Tabufa ransomware (Removal Instructions) - Recovery Instructions Included

Tabufa virus Removal Guide

What is Tabufa ransomware?

Tabufa ransomware is crypto malware that encrypts all personal files and drops how_to_back_files.html ransom note on the host device

Tabufa ransomwareTabufa ransomware is a file locking virus that hails from GoleImposter 2.0 family. Unfortunately, this variant is currently not decryptable

Tabufa ransomware is a computer infection that targets photos, videos, documents, music, and other files on the device to lock them up with the help of RSA + AES or RSA + RC4 ciphers[1] and then demand ransom for the decryption tool. The amount varies from victim to victim,

The malware stems from the infamous GlobeImposter 2.0 virus family, which was initially spotted back in April 2017, and since then released a variety of variants, reaching over 400 in numbers. This version uses .tabufa extension, which is appended at the end of each file. Since that point, users are unable to access any personal data that is located on the PC, apart from Programs and some other data.

Additionally, Tabufa virus also drops a ransom note how_to_back_files.html, which is simply a message from the ransomware developers. In it, users are explained that they need to email crooks via or and transfer money in Bitcoin in order to receive the decryptor.

Name Tabufa
Type Ransomware
Virus family GlobeImposter 2.0
File extension .tabufa
Ransom note how_to_back_files.html
Contact or
Infiltration Spam emails, web injects, exploits, brute-forcing, fake updates, etc.
File decryption Only available via third-party software if not backups are present
Removal Terminate the threat with the help of powerful security software
System recovery To restore damaged Windows OS files, scan your device with FortectIntego

Victims are also offered a free test decryption service for one file. This is a common technique used by hackers to ensure a false sense of security. However, experts recommend avoiding any contact with bad actors and instead focus on Tabufa ransomware removal. Currently, the virus is not decryptable, but we provide alternative file recovery solutions below. The mentioned ransom message states the following:

All your data has been ciphered!
The only way of recovering your files is to buy a unique decryptor.
A decryptor is fully automatic, all your data will be recovered within a few hours after it’s installation.

For purchasing a decryptor contact us by email:

If you will get no answer within 24 hours contact us by our alternate emails:

We assure full recovery after the payment.
To verify the possibility of the recovery of your files we can decipher 1 file for free.
Attach 1 file to the letter (no more than 5Mb). Indicate your personal ID on the letter:

In reply we will send you an deciphered file and an instruction for purchasing an automatic decryptor for all your files. After the payment we will send you a decryptor and an instructions for protecting your computer from network vulnerabilities..


There are a variety of techniques that Tabufa file virus authors use in order to infect the maximum number of victims worldwide. For example:

  • Spam email attachments and hyperlinks;
  • Exploit kits;[2]
  • Pirated software and its cracks;
  • Fake updates;
  • Unprotected RDP;
  • Web injects, etc.

Regardless of how the malware got into your machine, you need to remove Tabufa ransomware as quickly as possible. For that, we suggest you download and install reputable security software, such as SpyHunter 5Combo Cleaner or Malwarebytes. Nevertheless, be aware that not all AV engines might recognize the threat, so a scan with multiple solutions might be required.

Do not forget that Tabufa ransomware does not only encrypt .jpg, .pdf, .doc, .xtml, .html, .gif, .mp4, and other file types., but also affects Windows OS operation. For example, the virus deletes Shadow Volume copies to complicate the recovery process, modifies the registry, enables new startup items, deletes files, etc.

Therefore, you should also make sure you use FortectIntego or similar repair software to fix virus damage done to your operating system. After that, you can then attempt to recover files encrypted by Tabufa ransomware. Please check the bottom section of this article for alternative methods if you do not have backups prepared.

Tabufa ransomware virusTabufa ransomware is a type of malware that locks up all personal files on the computer and then demands Bitcoin payment for the decryption tool

Ransomware uses a variety of infection methods – here's how to protect yourself

Ransomware is possibly one of the most destructive malware families around due to the fact that the locked files do not get deciphered after its termination. In most cases, a scan with reputable anti-virus software would terminate the malware, as multiple AV vendors specialize on ransomware heavily, so its removal is usually not a problem. However, this would not recover the files back to normal because they are locked and require a unique key that is only accessible to actors. Despite that, security researchers always work on decryptors that would help victims retrieve their files for free.

Therefore, to avoid such an unfortunate situation, you should prevent the infection in the first place. Ensuring that your data is also stored on an external backup device or cloud-based storage would save the day, even if you do manage to get infected. These are the tips from industry experts,[3] so make sure to keep them in mind when using the computer on a daily basis:

  • Enable Firewall and install powerful anti-malware software with real-time protection feature;
  • Update your Windows operating system regularly;
  • Enable automatic updates for all the apps you have installed;
  • Avoid email attachments or hyperlinks. If needed, scan the file or the URL with tools like Virus Total;
  • Do not download pirated software or its cracks;
  • Use ad-blocker on high-risk sites.

Do not contact cybercriminals and delete Tabufa ransomware from your system

While there is no official decryptor developed by security researchers yet, you should not pay the ransom and rather remove Tabufa ransomware from your device. If you oblige, you might get scammed and lose the money altogether. Besides, paying hackers will only prove that the illegal business of ransomware works, and it will prompt them to expand their operations further, developing more advanced threats.

You should perform Tabufa ransomware removal in the Safe Mode with Networking, as in this way malware's operation will be temporarily disabled. Once in Safe Mode, perform a full system scan with anti-malware software – this should be enough to terminate the virus. If you had no backups, check out the bottom section of this article for alternative file recovery solutions.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Tabufa virus. Follow these steps

Manual removal using Safe Mode

To ensure prompt Tabufa ransomware removal, enter Safe Mode with Networking:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Tabufa using System Restore

You can also use System Restore to terminate the virus:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Tabufa. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Tabufa removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Tabufa from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Tabufa, you can use several methods to restore them:

Make use of Data Recovery Pro

Data Recovery Pro is an excellent tool that might recover even those files that were enciphered by ransomware.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Tabufa ransomware;
  • Restore them.

Windows Previous Versions feature might be useful

This recovery method will only work if you had System Restore enabled before Tabufa infected your PC.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might retrieve all your data

This tool should be able to recover all the encrypted data if the virus failed to delete Shadow Volumes.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryptor is currently available

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Tabufa and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Lucia Danes
Lucia Danes - Virus researcher

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions