Remove Tabufa ransomware (Removal Instructions) - Recovery Instructions Included

by Lucia Danes | Type: Ransomware

Tabufa ransomware is crypto malware that encrypts all personal files and drops how_to_back_files.html ransom note on the host device

Tabufa ransomware

Tabufa ransomware is a computer infection that targets photos, videos, documents, music, and other files on the device to lock them up with the help of RSA + AES or RSA + RC4 ciphers[1] and then demand ransom for the decryption tool. The amount varies from victim to victim, 

The malware stems from the infamous GlobeImposter 2.0 virus family, which was initially spotted back in April 2017 and has since produced a variety of variants, reaching over 400 in number. This version uses the .tabufa extension, which is appended to the end of each file name. From that point on, users are unable to access any personal data located on the PC, apart from programs and some other data.

Additionally, Tabufa virus also drops a ransom note how_to_back_files.html, which is simply a message from the ransomware developers. In it, users are explained that they need to email crooks via or and transfer money in Bitcoin in order to receive the decryptor.

Name: Tabufa
Type: Ransomware
Virus family: GlobeImposter 2.0
File extension: .tabufa
Ransom note: how_to_back_files.html
Contact: or
Infiltration: Spam emails, web injects, exploits, brute-forcing, fake updates, etc.
File decryption: Only available via third-party software if no backups are present
Removal: Terminate the threat with the help of powerful security software
System recovery: To restore damaged Windows OS files, scan your device with Reimage Reimage Cleaner Intego

Victims are also offered a free test decryption service for one file. This is a common technique used by hackers to create a false sense of security. However, experts recommend avoiding any contact with bad actors and instead focusing on Tabufa ransomware removal. Currently, the virus is not decryptable, but we provide alternative file recovery solutions below. The mentioned ransom message states the following:

All your data has been ciphered!
The only way of recovering your files is to buy a unique decryptor.
A decryptor is fully automatic, all your data will be recovered within a few hours after it’s installation.

For purchasing a decryptor contact us by email:

If you will get no answer within 24 hours contact us by our alternate emails:

We assure full recovery after the payment.
To verify the possibility of the recovery of your files we can decipher 1 file for free.
Attach 1 file to the letter (no more than 5Mb). Indicate your personal ID on the letter:

In reply we will send you an deciphered file and an instruction for purchasing an automatic decryptor for all your files. After the payment we will send you a decryptor and an instructions for protecting your computer from network vulnerabilities..


There are a variety of techniques that Tabufa file virus authors use in order to infect the maximum number of victims worldwide. For example:

  • Spam email attachments and hyperlinks;
  • Exploit kits;[2]
  • Pirated software and its cracks;
  • Fake updates;
  • Unprotected RDP;
  • Web injects, etc.

Regardless of how the malware got into your machine, you need to remove Tabufa ransomware as quickly as possible. For that, we suggest you download and install reputable security software, such as SpyHunter 5, Combo Cleaner or Malwarebytes. Nevertheless, be aware that not all AV engines might recognize the threat, so a scan with multiple solutions might be required.

Do not forget that Tabufa ransomware not only encrypts .jpg, .pdf, .doc, .xtml, .html, .gif, .mp4, and other file types, but also affects Windows OS operation. For example, the virus deletes Shadow Volume copies to complicate the recovery process, modifies the registry, enables new startup items, deletes files, etc.

Therefore, you should also make sure you use Reimage Reimage Cleaner Intego or similar repair software to fix virus damage done to your operating system. After that, you can then attempt to recover files encrypted by Tabufa ransomware. Please check the bottom section of this article for alternative methods if you do not have backups prepared.

Tabufa ransomware is a type of malware that locks up all personal files on the computer and then demands Bitcoin payment for the decryption tool

Ransomware uses a variety of infection methods – here's how to protect yourself

Ransomware is possibly one of the most destructive malware families around because the locked files are not deciphered when the malware is terminated. In most cases, a scan with reputable anti-virus software will terminate the malware, as multiple AV vendors specialize heavily in ransomware, so its removal is usually not a problem. However, this does not return the files to normal, because they are locked and require a unique key that is only accessible to the attackers. Despite that, security researchers always work on decryptors that would help victims retrieve their files for free.

Therefore, to avoid such an unfortunate situation, you should prevent the infection in the first place. Ensuring that your data is also stored on an external backup device or cloud-based storage would save the day, even if you do manage to get infected. These are the tips from industry experts,[3] so make sure to keep them in mind when using the computer on a daily basis:

  • Enable Firewall and install powerful anti-malware software with real-time protection feature;
  • Update your Windows operating system regularly;
  • Enable automatic updates for all the apps you have installed;
  • Avoid email attachments or hyperlinks. If needed, scan the file or the URL with tools like VirusTotal;
  • Do not download pirated software or its cracks;
  • Use ad-blocker on high-risk sites.

Do not contact cybercriminals and delete Tabufa ransomware from your system

While there is no official decryptor developed by security researchers yet, you should not pay the ransom and should instead remove Tabufa ransomware from your device. If you comply with the demands, you might get scammed and lose the money altogether. Besides, paying hackers will only prove that the illegal business of ransomware works, and it will prompt them to expand their operations further, developing more advanced threats.

You should perform Tabufa ransomware removal in the Safe Mode with Networking, as in this way malware's operation will be temporarily disabled. Once in Safe Mode, perform a full system scan with anti-malware software – this should be enough to terminate the virus. If you had no backups, check out the bottom section of this article for alternative file recovery solutions.

To remove Tabufa virus, follow these steps:

Remove Tabufa using Safe Mode with Networking

To ensure prompt Tabufa ransomware removal, enter Safe Mode with Networking:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Tabufa

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Tabufa removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Tabufa using System Restore

You can also use System Restore to terminate the virus:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Tabufa. After doing that, click Next.
    4. Now click Yes to start the system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that Tabufa removal is performed successfully.
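
To pick a restore point or backup that predates the infection, it helps to know when encryption began and how far it spread. The following Python sketch is an added example, not part of the original guide: it walks a folder for the .tabufa extension and the how_to_back_files.html note named above and reports the earliest modification time, assuming the malware did not preserve original file timestamps; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".tabufa"               # extension named in this article
RANSOM_NOTE = "how_to_back_files.html"  # ransom note named in this article


def assess_scope(root):
    """Walk `root`; summarise encrypted files, ransom notes and earliest write time."""
    by_type = Counter()      # original extension -> number of encrypted files
    note_dirs = []           # directories that contain a ransom note
    earliest = None          # oldest mtime (epoch seconds) among files and notes
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            is_note = lower == RANSOM_NOTE
            if not (is_note or lower.endswith(ENCRYPTED_EXT)):
                continue
            try:
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue     # unreadable entry: skip instead of aborting the scan
            if is_note:
                note_dirs.append(dirpath)
            else:
                original = name[: -len(ENCRYPTED_EXT)]
                by_type[os.path.splitext(original)[1].lower() or "(none)"] += 1
            earliest = mtime if earliest is None else min(earliest, mtime)
    return {"encrypted": sum(by_type.values()), "by_type": dict(by_type),
            "note_dirs": sorted(note_dirs), "earliest": earliest}


def build_sample_tree(root):
    """Constructed sample data: a tiny tree that imitates an affected profile."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    stamps = {"report.docx.tabufa": 1_560_000_000, "photo.jpg.tabufa": 1_560_000_060,
              RANSOM_NOTE: 1_560_000_120, "untouched.txt": 1_500_000_000}
    for name, ts in stamps.items():
        path = os.path.join(docs, name)
        open(path, "wb").close()
        os.utime(path, (ts, ts))
    return docs


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(assess_scope(tmp))
```

Run `assess_scope` against a user profile or a mounted copy of the disk; a restore point or backup older than the reported `earliest` value is the one to prefer.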

Bonus: Recover your data

The guide presented above is supposed to help you remove Tabufa from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Tabufa, you can use several methods to restore them:

Make use of Data Recovery Pro

Data Recovery Pro is an excellent tool that might recover even those files that were enciphered by ransomware.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Tabufa ransomware;
  • Restore them.

Windows Previous Versions feature might be useful

This recovery method will only work if you had System Restore enabled before Tabufa infected your PC.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

ShadowExplorer might retrieve all your data

This tool should be able to recover all the encrypted data if the virus failed to delete Shadow Volumes.

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryptor is currently available

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Tabufa and other ransomware, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by the government or any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services and platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer various losses due to cyber infections or their own faulty doings. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.

It is crucial to update your backups after any changes on the device, so that you can get back to the point you were working on when malware changes anything or issues with the device cause data or performance corruption. Make file backup your daily or weekly habit.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware occurs out of nowhere. Use Data Recovery Pro for the system restoring purpose.

About the author
Lucia Danes
Lucia Danes - Virus researcher
