A ransomware virus known as PEC 2017 ransomware, first detected at the beginning of May 2017 has been reported to encrypt files using the .pec file extension. The infection drops a .html file on the desktop of the victims computers in which it has instructions on how to pay a ransom in order to restore the encrypted files. In case you have been infected by the PEC 2017 ransomware virus, read this article to remove it from your computer and to try and recover your data.
.pec File Virus – What Does It Do
The PEC 2017 ransomware is created to primarily target Italian businesses. The virus aims to conceal its payload in documents that are portrayed as autobiography of someone applying for a job interview. In case your computer has been infected by this virus, one strong symptoms is that the files will have the .pec file extension added.
Upon infecting a given computer system, the PEC 2017 ransomware aims to modify the Windows Registry Editor. The ransomware targets the following Windows Registry sub-key:
In this key, a custom value string with the location of the malicious executable of PEC 2017 is added. This is done to run the executable on system startup. The malicious files of the PEC 2017 ransomware may be located in the following system folders:
- %Application Data%
- %System Drive%
After this has been done, the virus may drop it’s ransom note, one of the variants of which was detected to be in Italian (“AIUTO_COME_DECIFRARE_FILE.html”). The ransom note has the following content when translated:
Learn how to decrypt files
Your files have been encrypted by the PEC 2017 system with AES 256 encryption.
PEC is not decipherable by any software and no antivirus.
How to recover encrypted data
The only way to recover corrupted data is to purchase PEC CLEANER Recovery Software.
Once you have obtained the software, you will be able to recover and restore the corrupted files.
With the same software you can decrypt all damaged files even those on external or network disks.
Do not use any antivirus software or decrypt as not only ineffective, but may compromise data retention forever.
With PEC Cleaner, you can retrieve all your perfectly working and unexpected data.
How to Buy PEC CLEANER
Contact the decrypt software manufacturer to purchase the license and download the program:
Your unlock key is
The software will be available for download within 24 hours of your payment and will allow you to restore your data immediately.
The note is specifically created to scare off users so that they contact the cyber-criminals via the encrypted e-mail provider ProtonMail.
The encryption of PEC 2017 virus may include looking for important:
- Audio files.
- Image files.
- Database files.
- Files, related to often used programs, like Photoshop, Reader, etc.
After the encryption by PEC 2017 ransomware is complete, the virus leaves the files to appear with the following file extension:
- New Text Document.txt.pec
The files can no longer be opened and PEC 2017 virus makes sure their recovery is significantly more difficult by deleting them from the Windows Recovery and Windows Shadow Copies services.
PEC 2017 – How Did I Get Infected?
The malicious executable, carrying the infection is reported to be an .rtf type of file with an obfuscated code, meaning not all antivirus products can detect it, if it is new. Cyber-criminals invest a lot in obfuscation. This file may have different file names, for example one variant names it “nevia_ferrara_analista_contabile_eu.rtf”. This specific file uses the CVE-2017-0199 vulnerability to cause an infection while remaining undetected. The file may be sent via e-mail with subjects, such as CV, autobiography and others. When it is opened, the document displays a fake CV:
But what the victims fail to notice is that in the same time the documents asks victims to view it by enabling macros and this is how the infection occurs.
Remove .pec File Virus and Recover Your Files
If you want to remove this ransomware infection, feel free to follow the removal instructions below. However, if manual removal may present difficulty for you, security analysts always advise users to focus on downloading and advanced anti-malware tool to help you fully get rid of this virus. Another reason for this is that you will protect your computer in the future too. For the moment, there is no direct decryption of files encrypted by .pec ransomware. However, you can follow the alternative methods for file recovery below, to restore as many files as you can, while a decryptor arrives.
Booting in Safe Mode
1) Hold Windows Key and R
2) A run Window will appear, in it type “msconfig” and hit Enter
3) After the Window appears go to the Boot tab and select Safe Boot
Cut out PEC 2017 in Task Manager
1) Press CTRL+ESC+SHIFT at the same time.
2) Locate the “Processes” tab.
3) Locate the malicious process of PEC 2017, and end it’s task by right-clicking on it and clicking on “End Process”
Eliminate PEC 2017‘s Malicious Registries
For most Windows variants:
1) Hold Windows Button and R.
2) In the “Run” box type “Regedit” and hit “Enter”.
3) Hold CTRL+F keys and type PEC 2017 or the file name of the malicious executable of the virus which is usually located in %AppData%, %Temp%, %Local%, %Roaming% or %SystemDrive%.
4) After having located malicious registry objects, some of which are usually in the Run and RunOnce subkeys delete them ermanently and restart your computer. Here is how to find and delete keys for different versions.
For Windows 7: Open the Start Menu and in the search type and type regedit –> Open it. –> Hold CTRL + F buttons –> Type PEC 2017 Virus in the search field.
Win 8/10 users: Start Button –> Choose Run –> type regedit –> Hit Enter -> Press CTRL + F buttons. Type PEC 2017 in the search field.
Automatic Removal of PEC 2017
Recover files encrypted by the PEC 2017 Ransomware.
Method 1: Using Shadow Explorer. In case you have enabled File history on your Windows Machine one thing you can do is to use Shadow Explorer to get your files back. Unfortunately some ransomware viruses may delete those shadow volume copies with an administrative command to prevent you from doing just that.
Method 2: If you try to decrypt your files using third-party decryption tools. There are many antivirus providers who have decrypted multiple ransomware viruses the last couple of years and posted decryptors for them. Chances are if your ransomware virus uses the same encryption code used by a decryptable virus, you may get the files back. However, this is also not a guarantee, so you might want to try this method with copies of the original encrypted files, because if a third-party program tampers with their encrypted structure, they may be damaged permanently. Here are the vendors to look for:
Method 3: Using Data Recovery tools. This method is suggested by multiple experts in the field. It can be used to scan your hard drive’s sectors and hence scramble the encrypted files anew as if they were deleted. Most ransomware viruses usually delete a file and create an encrypted copy to prevent such programs for restoring the files, but not all are this sophisticated. So you may have a chance of restoring some of your files with this method. Here are several data recovery programs which you can try and restore at least some of your files: