
'.PUMA File Extension' Ransomware

By GoldSparrow in Ransomware

The '.PUMA File Extension' Ransomware is an encryption ransomware Trojan. At the time of writing, the '.PUMA File Extension' Ransomware is being distributed through cracked copies of Windows 7 and Windows 10. Like most encryption ransomware Trojans, the '.PUMA File Extension' Ransomware takes the victim's files hostage by enciphering them with a strong encryption algorithm and then demands a ransom payment for their recovery.

Symptoms of a '.PUMA File Extension' Ransomware Infection

The '.PUMA File Extension' Ransomware runs on the infected computer as an executable named 'km0TTTU1Ig.exe.' Its attack uses AES encryption to make the victim's files inaccessible, targeting user-generated files, which may include files with the following extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .set, .iif, .nd, .rtp, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .dsf, .ds4, .drw, .prn, .pcd, .pct, .pcx, .plt, .rif, .tga, .tiff, .psp, .ttf, .wpg, .wi, .wmf, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .sct, .wk3, .wk4, .xpm, .zip, .rar.

The '.PUMA File Extension' Ransomware adds the file extension '.PUMA' to each file it encrypts in its attack.

The '.PUMA File Extension' Ransomware's Ransom Demand

The '.PUMA File Extension' Ransomware delivers a ransom note to the victim's computer when it finishes the files' encryption. The '.PUMA File Extension' Ransomware's ransom demand takes the form of a text file named '!readme.txt,' which contains the following message:

'!ATTENTION PLEASE!
Your databases, files, photos, documents and other important files are encrypted and have the extension: .puma
The only method of recovering files is to purchase an decrypt software and unique private key.
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data. Only we can give you this key and only we can recover your files.
You need to contact us by e-mail pumarestore@india.com send us your personal ID and wait for further instructions.
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
Discount 50% available if you contact us first 72 hours.
E-mail address to contact us:
pumarestore@india.com
Reserve e-mail address to Contact us:
BM-2cXonzj9ovn5qdX2MrwMkej3qCqunko4h@bitmessage.ch
Your personal id:
[random characters]'

Unfortunately, once the '.PUMA File Extension' Ransomware finishes encrypting the targeted files, they cannot be decrypted without the attackers' key. The best protection against the '.PUMA File Extension' Ransomware and similar threats is therefore to have the means to restore the affected files from another source: backup copies kept offline or on storage the infected machine cannot write to, so that the ransomware cannot encrypt the backups as well. Since the '.PUMA File Extension' Ransomware is distributed to its victims through pirated software, keep in mind that such content is illegal and that downloading and installing it carries a high risk of a malware infection, including the '.PUMA File Extension' Ransomware and other ransomware Trojans.

Update November 28th, 2018: '.pumax File Extension' Ransomware

The '.pumax File Extension' Ransomware is not a new cyber-threat but a new variant of the '.PUMA File Extension' Ransomware. The name '.pumax File Extension' Ransomware is simply a working tag given to the new variant by cybersecurity researchers. There also appears to be a third variant (chronologically) that uses the '.pumas' file extension to mark the encrypted files. Both variants, PUMAX and PUMAS, emerged with incident reports on November 24th, 2018. Judging by the low infection ratio for the '.pumax File Extension' Ransomware and the '.pumas File Extension' Ransomware, the threat authors may be struggling to produce a ransomware Trojan that can evade detection. The threat actors continue to send spam emails to users and appear to have modest success. The data affected by these Trojans carries one of the two extensions mentioned above: depending on the variant that compromised your system, 'Sample.docx' is renamed to 'Sample.docx.pumax' or 'Sample.docx.pumas.'
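The triage script below is an added example, not code from this write-up or from any decryptor. It ties together the points above: the three extensions the variants append ('.puma', '.pumax', '.pumas'), the '!readme.txt' note, and the 'Your personal id:' line the note asks the victim to send. It walks a directory tree, counts files by appended extension so you can tell which variant ran on the host, recovers each file's pre-encryption name by stripping the appended extension, and pulls the personal ID and contact addresses out of every ransom note it finds. The 'Documents' directory, its file names and the ID value 'CONSTRUCTED0000ID' are constructed for the demonstration; the note text is the one quoted above, shortened. Nothing is decrypted.

```python
"""Triage helper for a host hit by the '.PUMA' / '.pumax' / '.pumas' variants.

Added example, not code from the write-up or from any decryptor. It does not
decrypt anything; it records what an incident report needs before deciding
between restore-from-backup and a decryptor attempt.
"""
import json
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

PUMA_EXTENSIONS = {".puma", ".pumax", ".pumas"}  # extensions named in the write-up
RANSOM_NOTE_NAME = "!readme.txt"                 # note file name from the write-up

# The note puts the ID on the line after 'Your personal id:'; its format is not
# documented, so take whatever non-blank token follows the label.
ID_RE = re.compile(r"Your personal id:\s*([^\s']+)", re.IGNORECASE)
# Matches both the e-mail address and the Bitmessage address in the note.
CONTACT_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def parse_ransom_note(text: str) -> dict:
    """Extract the victim ID and every contact address from one ransom note."""
    match = ID_RE.search(text)
    return {
        "personal_id": match.group(1) if match else None,
        "contacts": sorted(set(CONTACT_RE.findall(text))),
    }


def original_name(name: str) -> str:
    """'Sample.docx.pumax' -> 'Sample.docx': the malware only appends an extension."""
    return Path(name).with_suffix("").name


def triage(root: Path) -> dict:
    """Walk `root`; summarise encrypted files, the variant seen and any ransom notes."""
    counts: Counter = Counter()
    encrypted = []  # (encrypted path, pre-encryption file name)
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() == RANSOM_NOTE_NAME:
                parsed = parse_ransom_note(path.read_text(encoding="utf-8", errors="replace"))
                parsed["path"] = str(path)
                notes.append(parsed)
                continue
            ext = path.suffix.lower()  # '.PUMA' and '.puma' are the same variant
            if ext in PUMA_EXTENSIONS:
                counts[ext] += 1
                encrypted.append((str(path), original_name(name)))
    seen = sorted(counts)
    if not seen:
        variant = None
    elif len(seen) == 1:
        variant = seen[0].lstrip(".")
    else:
        variant = "mixed"  # more than one variant ran on this host
    return {"variant": variant, "counts": dict(counts), "encrypted": encrypted, "notes": notes}


# Constructed sample note: the text quoted in the write-up, shortened, with a made-up ID.
SAMPLE_NOTE = """!ATTENTION PLEASE!
Your databases, files, photos, documents and other important files are encrypted and have the extension: .puma
You need to contact us by e-mail pumarestore@india.com send us your personal ID and wait for further instructions.
E-mail address to contact us:
pumarestore@india.com
Reserve e-mail address to Contact us:
BM-2cXonzj9ovn5qdX2MrwMkej3qCqunko4h@bitmessage.ch
Your personal id:
CONSTRUCTED0000ID
"""


def build_sample_tree(root: Path) -> Path:
    """Create a constructed directory that resembles a hit user profile."""
    docs = root / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    for name in ("report.docx.puma", "budget.xlsx.PUMA", "photo.jpg.puma"):
        (docs / name).write_bytes(b"\x00" * 64)  # placeholder ciphertext
    (docs / "untouched.txt").write_text("not encrypted")  # no appended extension
    (docs / RANSOM_NOTE_NAME).write_text(SAMPLE_NOTE)
    return root


def demo() -> dict:
    """Run triage over the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as-is to see the JSON summary for the constructed tree, or call triage() on a copy of the affected user profile. A 'mixed' variant means files with more than one of the three extensions were found, which matters because a decryptor written for one variant will not necessarily handle the other; the personal ID and contact addresses are the identifiers worth recording in the incident report and matching against other reports of the same campaign.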

The ransom note remains the same, and there are no changes to the email account, 'pumarestore@india.com,' or the ransom note title, '!readme.txt.' There is good news for PC users affected by the '.pumax File Extension' Ransomware. A programmer going by @AfshinZlfgh on Twitter.com has written a decryptor in Python that users may want to try. The Python decryptor for the '.pumax File Extension' Ransomware can be found at https://github.com/AfshinZlfgh/pumax_ransomware_decryptor. Please note that the decryptor requires a basic level of Python knowledge, and you may wish to seek help from a computer technician to run it. Before trying any decryptor, copy the encrypted files to a separate location so that a failed attempt cannot damage the only remaining copies. Also, the decryptor made by @AfshinZlfgh may not be compatible with updated versions of the '.pumax File Extension' Ransomware and the '.pumas File Extension' Ransomware. If you keep your data with a backup service such as Google Drive, Dropbox or dedicated backup software, use it to restore your files. Detection names for the '.pumax' and '.pumas' variants include:

Trojan.GenericKD.40778855
Trojan.Ransom.Stop
Trojan/Win32.Kryptik.R246186
Win32:MalwareX-gen [Trj]
malicious_confidence_90% (W)
W32/Trojan.PYZQ-2344
a variant of Win32/Kryptik.GNAI
Trojan ( 00541e221 )
Trojan:Win32/Gandcrab.AF
GenericRXGP-RE!EE4485D73E67
TSPY_COINSTEAL.THAABHAH
