PEDANT virus - How to remove

PEDANT virus is a new ransomware variant of another threat called Matrix. This threat works on the same principle as all other crypto viruses: it infects the system, locates all personal files, encrypts them with strong ciphers and pressures the user into buying the decryption key from the crooks for a certain amount of cryptocurrency. This is the worst kind of infection because even when the virus is removed, the affected data stays locked. What is more, there is no official decryptor for PEDANT virus yet.

Discovered and reported on February 13th, 2019 by the malware expert @demonslay335, PEDANT virus instantly attracted the attention of cyber specialists, because it became clear that this is the most recent version of Matrix ransomware, which to this day still has no decryptor; at this point, prevention is the only way to protect systems from PEDANT ransomware. However, if you have been attacked by this crypto infection and your files are now marked with the .PEDANT extension, don’t rush into paying the crooks: not only do you risk wasting money for nothing and sponsoring hackers to release even more threats, but there may be another way to get the locked data back, which you should try first. In this article, you will find all the details about the PEDANT virus, its processes, and techniques on how to best remove it and potentially restore compromised files.

What does PEDANT virus do

Viruses like PEDANT have a few features that place them in the ransomware category of malware. Not all crypto infections possess all of the characteristics, but as long as the principle is to gain something from the victim in exchange for the decryptor, the threat is called ransomware. Other examples are FCrypt, Pluto and Maoloa. PEDANT virus works exactly as explained: it gets into the system, finds all the personal files, including pictures, videos, music, documents and other data, except for the system files needed for Windows to run properly, and encodes them using the AES-128 and RSA-2048 algorithms. After that, the ransomware drops a ransom note on the user’s desktop, which states why the file names were changed, what happened to the system, why you cannot access your data anymore and how to reverse the process.

PEDANT ransomware ransom note

PEDANT virus encrypted files get marked not only with the ‘.PEDANT’ string at the end of the name, but also with a prefix containing the crooks’ email ‘[email protected]’, and some variants were observed to rename affected files completely with virus-generated unique IDs. This is done as a part of the scare tactics, and removing the extension from the encoded video/audio/etc. name is not going to restore the file. But PEDANT ransomware will make sure to inform you about the current situation of your Windows by leaving the ‘!PEDANT_INFO!.rtf’ ransom note, which says:

HOW TO RECOVER YOUR FILES?

WE HAVE TO INFORM YOU THAT ALL YOUR FILES WERE ENCRYPTED!

PLEASE BE SURE THAT YOUR FILES ARE NOT BROKEN!
Your files were encrypted with AES-128+RSA-2048 crypto algorithms.
*Please note that there is no way to decrypt your files without unique decryption
key and special software. Your unique decryption key is securely stored on our
server.
*Please note that all the attempts to recover your files by yourself or using third
party tools will result only in irrevocable loss of your data!
*Please note that you can recover files only with your unique decryption key, which
stored on our server.

HOW TO RECOVER FILES?
Please write us to the e-mail, we will send you instruction how to recover your data.
Our main e-mail: [email protected]
Our secondary e-mail: [email protected]
Our secondary e-mail: [email protected]

Please write to our main e-mail. If you will not receive answer in 24 hours, please
write to our secondary e-mails! Please always check SPAM folder!
*Write on English or use professional translator

In subject line write your personal ID: [uniqueID]

For your assurance you can attach up to 3 small encrypted files to
your message. We will decrypt and send you decrypted files for free.
*Please note that files must not contain any valuable information and their
total size must be less than 5Mb.

Please don’t worry, we can help you to RESTORE your server to original
state and decrypt all your files quickly and safely!

OUR HELP!
You have to pay for our help in Bitcoin Cryptocurrency.
Immediately after payment we will send you (by e-mail) automatic decryption tool
and your unique decryption key. You just have to start decryption tool on your
server and all files will be automatically decrypted. All original file names will be
restored too.

Although the crooks are right that they are the only ones who know the decryption key which can unlock your files, it would be wrong to send a payment in exchange for that decryptor. It is unknown how much they ask at the moment, but the amount can range from a few hundred to a few thousand dollars, the average being $1000, with cryptocurrency used for anonymity. In order to get your data back, we advise running a malware scanner, removing the PEDANT virus and restoring files from backups.
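As an added example (not from the article), the following Python script inventories a directory tree for the two indicators described above: file names carrying an e-mail prefix plus the .PEDANT suffix, and the !PEDANT_INFO!.rtf ransom note. The bracketed form of the prefix and the placeholder address are assumptions, since the page redacts the real e-mail; the sample tree is constructed in a temporary directory.

```python
import os
import re
import tempfile
from pathlib import Path

# Naming pattern from the article: an e-mail prefix followed by the original
# (or ID-renamed) name and the .PEDANT suffix. The square-bracket delimiters
# and the placeholder address are assumptions; the real address is redacted.
ENCRYPTED_NAME = re.compile(r"^\[[^\]]+@[^\]]+\](.+)\.PEDANT$", re.IGNORECASE)
RANSOM_NOTE = "!PEDANT_INFO!.rtf"  # note file name quoted in the article


def scan_tree(root):
    """Walk root; return (encrypted_files, note_files) as sorted path lists."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                notes.append(full)
            elif ENCRYPTED_NAME.match(name):
                encrypted.append(full)
    return sorted(encrypted), sorted(notes)


def build_sample_tree():
    """Constructed layout mimicking an infected user profile (sample data)."""
    root = tempfile.mkdtemp(prefix="pedant_demo_")
    docs = Path(root, "Documents"); docs.mkdir()
    pics = Path(root, "Pictures"); pics.mkdir()
    (docs / "[attacker@example.invalid]report.docx.PEDANT").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("HOW TO RECOVER YOUR FILES?\n")
    (pics / "[attacker@example.invalid]holiday.jpg.PEDANT").write_bytes(b"\x00" * 16)
    (pics / "untouched.png").write_bytes(b"\x89PNG")  # must not be flagged
    (pics / RANSOM_NOTE).write_text("HOW TO RECOVER YOUR FILES?\n")
    return root


def summarize(root):
    """Counts plus the list of directories that hold encrypted files."""
    encrypted, notes = scan_tree(root)
    return {"encrypted": len(encrypted), "notes": len(notes),
            "affected_dirs": sorted({os.path.dirname(p) for p in encrypted})}


if __name__ == "__main__":
    print(summarize(build_sample_tree()))
```

Run it against a real profile by passing the profile path to scan_tree or summarize; the affected-directory list tells you which folders to restore from backup first.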

How does PEDANT virus spread

In order to install, PEDANT cryptovirus needs to be executed by the victim, and for that it uses many tricks designed to make the user voluntarily initiate the infection without even knowing about it. Previous Matrix variants are known to have spread actively via hacked remote desktop services, but one of the most popular techniques is malspam with macros. Crooks craft a socially engineered email, pretending to be from an important sender such as a government agency, the police, a client, a bank or a healthcare facility, and mention something alarming that would urge the user to open the attachment. There are plenty of red flags that can indicate a planned malware attack, but since the messages are composed to cause stress and a rush of other emotions, logical thinking barely works. So once the .docx or .pdf attachment is downloaded and opened by the targeted victim, it says that if you want to see the document, you must enable macros.

Macros are a legitimate MS Office feature: prerecorded commands that can be run automatically in order to automate simple and complex tasks. The feature is often misused because crooks can very easily store malicious code in a macro. That is why, when you end up enabling macros on unknown files, viruses like the PEDANT ransomware can begin their infection. While the victim still wonders why the downloaded file does not contain any information, PEDANT virus has already begun its malicious deeds in the background. (More on ransomware distribution via macros.)
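To complement the macros paragraph, here is an added Python check (not from the article) that looks inside an Office Open XML attachment for a VBA project member instead of trusting the file extension; the sample containers are constructed inline and are not real Word documents.

```python
import io
import zipfile

# Office Open XML files are ZIP containers. A VBA project, if present, is stored
# as one of these members (Word, Excel, PowerPoint respectively).
VBA_MEMBERS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def has_vba_project(data: bytes) -> bool:
    """True if the container carries a VBA project, whatever the file is named."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        # Not an OOXML container (e.g. legacy .doc, PDF, or a non-Office file);
        # such files need a different parser, so report "no OOXML macro found".
        return False
    return bool(names & VBA_MEMBERS)


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal container with the OOXML member layout (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            # Placeholder bytes standing in for the OLE-based VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


def triage(attachments):
    """attachments: {file name: bytes}. Flags macro-bearing files and the
    suspicious case of a macro inside a file presented as plain .docx."""
    result = {}
    for name, data in attachments.items():
        macro = has_vba_project(data)
        result[name] = {
            "has_macro": macro,
            "extension_mismatch": macro and name.lower().endswith(".docx"),
        }
    return result


if __name__ == "__main__":
    print(triage({"invoice.docm": build_sample(True),
                  "invoice.docx": build_sample(False)}))
```

A file that is flagged here should be opened, if at all, only in Protected View with macros disabled, and sent to the security team rather than the user.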

How to remove PEDANT ransomware and recover files

Bottom line up front: at the moment it is impossible to decrypt files locked by PEDANT virus or any other Matrix ransomware variant. However, that does not mean that you cannot get your data back. But before we get into explanations on how to restore unavailable files, you first need to remove the threat from your computer completely, or else files may get encrypted a second time, irreversibly. For the PEDANT ransomware elimination, we suggest running a full system scan with an anti-spyware program such as Spyhunter or Malwarebytes, which are able to detect and delete the harmful files of the virus from all directories, including ones that are sometimes inaccessible to a regular user. These security tools are trustworthy and will confirm that the compromised computer is free from PEDANT virus, after which recovery can begin.

Unfortunately, a lot of these newer ransomware variants delete the file snapshots that could be used to bring back your data, but it is still worth checking whether files can be restored from their Shadow Copies, as shown in the instructions below, because sometimes PEDANT virus can malfunction too. In case this method does not work, we suggest performing a system restore from backups (see the guidelines below). Mind you, you have to actually have them. Although backing up files is becoming more and more popular, there are still a lot of people who only start worrying about their data once it gets hacked, not beforehand. If you belong to the latter group, then the only thing we can recommend after the removal is to keep the compromised data stored somewhere on the computer and keep checking the official Nomoreransom.org site for a PEDANT virus decryptor.


How to recover PEDANT virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points from before Matrix infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of PEDANT virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, such as Spyhunter, and remove all malicious files related to Matrix.

Step 3. Restore PEDANT virus affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Matrix tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

Shadow Explorer is a program that can be found online for free. You can download either a full or a portable version. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover PEDANT virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:
  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. We therefore recommend using decent cloud backup software as a precaution, for example Carbonite, BackBlaze, CrashPlan or Mozy Home.