Bufas ransomware – How to remove it from your system


Understanding .Bufas File Virus

What does the suffix .bufas in your file name means? How does the Bufas ransomware make your files unusable? Is your system safe and secure? Is it as dangerous as other STOP ransomware? The article below will guide you on how to remove Bufas ransomware from your system?


A tech savvy mind doesn’t need any words to understand the working methodology of Bufas ransomware. Like its siblings, it causes menace by targeting particular file types and making them unusable.

Discovered in mid May 2019, developers have a strong financial motive behind this crypto virus attack. In order to fulfil this nasty idea, .bufas file virus uses a powerful cryptography to encrypt the important data on your system. Once the files are corrupted, it generates a unique decryption key on the remote server for every Bufas file. Without this decryption key, Bufas file recovery is a challenging task. However, not impossible!

This key is used by hackers to blackmail the victims to extort large amount of money. Cyber crooks threaten the victims for permanent data loss, in case if they fail to make the payment in bitcoins. With the fear of losing the important/ personal data, victims get ready to pay the demanded amount. However, reality is way different!

Even after completing the transaction, there is no guarantee that hackers will enable the decryption key. According to researches, these hackers might ignore you after receiving the ransom amount. Hence, instead of supporting this evil, aim at culminating it!

Below you can find the simple and easy steps to fix the malicious Bufas ransomware.

Threat Summary

Name Bufas virus
Type Ransomware
Category Malware
Targeted OS Windows
Targeted Bowser Google Chrome, Internet Explorer, Mozilla Firefox

Distribution Technique

There are various ways in which .Bufas file virus can proliferate itself in your system. Alike other STOP ransomware, it uses the common tactics of distribution.

One of the easiest ways by which, Bufas land on your system is, via spam campaigns. In such attack campaigns, cyber criminals send an e-mail with malicious attachments. The e-mail look legitimate however the danger lies within the content or attachment. Its legitimacy is the second major reason, why user does not hesitate before opening these attachments. First is that, the subject line of such e-mails, made them appear trustworthy. Once, you open this attachment, the malicious file triggers the ransomware payload and infects your system with Bufas extension virus. Apart from the malicious advertisements, developers insert hyperlinks in the content of e-mail. These links redirects the user to some questionable sites.

Usually, when you open the attached file/link, it asks for the permission to run the scripts. This script is nothing but the ‘macros’, through which the infection follows.

Hence, it is always recommended to immediately delete the suspicious e-mails. In other words, be alert and do not expose your system to any destructive threats.

Threat Behavior

The moment this ransomware infiltrates your system, it results in malicious modifications. It uses the same algorithm as used by the infamous STOP ransomware, the ultimate aim of Bufas ransomware is to encrypt data.

In order to successfully encrypt the files, the malicious ransomware uses strong cryptographies such as AES, RSA and Salsa20. Once, the files are infected by Bufas file extension, it generates a unique key to decrypt file. Furthermore, it appends ‘.Bufas’ extension to the file name, which makes them unusable.

Once, it makes itself comfortable in your system, it scans every inch of your computer to locate the targeted files. .Bufas STOP ransomware looks for the files which are most commonly found in most of the PCs. Documents, Images, Audio-Video files and Backups are a few targeted files. At the end, .Bufas ransomware drops a ransom demanding message, which aims at extorting money from the victim users.

Ransom Note

Bufas ransomware asks for hefty amount of ransom in exchange of the decryption key. Sum equal to $980 (in bitcoins) is demanded to decrypt Bufas files. Moreover, you can avail the benefit of discount of 50% in the ransom amount, only if you contact the hackers within 72 hours of the Bufas ransomware attack. The price will be reduced to $490 (in bitcoins) for you. However, paying the asked ransom amount does not ensure .Bufas file recovery. Hence, instead of funding the cyber criminals, focus to remove .Bufas ransomware.

Keep in mind, paying the ransom is not the only way out! In fact, it encourages cyber crooks to initiate a new ransomware project. Hence, here are a few possible solutions to delete .Bufas file virus from your system. Scroll down for easy and simple steps to remove .Bufas extension:

Removal guidelines for .Bufas File Virus

STEP A: Reboot your system to Safe Mode

Windows 7/ Vista/ XP

  1. Click on Windows icon present in the lower left corner of the computer screen.
  2. Select and click  Restart.
  3. When the screen goes blank, Keep tapping  F8  Key until you see the Advanced Boot Options window.
  4. With the help of arrow keys on keyboard, Select Safe Mode with Networking  option from the list and press the Enter Key. The system will then restart to Safe Mode with Networking.

