.puma Files Virus – How to Remove It (+ Decrypt Files)


This blog post explains what the .puma files ransomware virus is, how you can remove this variant of STOP ransomware, and how you can try to recover your encrypted files.

A new version of STOP ransomware has been detected in the wild. The ransomware appends the .puma file extension to each file it encrypts. The virus then drops a ransom note to notify users that their files are encrypted and that they should pay a hefty ransom in order to get them back. If your computer has been infected by the .puma files virus, we recommend that you read this article thoroughly.

Threat Summary

Name: .puma Files Virus
Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt the files on your computer and then extort you into paying ransom.
Symptoms: Files are encrypted with the .puma file extension added to their original one. A ransom note, called readme.txt, shows up in the folder with encrypted files.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.puma Files Virus – Update December 2018

There is a decrypter tool released for .puma, .pumax, and .pumas variants of STOP ransomware. The tool was released thanks to the Proof of Concept by AfshinZlfgh and Michael Gillespie’s finishing touches. You can download it via the .puma, .pumax, .pumas Decryption Tool link. The tool requires a pair of an original file and its encrypted version.
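Because the decrypter needs an original file together with its encrypted version, a quick way to locate candidate pairs is to compare the affected folder against a backup. The script below is an added example, not part of the decrypter or of the original article; it assumes a backup folder that mirrors the layout of the affected one, and the function name find_pairs is hypothetical.

```python
import filecmp
import os

SUFFIX = ".puma"  # extension appended by this variant, as described on this page

def find_pairs(encrypted_root, backup_root):
    """Return sorted (original, encrypted) pairs; backup_root mirrors encrypted_root."""
    pairs = []
    for folder, _dirs, files in os.walk(encrypted_root):
        for name in files:
            stem = name[:-len(SUFFIX)]
            if not name.lower().endswith(SUFFIX) or not stem:
                continue  # not an encrypted file, or nothing left once the suffix is removed
            encrypted = os.path.join(folder, name)
            rel = os.path.relpath(os.path.join(folder, stem), encrypted_root)
            original = os.path.join(backup_root, rel)
            if not os.path.isfile(original) or os.path.getsize(original) == 0:
                continue  # the backup holds no usable copy of this file
            if filecmp.cmp(original, encrypted, shallow=False):
                continue  # identical bytes: the "backup" is not a clean original
            pairs.append((original, encrypted))
    return sorted(pairs)
```

Work on copies of the encrypted files and keep the backup read-only while collecting pairs.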

.puma Files Virus – Distribution Methods

The primary distribution method is believed to be e-mail spam. These malspam messages are often used to convince the victim to manually download and run the infection file. To convince victims, the crooks often disguise the attachments as completely legitimate types of files, such as:

  • Invoices.
  • Receipts.
  • Order details.
  • Account security reports.
  • Something that is work-related.

In addition to this, you may encounter the infection file of this ransomware virus uploaded to a suspicious third-party website. There, the virus may be disguised as a desirable program for download, like:

  • Game patch.
  • Crackfix.
  • Online software activator.
  • Key generator.
  • Portable version of a program.

.puma Files Virus – Activity

When the .puma ransomware infects your computer, the virus may immediately drop the payload files that conduct its malicious operations. These types of payload files are created in the commonly used Windows directories:

  • %AppData%
  • %Local%
  • %Temp%
  • %LocalLow%
  • %Roaming%

Among the files dropped by the .puma files virus is the ransom note, named readme.txt. It contains the following message:

==================================!ATTENTION PLEASE!===========================================

Your databases, files, photos, documents and other important files are encrypted and have the extension: .puma
The only method of recovering files is to purchase an decrypt software and unique private key.
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
Only we can give you this key and only we can recover your files.
You need to contact us by e-mail pumarestore@india.com send us your personal ID and wait for further instructions.
For you to be sure, that we can decrypt your files – you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Discount 50% available if you contact us first 72 hours.


E-mail address to contact us:

Reserve e-mail address to contact us:

Your personal id:

When the payload of the .puma files virus is dropped on the victim's computer, the ransomware may begin to modify the Windows Registry. This is done by creating multiple registry entries that allow it to run files automatically or disable certain Windows defenses. These can be the following sub-keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
HKEY_CURRENT_USER\Control Panel\Desktop

These sub-keys may contain entries with data that could lead you to the actual location of the malicious files belonging to the .puma file ransomware.

In addition to this, the virus may begin to execute malicious scripts that may delete the backups of Windows and disable System Restore. The commands are usually entered as an administrator, which means that .puma Ransomware obtains administrator rights to do so. The commands may be the following and they may be entered in Windows Command Prompt:

sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet

These stop commands are used to stop critical Windows services, such as Windows Defender, System Recovery and BITS, all of which could obstruct encryption.
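For defenders, the command list above also works as a detection pattern: several security services stopped on one host together with recovery options being switched off. The following is an added example, not code from the original article. The log line format, the sample events, the severity labels and the threshold of three stopped services are all constructed for illustration.

```python
import re
from collections import defaultdict

# Service names and commands are the ones listed above; matching ignores case.
SERVICES = ("VVS", "wscsvc", "WinDefend", "wuauserv", "BITS", "ERSvc", "WerSvc")
RULES = {
    "service_stop": re.compile(r"\bsc(?:\.exe)?\s+stop\s+(%s)\b" % "|".join(SERVICES), re.I),
    "recovery_off": re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "boot_ignore": re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "shadow_delete": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
}
RECOVERY_TAGS = {"recovery_off", "boot_ignore", "shadow_delete"}

# Constructed process-creation events: "timestamp | host | command line".
SAMPLE_EVENTS = [
    r"2018-12-01T10:00:01 | WS01 | sc stop WinDefend",
    r"2018-12-01T10:00:01 | WS01 | SC.EXE  stop wscsvc",
    r"2018-12-01T10:00:02 | WS01 | sc stop BITS",
    r"2018-12-01T10:00:03 | WS01 | cmd.exe /C bcdedit /set {default} recoveryenabled No",
    r'2018-12-01T10:00:04 | WS01 | "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet',
    r"2018-12-01T11:15:40 | WS02 | sc stop Spooler",
    r"2018-12-01T11:16:02 | WS02 | vssadmin list shadows",
    r"2018-12-01T12:30:00 | SRV03 | vssadmin delete shadows /for=C: /oldest",
]

def normalize(cmd):
    """Drop straight and curly quotes and collapse whitespace before matching."""
    return re.sub(r"\s+", " ", re.sub("[\"'\u201c\u201d]", "", cmd)).strip()

def triage(lines, min_service_stops=3):
    """Return {host: severity} for hosts whose commands match the pattern above."""
    seen = defaultdict(lambda: {"tags": set(), "services": set()})
    for line in lines:
        _ts, host, cmd = (part.strip() for part in line.split("|", 2))
        for tag, rx in RULES.items():
            match = rx.search(normalize(cmd))
            if match:
                seen[host]["tags"].add(tag)
                if tag == "service_stop":
                    seen[host]["services"].add(match.group(1).lower())
    alerts = {}
    for host, info in seen.items():
        recovery = info["tags"] & RECOVERY_TAGS
        if recovery and len(info["services"]) >= min_service_stops:
            alerts[host] = "high"    # defenses stopped and recovery options removed together
        elif recovery:
            alerts[host] = "medium"  # recovery tampering alone; can be legitimate admin work
    return alerts

print(triage(SAMPLE_EVENTS))
```

In the constructed sample, WS01 is rated high, SRV03 medium, and WS02 raises no alert because stopping an unrelated service and listing shadow copies match none of the rules.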

.puma Files Virus Encryption Process

To encrypt the files on the compromised computer, the .puma file ransomware may use different types of encryption algorithms. These ciphers often turn out to be either AES or RSA encryption algorithms, but usage of newer and faster ciphers is also possible, like Salsa20, used by GandCrab ransomware.

For the encryption process, the .puma files virus firstly scans your computer for documents, images, audio and video files and several other file types that are often used. The .puma files virus may scan the files and detect them, based on their file extensions:


After the virus detects the files, it may either directly tamper with them or delete the original ones and create encrypted copies of them, containing the .puma file suffix added to the file itself:

Remove .puma File Ransomware and Try Restoring Your Data

If you want to remove this ransomware virus from your computer, we do recommend that you backup your files beforehand, because the removal may be risky.

To try and remove the .puma files virus manually, you can follow the instructions we have set up for you below and use them in combination with the information about the virus we have written in this article. If manual removal is not the solution for you, experts often recommend removing ransomware viruses, like the .puma file variant, automatically with the aid of an advanced anti-malware program. The main idea behind such software is to thoroughly scan your system for any files and objects related to .puma Ransomware and make sure that it is clean of all of them.

If you want to try and restore files, encrypted by the .puma files ransomware, we recommend that you attempt using the file recovery methods we have posted underneath. They come with no guarantee, but with their aid, you may be able to recover at least some of your encrypted files.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
