Remove Bufas Ransomware Virus (+File Recovery)

How to Remove Bufas Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

     Don’t worry my friend, you can return all your files!
    All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
    The only method of recovering files is to purchase decrypt tool and unique key for you.
    This software will decrypt all your encrypted files.
    What guarantees you have?
    You can send one of your encrypted file from your PC and we decrypt it for free.
    But we can decrypt only 1 file for free. File must not contain valuable information.
    You can get and look video overview decrypt tool:
    Price of private key and decrypt software is $980.
    Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
    Please note that you’ll never restore your data without payment.
    Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

    To get this software you need write on our e-mail:

    Reserve e-mail address to contact us:

Bufas ransomware is yet another variant of the DJVU (STOP) ransomware. This nasty virus sneaks into your computer and corrupts your data. You are dealing with a dangerous intruder. As soon as it invades your PC, corruption follows. The ransomware alters settings, modifies the registry, drops malicious files and starts dangerous processes. This, of course, happens without any noticeable symptoms. Bufas is designed to be stealthy. It lurks in the shadows and works against you. The virus has only one purpose: to cause harm. It serves the interests of its criminal creators. The ransomware is after the user-generated data. It targets your pictures, music, videos, databases, archives. Bufas wastes no time and encrypts your files with strong encrypting algorithms. You can recognize the corrupted files by the “.bufas” extension which the ransomware adds at the end of the successfully locked files. You can still see the icons of your files, but you cannot view or edit them. The ransomware promises a solution if you pay up. It drops a file named “_readme.txt” on your desktop. That’s its ransom note. It explains the situation and lists the hackers’ demands. The criminals want $490 paid in Bitcoin. They threaten to double the amount if you fail to start the transaction within 72 hours. Do not swing into action, though. This psychological trick pushes you into impulsive actions. Slow things down. Take a minute to consider the situation. Paying does not guarantee anything. The hackers tend to ignore their victims once they receive the ransom. Consider discarding your files.

How did I get infected with?

Torrents, fake updates, corrupted links, malicious websites, spam messages. You can never know where a virus might strike from. There are numerous virus distribution tricks. And Bufas uses all known strategies. This ransomware lurks in the shadows and attacks when you least expect it. Do not make its job easier. The virus infects your PC when you throw caution to the wind. Your vigilance, on the other hand, can keep your PC free of infections. Even a little extra attention can spare you an avalanche of issues. So, don’t be lazy. Always take the time to do your due diligence. Don’t visit questionable websites. Download software and updates from reputable websites only. When available, use the advanced/custom setup option. And be very careful with your inbox. Whether it’s an email or an instant message, treat all unexpected messages as potential threats. Always verify the senders. If, for example, you receive an email from an organization, go to their official website. Compare email addresses listed there to the questionable one. If they don’t match, delete the pretender. You can also enter the suspicious email addresses into a search engine. If they were used for questionable activities, someone might have complained.

Remove Bufas

Why is Bufas dangerous?

Bufas ransomware is a nightmare. It slithers into your computer and corrupts your files. Every picture, every document, every archive, everything gets the .bufas extension. The ransomware gets your data under lock and key and drops its ransom note. Do not panic! You are in a bad situation. There is no third-party decryption tool for this ransomware, yet. Paying the ransom, however, won’t accomplish anything. The hackers are known to not keep their part of the deal. They often ignore the victims once they receive the money. There are cases when the victims paid just to be blackmailed for more. Even if you receive a decryption tool, it might be nonfunctional. You cannot ask for a refund if something goes wrong. You are dealing with experienced criminals. They demand Bitcoin. This cyber currency is untraceable. Once you transfer the money, they are gone forever. Don’t act impulsively! You’ve fallen victim to a dangerous virus. Don’t help its publishers develop their criminal activities!

Bufas Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Bufas Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Have in mind that this is usually a random generated file.
  • Before you kill the process, type the name on a text document for later reference.


  • Locate any suspicious processes associated with Bufas encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate Bufas encryption Virus startup location

  • Once the operating system loads press simultaneously the Windows Logo Button and the R key.


Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or

  • and delete the display Name: [RANDOM]

delete backgroundcontainer

  • Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

windows system restore

  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.

Leave a Comment