5 Click on the username and enter the password (if any).

Windows 10 / Windows 8

  1. Press and hold the Shift Key and simultaneously click on the windows icon present in the lower left corner of your computer screen.
  2. While the Shift key is still pressed click on the Power button and then click on Restart.
  3. Now select Troubleshoot → Advanced options → Startup Settings.
  4. When the Startup Settings screen appears which is the first screen to appear after restart, select and click on Enable Safe Mode with Networking. The system will then restart to Safe Mode with Networking.
  5. Click on the username and enter the password.

STEP B: Delete the suspicious file from Configuration Settings

  1. Type “Msconfig” in search box / Run Box, select it and press Enter.
  2. Click on “Services” Tab and click on “Hide all Microsoft services”.
  3. Select Bufas ransomware from the list of remaining services and disable it by removing the tick mark from the checkbox and click on Apply button.

Windows 7

  1. Click on the next tab – “Startup”.
  2. Find any blank or suspicious entry or the entry with Bufas ransomware mentioned and remove the check mark.
  3. Click on Apply button and then click on OK.

Windows 10

  1. Click on the next tab – “Startup”.
  2. Take the mouse cursor to ‘Open task Manager‘ link and click on it.  This opens the Task Manager window.
  3. Find any blank or suspicious entry or the entry with Bufas ransomware mentioned and click on it.
  4. Then click on Disable button.

STEP C: Remove malicious file from Command Prompt

Once the system starts, ensure to use an account with administrative privilege to access Safe Mode with Command Prompt.

After the user enters admin credentials, Command prompt window is displayed wherein you are entitled to enter the below commands:

  1. Type the command “sc delete Bufas ransomware ” in the command prompt and press Enter.
  2. Type “exit” to exit the command prompt and restart the system in safe mode with command prompt.

STEP D: Restore the system files & folder

Method 1 using Control Panel

  1. Click on the ‘Start’ button on the taskbar. This will open the Start menu.
  2. Click on the ‘Control Panel’ button in the Start menu. This will open the control panel window.
  3. In the Control Panel window, click on the ‘View by:’ button on the top right. Select the Large Icon option
  4. In the control Panel window click on the ‘Recovery Icon’. This will open a window that will ask ‘Restore the computer to an earlier point in time’.
  5. Click on the ‘Open system restore’ button. This will open the ‘system restore ’window where you need to click on the Next Button.
  6.  Select the restore point that is prior the infiltration of Bufas ransomware. After doing that, click Next.
  7. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by Bufas ransomware.


Method 2 using Command Prompt

  1. Type cmd in the search box and click on the command prompt to open the Command Prompt window. box and clicking on it.
  2. Once the Command Prompt window shows up, enter cd restore and click Enter.(Ensure that you in the system32 directory of Windows folder in C Drive)
  3. Now type rstrui and press Enter again.
  4. When a new window shows up, click Next and select your restore point that is prior the infiltration of Bufas ransomware. After doing that, click Next.
  5. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by Bufas ransomware.


  1. Type ‘Rstrui’ in the search box present on the task bar. This will open the System restore dialog box.

Continue to follow steps 4 & 5 of Method 2 to restore the System Files and settings.

Tips to prevent your system from .Bufas File Virus

  1. Keeping the Operating System Updated- In order to remain protected and avoid such infections, it is recommended to keep your Operating System updated by enabling the automatic update on your system. The systems with outdated or older versions of Operating System become an easy target for the attackers.
  2. Resist clicking on spam emails – One of the major techniques used for malware distribution is forwarding spam emails to the user. The system gets infected as soon as the user clicks on the attachment. These mails appear to be genuine, so be aware and resist falling for these tricks.
  3. Keep an eye on third party installations- It is quite important that you take due care while installing any third party applications for they are major source of such infections. Such malware programs come bundled with the free applications thereby requiring the user to remain cautious.
  4. Regular periodical backup- In order to keep your data and files safe, it is recommended to take regular back up of all your data and files either on an external drive or cloud.
  5. Use Anti-Virus Protection- We strongly recommend the use of antivirus protection/internet security in your PC like Kaspersky and 360 Total Security so that it remains safe.
  6. Enable the Ad Blocker/Popup Blocker in your browser- Enabling the popup blocker/ ad blocker in your chosen browser will help you to stay protected from annoying adware.
Virus Removal Guidelines