.tfude Files Virus - How to Remove It (+ Decrypt Files)

.tfude Files Virus – How to Remove It (+ Decrypt Files)

This article has been created in order to best explain what is the .tfude files virus and how you can remove it from your computer plus how you can try and restore files encoded with the .tfude file extension.

A new form of ransomware virus, going by the file extension .tfude has been detected by security experts. The virus is part of the

.Djvu ransomware wave that has been hitting users vigorously the last few months. The ransomware shares the same code as the previously detected STOP ransomware virus. It’s main purpose is to encrypt the files on the computer systems that are compromised by it and then set the .tfude file extension after their original one. The ransomware also drops an _openme.txt file, whose main goal is to inform victims that their systems are attacked. If your computer has suffered an attack by the .tfude files virus, we would suggest that you read the article underneath.

Threat Summary

Name.tfude Virus
TypeRansomware, Cryptovirus
Short DescriptionEncrypts the files on the compromised computer and then asks the victim to pay ransom in cryptocurrencies to get their files to work again.
SymptomsThe files on the infected machine cannot be opened and have the .tfude suffix added to them. A ransom note, called _openme.txt is also dropped on the computer of the victim.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .tfude Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .tfude Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.tfude Ransomware – Update January 2019

There is a decrypter tool released for STOP ransomware’s .tfude Ransomware variant. The tool was initially released for the .puma, .pumax, .pumas versions of the cryptovirus. Michael Gillespie has updated it to also support .djvu, .djvuq, .djvur, .djvut, .djvuu, .pdff, .tfude, .tfudeq, .tro, .udjvu, .tfudet. You can download the tool via the Decryption Tool link here. The tool requires a pair of an original file and its encrypted version.

.tfude Ransomware – How Does It Infect

There is more than one distribution method that may be associated with the .tfude ransomware. The virus infects by two main infection objects:

  • Malicious files disguised as legitimate ones.
  • Web links that the victim is either redirected to or clicks on.

If the infection with the .tfude ransomware virus commences via malicious files, it may be done in the following ways:

  • Via e-mail that is sent to the victim, which disguises the e-mail attachments as legitimate documents, like invoices, recepts, etc.
  • Via the malicious file being uploaded online and pretending to be a setup of a program or patch, crack and other forms of license activation executables.

If the infection commences via a malicious web links, this is usually done as a result of a JavaScript code that is malicious and aims to infect users as a result of getting them to click on fake buttons or the links themselves. In some cases, the crooks may use an adware or another program that may cause browser re-directions and infect your computer with the .tfude ransomware automatically.

.tfude Ransomware – More Information

Once the .tfude ransomware virus has infected a certain computer, the malware may drop it’s main payload fils on the computrs of victims. They may be hidden behind different names and may exist in the following directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

Once the malicious files on the victim PC are dropped, the user may start to see the ransom note file on his computer. It is called _openme.txt and has the following ransom message:

———————————————- ALL YOUR FILES ARE ENCRYPTED ———————————————–

Don’t worry, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information
Don’t try to use third-party decrypt tools because it will destroy your files.
Discount 50% available if you contact us first 72 hours.


To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID:
[redacted 43 alphanumeric chars]

In addition to this, the .tfude ransomware virus may also begin to modify the Windows Registry Editor of the infected computer by adding registry values in Windows. These values are often focused on automatically running the ransom note and the encryption module of the ransomware. They may be located in the Run and RunOnce sub-keys of the Winbdows Registry Editor as shown below:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In addition to modifying the Registry Editor, the .tfude ransomware virus may also delete the shadow copies of the infected computer. This is done to eliminate any chances of using Windows Recovery service to restore previous versions of your files. To do this, the .tfude ransomware may execute the following commands in an Administrator command prompt:

→sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

.tfude Ransomware – Encryption Process

When it comes down to encrypting files of victims, the .tfude ransomware has clever scanning features. The malware skips all of the important Windows files and directories, but it scans for and encrypts any:

  • Audio files.
  • Videos.
  • Images.
  • Documents.
  • Backup file types.
  • Virtual drives.
  • Virtual signatures.
  • Banking files.

The virus does this with the main goal of getting victims to still be able to use their computer to pay the ransom. In addition to this, the .tfude ransomware uses the combination of AES and RSA encryption algorithms, which is typical for most ransomware viruses. The .tfude virus may encrypt the files, using the AES cipher and then lock the encryption key with the RSA-1024 encryption algorithm. After encryption, .tfude ransomware adds the .tfude file extension to the encrypted files and they assume the following appearance:

Remove .tfude Ransomware and Try Recovering Your Files

Before you begin to remove the .tfude ransowmare virus from your computer, we would suggest that you backup your files, even if they are encrypted. In this way, you minimise the chance of breaking them indefinitely as they are now only locked temporarily.

For the removal of .tfude ransomware, we would advise you to follow the removal manual that is underneath this article. It has been created with the main purpose of making it easy for you to use the information in this article to remove the virus either manually or automatically. If the first two removal steps for manual deletion do not seem to help out, then we have a backup plan that will help you remove the malicious files automatically. Such software aims to scan your computer for any .tfude malicious files and objects and remove them automatically to secure your PC against future infections as well.

If you want to try and resotre as many encrypted files as possible, we would recommend that you try out the “try to restore” step from the instructions below. It contains several methods that might help you out, even though they come with no guarantee.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

1 Comment

  1. AvatarCorben

    j’ai été infecté par Ftudet
    j’ai du reformater mon ordi mais il a contaminé mon disque dur de 3Tr ou j’ai tout mes films vidéos ainsi que document important Word excel
    j’aimerai être sur et certain que le programme SypHunter supprimera ce TFUDET!!!
    je sais sur votre site vous écricez TFUDE
    Mais moi j’ai comme extention des vidéos excel Word ex (: mkv.TFUDET ). et je récupérerai toutes mes vidéos et un fichier TXT dans chaques dossiers _openme
    Pouvez vous m’aidez SVP

    Merci d’avance


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share