decrypt all damaged files even those on external or network disks.
Do not use any antivirus software or decrypt as not only ineffective, but may compromise data retention forever.
With PEC Cleaner, you can retrieve all your perfectly working and unexpected data.
Contact the decrypt software manufacturer to purchase the license and download the program:
Your unlock key is
The software will be available for download within 24 hours of your payment and will allow you to restore your data immediately.

The ransom note is written in a way to scare people and to persuade them into paying a ransom. The developer of the PEC 2017 virus wants you to contact them through the encrypted mail service ProtonMail.

However, you should NOT under any circumstances pay anything to the cybercriminals, nor contact them. Nobody can give you a guarantee that you will get your files decrypted if you pay up, plus you might further motivate them to commit more criminal acts, like developing more ransomware, if they see they can profit from it.

PEC 2017 Virus – Encryption Process

PEC 2017 ransomware will probably search for and encrypt files of the most commonly used file types in Microsoft Windows. Those file types carry the following extensions:

→.7z, .bmp, .doc, .docm, .docx, .html, .jpeg, .jpg, .mp3, .mp4, .pdf, .php, .ppt, .pptx, .rar, .rtf, .sql, .tiff, .txt, .xls, .xlsx, .zip

The algorithm which is used for the encryption of your files is AES 256-bit or at least that is stated in the ransom message.
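A read-only triage pass built on the indicators named in this article (the .pec extension, the AIUTO_COME_DECIFRARE_FILE.html note and the listed file types), showing which directories were hit and roughly when. This is an added example, not code from the article; `triage` and `build_sample` are hypothetical names, and it assumes .pec is appended to the original file name and that the oldest modification time among encrypted files approximates the start of encryption.

```python
import os
import tempfile
from collections import Counter

NOTE = "AIUTO_COME_DECIFRARE_FILE.html"  # ransom note name given in the article
ENC_EXT = ".pec"                          # extension given in the article
# File types the article lists as likely targets.
TARGETED = set(".7z .bmp .doc .docm .docx .html .jpeg .jpg .mp3 .mp4 .pdf .php "
               ".ppt .pptx .rar .rtf .sql .tiff .txt .xls .xlsx .zip".split())

def triage(root):
    """Summarise PEC 2017 artefacts under root without modifying anything."""
    notes, by_dir, by_type, earliest = [], Counter(), Counter(), None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE.lower():
                notes.append(path)
                continue
            stem, ext = os.path.splitext(name)
            if ext.lower() != ENC_EXT:
                continue
            # Assumption: ".pec" is appended, so "a.docx.pec" was "a.docx".
            orig = os.path.splitext(stem)[1].lower()
            by_type[orig if orig in TARGETED else "unlisted"] += 1
            by_dir[dirpath] += 1
            try:
                mtime = os.path.getmtime(path)
            except OSError:  # file vanished or is unreadable; it stays counted
                continue
            earliest = mtime if earliest is None else min(earliest, mtime)
    return {"notes": notes, "encrypted": sum(by_dir.values()),
            "by_dir": dict(by_dir), "by_type": dict(by_type),
            "earliest_mtime": earliest}

def build_sample(root):
    """Constructed sample tree: two encrypted files, one clean file, one note."""
    os.makedirs(os.path.join(root, "Docs"))
    for rel, mtime in [("Docs/cv.docx.pec", 1000), ("Docs/db.bak.pec", 2000),
                       ("Docs/clean.txt", 500), (NOTE, 3000)]:
        path = os.path.join(root, *rel.split("/"))
        with open(path, "w") as fh:
            fh.write("constructed sample")
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```

Point `triage` at a user profile or a mounted share to see which locations need restoring from backup; it only reads directory listings and timestamps.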

The PEC 2017 cryptovirus is likely to be set to erase the Shadow Volume Copies from the Windows Operating System by initiating the following command:

→vssadmin.exe delete shadows /all /Quiet

Running that command makes the encryption harder to undo, since it eliminates one of the prominent ways of recovering your files.
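Because the shadow-copy deletion runs as an ordinary process, it can be caught in process-creation logs. The following is an added example, not code from the article: it tokenises command lines so that path, case, spacing and quoting differences do not hide the vssadmin call shown above. The event records and their `host` and `cmd` field names are constructed for illustration.

```python
# Constructed process-creation records; field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "WS-014", "cmd": r"vssadmin.exe delete shadows /all /Quiet"},
    {"host": "WS-014",
     "cmd": r'"C:\Windows\System32\VSSADMIN.EXE"  Delete  Shadows /All /quiet'},
    {"host": "WS-020",
     "cmd": r'cmd.exe /c "vssadmin delete shadows /for=C: /quiet"'},
    {"host": "SRV-02", "cmd": r"vssadmin.exe list shadows"},
    {"host": "SRV-02", "cmd": r"notepad.exe C:\Users\anna\report.txt"},
]

def parse_vssadmin(cmd):
    """Return the options of a 'vssadmin delete shadows' call, or None."""
    # Lower-case and strip quotes so wrapping by cmd.exe does not matter.
    tokens = [t.strip("\"'").lower() for t in cmd.split()]
    for i, tok in enumerate(tokens):
        base = tok.replace("/", "\\").rsplit("\\", 1)[-1]
        if base in ("vssadmin", "vssadmin.exe") and \
                tokens[i + 1:i + 3] == ["delete", "shadows"]:
            opts = tokens[i + 3:]
            return {"all": "/all" in opts, "quiet": "/quiet" in opts}
    return None

def detect(events):
    """Flag shadow-copy deletion; /all with /quiet matches the article's command."""
    alerts = []
    for ev in events:
        hit = parse_vssadmin(ev["cmd"])
        if hit is None:
            continue
        severity = "high" if hit["all"] and hit["quiet"] else "medium"
        alerts.append({"host": ev["host"], "severity": severity,
                       "cmd": ev["cmd"]})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"], alert["host"], alert["cmd"])
```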

Remove PEC 2017 Virus and Restore .Pec Files

If your computer got infected with the PEC 2017 ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. You should remove the ransomware by following the step-by-step instructions provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
