Complete Fluffy-TAR Ransomware Removal Guide

How to Remove Fluffy-TAR Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

What’s happening?
Oh no! Fuffy-TAR has encrypted some of your files! It means they are not lost, but cannot be used until decrypted.
They are “locked”, you could say. If you see a file which name ends with “lock75”, it means this file is encrypted. The process iseasily reversible but requires a key.
What do I do?
To get your files back, you must buy the decryption key. This payment must be done in Bitcoins, a cryptographic currency. Bitcoin is becoming more and more acessible and nowadays, it is really easy to use bitcoins. See the online interface (button below) for a more detailed introduction to bitcoins.
To get your files back, please send exactly (or more if you want) 0.039 Bitcoins to this address, BEFORE the countdown below ends:
[1D4yXNh45nur1KVNqnPZ5T7nep5Y1KDbwx] Uppercase/lowercase matter! Make sure you send to the right address! (you can scan the QR code to copy it)
After sending the payment, wait an hour then click the “Retrieve key automatically” button below.
The software will then receive the key and decrypt ALL encrypted files.
Without the key, it is impossible to decrypt your files. Without the proper payment, it is impossible to get the key.
When the countdown reaches zero, you will lose all encrypted documents.
Please note: If you have an antivirus, disable it now if you don’t want to lose your data.
[Decrypt one file for free] [Francais] [Detailed info and manual key retrieving] [Retrieve key automatically]

Fluffy-TAR is the latest member of the ransomware family. It adds the “.lock75” suffix at the end of all encrypted files, hence, this virus is also known as the Lock75 ransomware. Despite its cute name, Fluffy-TAR should not be underestimated. The ransomware infection is one of the worst cyber threats. Once on board, this pest will wreck your system. It uses the AES256 and RSA encrypting algorithms to lock your files. Fluffy-TAR has a ransom note written in both, English and French. Security experts believe that this suggests that the virus mainly targets Europe and North America. However, we can speculate even further. Fluffy-TAR demands only 0.039Bitcoins (about 47 USD) as a ransom, which is a relatively modest sum, therefore, we can conclude that the ransomware is actually targeting much wider spectrum of potential victims. Let’s not forget that this parasite is still under development. The next versions of the virus may have ransom note translated into more languages. Fluffy-TAR employs several well-known ransomware tactics. It has a countdown clock, to scare its victims; common encoding tools (the strongest possible, of course); and last but not least, a payment system that is a total rip-off of other ransomware. Well, generally, cyber criminals don’t care about intellectual rights. They share well-working strategies between each other. All these jokes aside, let’s focus on the virus.

How did I get infected with?

You must have heard it a thousand times, but let’s say it again. Don’t open emails from unknown senders. Scammers are very imaginative nowadays. They tend to write on behalf of well-known organizations and companies. They will do anything to lure you into downloading an attached file. Be vigilant and doubtful! Check the sender’s contacts before opening a letter. You can do so by entering the questionable email address into some search engine. If this email was used for shady business, someone must have complained about it online. This method, however, is not flawless. Always judge the situation for yourself. We can give you one more tip for checking suspicious email addresses. If you receive a letter from a company, visit their official website. There, under the contact section, you will be able to find their official email address. Compare it with the one you have received a letter from. If they don’t match, delete the spam message immediately. In addition, stay away from suspicious websites and torrents. Your computer’s security is your responsibility and yours only. Little extra caution can spare you tons of troubles.

Why is Fluffy-TAR dangerous?

Fluffy-TAR can encrypt more than a hundred file formats. It will lock your pictures, documents, archives and presentation. You will be able to see the icons of those files, yet, you won’t be able to open or use them. To unlock your files, you must use a special decryption key. Be that as it may, the key will coast you money and nerves. After a successful payment of the ransom, you must wait about an hour. However, no one can guarantee you that the crooks will send you a working key, if they send you anything at all. You are dealing with cyber criminals, after all. Don’t expect them to play fair. There are cases where the victims paid the ransom but didn’t receive decryption tools. Therefore, we strongly advise to refrain yourself from paying the ransom. Don’t sponsor criminals. Think of this as a battle against cyber crimes. If no one is paying, crooks won’t have money to fund their shady business. Besides, if you are lucky, you may have shadow copies of your files. You can use them to restore your documents without paying the ransom. Be aware that by restoring your file you are not removing the virus! Before you tempt anything, track the virus down and delete it! Otherwise, you risk getting your newly restored files getting encrypted. Use a trustworthy anti-virus to scan your system and delete all malicious files. Of course, you can use our guide to do it manually.

Fluffy-TAR Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Fluffy-TAR Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

• Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
• Locate the process of the ransomware. Have in mind that this is usually a random generated file.
• Before you kill the process, type the name on a text document for later reference.

• Locate any suspicious processes associated with Fluffy-TAR encryption Virus.
• Right click on the process
• Open File Location
• End Process
• Delete the directories with the suspicious files.
• Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

• Open any folder
• Click on “Organize” button
  
• Choose “Folder and Search Options”
• Select the “View” tab
• Select “Show hidden files and folders” option
• Uncheck “Hide protected operating system files”
• Click “Apply” and “OK” button

STEP 3: Locate Fluffy-TAR encryption Virus startup location

• Once the operating system loads press simultaneously the Windows Logo Button and the R key.

• A dialog box should open. Type “Regedit”
• WARNING! be very careful when editing the Microsoft Windows Registry as this may render the system broken.

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

• and delete the display Name: [RANDOM]

• Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

• Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

• Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
• Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.