Severity scale: 98/100

Tabufa ransomware. How to remove? (Uninstall guide)

removal by Lucia Danes | Type: Ransomware

Tabufa ransomware is crypto malware that encrypts all personal files and drops the how_to_back_files.html ransom note on the host device

Tabufa ransomware is a file-locking virus that hails from the GlobeImposter 2.0 family. Unfortunately, this variant is currently not decryptable.

Tabufa ransomware is a computer infection that targets photos, videos, documents, music, and other files on the device to lock them up with the help of RSA + AES or RSA + RC4 ciphers[1] and then demand ransom for the decryption tool. The amount varies from victim to victim, 

The malware stems from the infamous GlobeImposter 2.0 virus family, which was initially spotted back in April 2017 and has since released over 400 variants. This version uses the .tabufa extension, which is appended to the end of each file. From that point on, users are unable to access any personal data that is located on the PC, apart from Programs and some other data.

Additionally, Tabufa virus drops a ransom note, how_to_back_files.html, which is simply a message from the ransomware developers. In it, users are told that they need to email the crooks via tabufa@protonmail.com or tabufa@airmail.cc and transfer money in Bitcoin in order to receive the decryptor.

Name: Tabufa
Type: Ransomware
Virus family: GlobeImposter 2.0
File extension: .tabufa
Ransom note: how_to_back_files.html
Contact: tabufa@protonmail.com or tabufa@airmail.cc
Infiltration: Spam emails, web injects, exploits, brute-forcing, fake updates, etc.
File decryption: Only available via third-party software if no backups are present
Removal: Terminate the threat with the help of powerful security software
System recovery: To restore damaged Windows OS files, scan your device with Reimage
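
A read-only triage script built on the indicators listed above (the .tabufa extension, the how_to_back_files.html note and the two contact addresses). It is an added example, not part of the original guide; the function names, the constructed sample tree and the use of file modification time as an estimate of when encryption began are assumptions made here.

```python
import os
import tempfile
from datetime import datetime, timezone

# Indicators taken from the article.
ENCRYPTED_EXT = ".tabufa"
NOTE_NAME = "how_to_back_files.html"
CONTACTS = ("tabufa@protonmail.com", "tabufa@airmail.cc")


def triage(root):
    """Read-only walk of root; returns artefact paths and a first-seen estimate."""
    report = {"encrypted": [], "notes": [], "other_notes": [], "first_seen": None}
    earliest = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            try:
                if lower.endswith(ENCRYPTED_EXT):
                    report["encrypted"].append(path)
                    mtime = os.stat(path).st_mtime
                    earliest = mtime if earliest is None else min(earliest, mtime)
                elif lower == NOTE_NAME:
                    # Attribute the note by the contact addresses inside it, not by name alone.
                    with open(path, "r", errors="replace") as fh:
                        text = fh.read(65536).lower()
                    key = "notes" if any(c in text for c in CONTACTS) else "other_notes"
                    report[key].append(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, keep scanning
    if earliest is not None:
        # Oldest modification time among locked files (assumption: it reflects
        # encryption time); helps when choosing a restore point or backup.
        report["first_seen"] = datetime.fromtimestamp(earliest, tz=timezone.utc)
    return report


def demo():
    """Run triage over a constructed sample tree (not real victim data)."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name, ts in (("report.docx.tabufa", 1560000000), ("photo.jpg.tabufa", 1560000600)):
            path = os.path.join(docs, name)
            open(path, "wb").close()
            os.utime(path, (ts, ts))
        with open(os.path.join(docs, NOTE_NAME), "w") as fh:
            fh.write("<html>contact: tabufa@protonmail.com</html>")
        return triage(root)
```

Run `triage()` against a mounted copy or a user profile directory; notes that land in `other_notes` carry the expected file name but none of the Tabufa contact addresses and deserve a manual look.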

Victims are also offered a free test decryption service for one file. This is a common technique used by hackers to create a false sense of security. However, experts recommend avoiding any contact with bad actors and focusing instead on Tabufa ransomware removal. Currently, the virus is not decryptable, but we provide alternative file recovery solutions below. The mentioned ransom message states the following:

All your data has been ciphered!
The only way of recovering your files is to buy a unique decryptor.
A decryptor is fully automatic, all your data will be recovered within a few hours after it’s installation.

For purchasing a decryptor contact us by email:
tabufa@protonmail.com

If you will get no answer within 24 hours contact us by our alternate emails:
tabufa@airmail.cc

We assure full recovery after the payment.
To verify the possibility of the recovery of your files we can decipher 1 file for free.
Attach 1 file to the letter (no more than 5Mb). Indicate your personal ID on the letter:

In reply we will send you an deciphered file and an instruction for purchasing an automatic decryptor for all your files. After the payment we will send you a decryptor and an instructions for protecting your computer from network vulnerabilities..

<…>

There are a variety of techniques that Tabufa file virus authors use in order to infect the maximum number of victims worldwide. For example:

  • Spam email attachments and hyperlinks;
  • Exploit kits;[2]
  • Pirated software and its cracks;
  • Fake updates;
  • Unprotected RDP;
  • Web injects, etc.

Regardless of how the malware got into your machine, you need to remove Tabufa ransomware as quickly as possible. For that, we suggest you download and install reputable security software, such as SpyHunter, Combo Cleaner or Malwarebytes. Nevertheless, be aware that not all AV engines might recognize the threat, so a scan with multiple solutions might be required.

Do not forget that Tabufa ransomware not only encrypts .jpg, .pdf, .doc, .xtml, .html, .gif, .mp4, and other file types, but also affects Windows OS operation. For example, the virus deletes Shadow Volume copies to complicate the recovery process, modifies the registry, enables new startup items, deletes files, etc.

Therefore, you should also make sure you use Reimage or similar repair software to fix virus damage done to your operating system. After that, you can then attempt to recover files encrypted by Tabufa ransomware. Please check the bottom section of this article for alternative methods if you do not have backups prepared.

Ransomware uses a variety of infection methods – here's how to protect yourself

Ransomware is possibly one of the most destructive malware families around because the locked files are not deciphered when the malware is terminated. In most cases, a scan with reputable anti-virus software will terminate the malware, as multiple AV vendors specialize heavily in ransomware, so its removal is usually not a problem. However, this does not return the files to normal, because they are locked and require a unique key that is only accessible to the threat actors. Despite that, security researchers always work on decryptors that would help victims retrieve their files for free.

Therefore, to avoid such an unfortunate situation, you should prevent the infection in the first place. Ensuring that your data is also stored on an external backup device or cloud-based storage would save the day, even if you do manage to get infected. These are the tips from industry experts,[3] so make sure to keep them in mind when using the computer on a daily basis:

  • Enable Firewall and install powerful anti-malware software with real-time protection feature;
  • Update your Windows operating system regularly;
  • Enable automatic updates for all the apps you have installed;
  • Avoid email attachments or hyperlinks. If needed, scan the file or the URL with tools like VirusTotal;
  • Do not download pirated software or its cracks;
  • Use ad-blocker on high-risk sites.

Do not contact cybercriminals and delete Tabufa ransomware from your system

While there is no official decryptor developed by security researchers yet, you should not pay the ransom and should instead remove Tabufa ransomware from your device. If you comply, you might get scammed and lose the money altogether. Besides, paying hackers will only prove that the illegal business of ransomware works, and it will prompt them to expand their operations further, developing more advanced threats.

You should perform Tabufa ransomware removal in the Safe Mode with Networking, as in this way malware's operation will be temporarily disabled. Once in Safe Mode, perform a full system scan with anti-malware software – this should be enough to terminate the virus. If you had no backups, check out the bottom section of this article for alternative file recovery solutions.


To remove Tabufa virus, follow these steps:

Remove Tabufa using Safe Mode with Networking

To ensure prompt Tabufa ransomware removal, enter Safe Mode with Networking:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Tabufa

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Tabufa removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Tabufa using System Restore

You can also use System Restore to terminate the virus:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Tabufa. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Tabufa removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Tabufa from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Tabufa, you can use several methods to restore them:

Make use of Data Recovery Pro

Data Recovery Pro is an excellent tool that might recover even those files that were enciphered by ransomware.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Tabufa ransomware;
  • Restore them.

Windows Previous Versions feature might be useful

This recovery method will only work if you had System Restore enabled before Tabufa infected your PC.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might retrieve all your data

This tool should be able to recover all the encrypted data if the virus failed to delete Shadow Volumes.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow the Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk that holds your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryptor is currently available

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Tabufa and other ransomware, use a reputable anti-spyware program, such as Reimage, SpyHunter, Combo Cleaner or Malwarebytes.

About the author

Lucia Danes - Virus researcher
