How to Remove PEC 2017 Ransomware and Recover Encrypted Files?

PEC 2017 Ransomware is a new encrypting ransomware discovered by a malware researcher who focuses on ransomware. This malware targets Italian victims primarily and the ransom note is written in Italian. This post provides some basic information about the ransomware and several methods to remove the threat completely from the machine.




Ransomware Information

Threat Name: PEC 2017 Ransomware
Risk Level: danger-level9
Category: Ransomware; Malware
Affected countries: Italy
Time First Discovered: Early May 2017
Behaviors: Encrypts files and appends the .pec extension to them; demands a ransom payment.
Distribution Methods: Spam email messages that contain a corrupted file attachment
Removal Solution: Some regular antivirus programs may fail to detect PEC 2017 Ransomware, so it is highly recommended that you use a specialized tool to find and delete all files related to this threat.



Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid. Many recently discovered ransomware families, such as Cry128 Ransomware, Onion Ransomware and AES-NI Ransomware, encrypt certain file types on infected systems and ask users to pay the ransom for a decryption key or decryption tool.

PEC 2017 Ransomware is a newly discovered ransomware that attacks users’ computers and encrypts their files, appending the .pec extension to them. According to VirusTotal, some antivirus applications detected this malware on May 2, 2017. The following results are the detections of this ransomware:


RTF:CVE-2017-0199-A [Trj]






Once installed, it finds and encrypts files on all local drives, on portable storage devices connected to the infected computer, and in directories shared on a network. This ransomware seems to target Italian users, and the ransom note displayed on the infected machines is written in Italian.

Screenshot of the ransomware note:




The following is the ransom note, roughly translated into English:


PEC 2017

Learn how to decrypt files

Your files have been encrypted by the PEC 2017 system with AES 256 encryption.

PEC is not decipherable by any software and no antivirus.

How to recover encrypted data

The only way to recover corrupted data is to purchase PEC CLEANER Recovery Software.

Once you have obtained the software, you will be able to recover and restore the corrupted files.

With the same software you can decrypt all damaged files even those on external or network disks.


Do not use any antivirus software or decrypt as not only ineffective, but may compromise data retention forever.

With PEC Cleaner, you can retrieve all your perfectly working and unexpected data.


Contact the decrypt software manufacturer to purchase the license and download the program:

Pec.clean@protonmail com

Your unlock key is


The software will be available for download within 24 hours of your payment and will allow you to restore your data immediately.


The ransom note tells victims what has happened to their computers and files and how they can recover the encrypted files. The cybercriminals threaten that the encrypted files will be ruined permanently if victims attempt to delete the malware or decrypt the files with security tools. It asks users to contact the decrypt software manufacturer via Pec.clean@protonmail com so as to buy PEC CLEANER to restore the files.

Victims are advised not to pay the ransom because paying does not guarantee that they will get the unlock tool required to regain access to the encrypted files. Moreover, paying the ransom encourages the cybercriminals, who can use that income to do more development and get into other forms of crime.


Important Note: If your computer is unluckily infected with this ransomware, DO NOT pay the ransom; try to restore the files from backups if you have them. Before restoring the backups, please remove PEC 2017 Ransomware with a specialized malware removal tool first and make sure your system is free of viruses. If you have no backups, please wait for a decryption tool to be released, because there is still no effective decryptor so far.





How does PEC 2017 Ransomware infect your PC?


Ransomware can be distributed from one machine to another through a variety of means. Like much of the malware out there, it can spread via untrusted sites and attachments. If unwitting users visit malicious or compromised websites, the ransomware can find the opportunity to enter their machines. It can also arrive on computers as a payload either dropped or downloaded by other malware. As for PEC 2017 Ransomware, it can be delivered as an attachment to spam emails. Cybercriminals may send spam emails with a Rich Text Format document attached. If you open the document, you may see a message like “This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?”. The document looks like a curriculum vitae or another commonly used document, which can catch unsuspecting users off guard.




If users are tricked into opening the corrupted file attachment, the ransomware will be downloaded and executed from a remote server.

Once executed, it scans and encrypts the files using a combination of AES and RSA encryption. Victims won’t be able to access the encrypted files anymore unless they pay the ransom and buy the decryption tool as required by the cybercriminals.
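The delivery described above (an RTF attachment that asks to update linked files on open) can be triaged before anyone opens it. The following is an added example, not code from the original post: it flags saved attachments whose RTF body declares a linked object that requests an automatic update. The function names and sample documents are constructed for illustration, and the check is a heuristic, not a full detector.

```python
import re
from pathlib import Path

# RTF control words that declare a linked OLE object (RTF specification names).
LINK_WORDS = (b"objautlink", b"objlink", b"objupdate")
# Match the control word only when no further letter follows it.
_CTRL = re.compile(rb"\\(" + b"|".join(LINK_WORDS) + rb")(?![a-z])")


def triage_rtf(data: bytes) -> dict:
    """Return the linked-object indicators found in one attachment's bytes."""
    # Word opens RTF by content, so a .doc name can hide an RTF body.
    is_rtf = data.lstrip()[:4].lower() == b"{\\rt"
    found = sorted({m.group(1).decode() for m in _CTRL.finditer(data)}) if is_rtf else []
    # A link that also asks to be refreshed on open is what leads to the
    # "update this document with the data from the linked files" prompt.
    auto_update = "objupdate" in found and bool({"objautlink", "objlink"} & set(found))
    return {"is_rtf": is_rtf, "link_words": found, "quarantine": auto_update}


def triage_folder(folder: str) -> list:
    """Scan every file in a folder of saved attachments; return flagged names."""
    flagged = []
    for path in sorted(Path(folder).iterdir()):
        if path.is_file() and triage_rtf(path.read_bytes())["quarantine"]:
            flagged.append(path.name)
    return flagged


# Constructed samples (not taken from a real PEC 2017 attachment).
SAMPLE_PLAIN = rb"{\rtf1\ansi Curriculum vitae\par Mario Rossi}"
SAMPLE_LINKED = (rb"{\rtf1\ansi Curriculum vitae\par "
                 rb"{\object\objautlink\objupdate\objw1\objh1{\*\objdata 0105}}}")

if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_PLAIN), ("linked", SAMPLE_LINKED)):
        print(name, triage_rtf(blob))
```

A flagged file should be held for analysis rather than opened; a clean result does not prove the attachment is safe.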


PEC 2017 Ransomware Removal Guide


It’s not easy to find and delete all the files associated with the ransomware manually. To find and get rid of the malware completely, we strongly suggest you download and install a professional anti-malware program to scan for the threats and clean them up automatically. The recommended software below is able to detect and remove the infection quickly and thoroughly with only a few clicks of the mouse.


  1. Download a remover for PEC 2017 Ransomware.
  2. Once the tool is downloaded, run it and follow the instructions on the screen to complete the installation.
  3. The tool will run automatically once installed. Usually, it starts to scan your computer for malware. If not, click on the Scan Computer Now button to start scanning your system for the infection.
  4. The threats related to the ransomware will be found and shown in the scan results. When the scanning is completed, click on the Fix Threats button to delete the malicious files.


Alternatively, use System Restore to remove the ransomware manually:


System Restore is “a feature in Microsoft Windows that allows the user to revert their computer’s state (including system files, installed applications, Windows Registry, and system settings) to that of a previous point in time, which can be used to recover from system malfunctions or other problems.” If the System Restore function was enabled on your infected operating system before, this method may work.

Follow the guide below to perform a system restore in different Windows systems.

Windows 10

Press Windows key + X key or right click on the Start button in the lower left corner of the screen to open the quick link menu. Select the System item in the menu.




Click on the System Protection tab on the left side as shown below.



Click on System Restore. (If System Restore is greyed out, you will have to check whether your current hard drive has System Protection turned on. By default it should be, but if you want to enable it on another drive, simply select it and then click on Configure… > select Turn on system protection.)




If this is your first time doing a System Restore, click on Next. If you had previously done a System Restore, select Choose a different restore point, and click on Next.




(Note: Make sure you have created some restore points; if no restore points are available, you won’t be able to do a system restore.)

Select a restore point that you would like to restore Windows back to, and click on the Scan for affected programs button.

Review what will be affected by using the selected restore point. When finished, click on Close.




When you are ready to do a System Restore with a selected restore point, click on Next.

Click on Finish to begin the System Restore.




Click on Yes to confirm. This is your last chance to cancel the System Restore.

Your PC will now restart and perform a System Restore.

When the System Restore has completed successfully and you have signed back in to your desktop, click on Close.

Restart your computer and Osiris Ransomware will disappear. But please note that the files are still encrypted.


For Windows 8/8.1 users,

Hover your mouse over the lower left corner of the screen until the Start menu appears. Right click on the Start menu and select Control Panel. (See screenshot below) If you use Windows 8.1, right click on the Start button and click on Control Panel.




In the Control Panel window, select “Recovery” under Type by: Large icons.




Select “Open system restore”.



The main screen for System Restore will be displayed. If you are prompted to continue, click on the Next > button, and a recent restore point and your last critical update will be shown there.




If you are sure that the most recent restore point does not match the date your problem started, check the box next to Show more restore points in the lower left corner and you will see a list of available restore points.

Select the restore point from the time your computer issues started to occur and click the Next button.




The screen will ask for your confirmation. Click on the Finish button if you are sure you want to continue.




When you are asked for confirmation again, click on Yes. System Restore will now reboot your computer and begin the restore process. The restore task will take some time to complete, so please be patient.

When the system restore task completes successfully, a confirmation box will be displayed on your desktop after system reboot. Then Osiris Ransomware is gone from your computer.


For Windows 7/Vista users

Click on Start button → All Programs → Accessories → System Tools → System Restore….




When the System Restore window appears, you can directly click on the Next button if you are sure that the date of the Recommended restore is the time the computer problem started.




If the computer issue occurred earlier than the time of the recommended restore, you can click the Choose a different restore point option and click the Next button to select the desired restore point.

Select a restore point you wish to restore and click the Next button. If the desired restore point isn’t shown there, check Show more restore points and choose the restore point which caused the computer problem. Then click on the Next button.




Confirm your restore point and click Finish button. Make your selections and click Next.




This will take some time to complete. When the system is restored to a time that was free of Osiris Ransomware, there will be no ransomware on your PC.


For Windows XP users,

Click on Start button, click on Programs, click Accessories, click on System Tools and then open System Restore.




When the Welcome to System Restore page window appears, click on Restore my computer to an earlier time option (if it is not already selected), then click on Next button.




On the Select a Restore Point screen, locate the “On this list, click a restore point” list, select the most recent system checkpoint, and then click the Next button.




A System Restore message may appear that lists configuration changes that System Restore will make. Click OK.

Confirm your restore point and click Finish button. Make your selections and click Next.

System Restore restores the previous Windows XP configuration, and then restarts the computer.




Possible way to recover files encrypted by PEC 2017 Ransomware


So far, there is still no free decryptor tool to decrypt .PEC files encrypted by the ransomware. But you can recover those encrypted files if you made a backup of the important files before. In addition, the encrypted files can also be restored through Shadow Volume Copies if you are lucky enough. Usually, file-encrypting ransomware will start to delete Shadow Volume Copies once installed. But in a few cases the ransomware fails to remove them for various unknown reasons. Therefore, if your PC is attacked by this ransomware and you don’t have a backup of the files, try restoring encrypted files from Shadow Volume Copies, since some shadow copies may luckily escape the deletion and can still be restored by ShadowExplorer.

Try using ShadowExplorer to restore them.

 Click here to download ShadowExplorer.

Here is the guide on how to restore the files with ShadowExplorer.
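For the backup route described above, it helps to know which encrypted files actually have a clean copy before restoring anything. The following is an added example, not part of the original post: it pairs each file carrying the appended .pec extension with its counterpart in a backup folder and lists the ones with no usable copy. The folder layout and function name are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

PEC_SUFFIX = ".pec"  # extension the ransomware appends to encrypted files


def plan_restore(affected_root: str, backup_root: str) -> dict:
    """Map each encrypted file to its backup copy, or list it as uncovered."""
    affected, backup = Path(affected_root), Path(backup_root)
    plan = {"restorable": {}, "no_backup": []}
    for enc in sorted(affected.rglob("*")):
        if not enc.is_file() or enc.suffix.lower() != PEC_SUFFIX:
            continue
        # report.docx.pec -> report.docx, same relative folder
        original_rel = enc.relative_to(affected).with_suffix("")
        candidate = backup / original_rel
        # A backup on a reachable share may itself have been encrypted; in that
        # case only "<name>.pec" exists there and the file counts as uncovered.
        if candidate.is_file() and candidate.stat().st_size > 0:
            plan["restorable"][original_rel.as_posix()] = str(candidate)
        else:
            plan["no_backup"].append(original_rel.as_posix())
    return plan


if __name__ == "__main__":
    # Constructed sample tree, built in a temporary folder.
    with tempfile.TemporaryDirectory() as tmp:
        aff, bak = Path(tmp, "affected"), Path(tmp, "backup")
        (aff / "docs").mkdir(parents=True)
        (bak / "docs").mkdir(parents=True)
        (aff / "docs" / "cv.docx.pec").write_bytes(b"ciphertext")
        (aff / "photo.jpg.pec").write_bytes(b"ciphertext")
        (bak / "docs" / "cv.docx").write_bytes(b"original")
        print(plan_restore(str(aff), str(bak)))
```

Files listed under no_backup are the candidates for a Shadow Volume Copy attempt with ShadowExplorer.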


PEC 2017 Ransomware Prevention


To avoid being attacked by such file-encrypting ransomware, here are several useful suggestions for you:

Don’t open attachments in unsolicited emails. The ransomware is mainly distributed via email attachments. It can pretend to be a curriculum vitae and trick you into opening an attachment that downloads and installs the ransomware. If you receive such emails, be cautious about the attachments contained in them and never open them if you don’t trust them.

Back up your important files regularly. It’s a good habit to make a backup of the files on your PC from time to time and keep a recent backup copy off-site. In this way, you can easily recover the files when your computer is infected with PEC 2017 Ransomware. This also helps protect your data and saves you money if anything goes wrong with your computer.

Keep the software and system updated. Outdated software, such as browsers and Flash Player, may contain vulnerabilities that can be exploited by malware. To prevent the PC from being attacked by hackers and infected, it’s necessary to update the installed software to the latest versions.

Download and install an anti-malware program. Believe it or not, an advanced anti-malware program can help protect your computer from various cyber attacks. It can inform you of potentially harmful items detected when you visit malicious websites or download harmful content. This can help prevent the ransomware effectively.


Friendly Reminder:


To avoid being infected with ransomware or other malware, you’d better install security software, keep your operating system and applications up to date, and avoid visiting suspicious sites or opening email attachments from unknown sources. As ransomware becomes more sophisticated, sometimes preventive measures prove to be useless against such things. Thus it’s important to BACK UP files online and off. Though it’s inconvenient to restore files, it doesn’t matter much if your files are encrypted by ransomware when you’ve got unencrypted copies as a backup.

If your computer is unfortunately infected with this ransomware, follow the guide mentioned above to remove PEC 2017 Ransomware completely. If ShadowExplorer doesn’t work, you need to wait for a decryption tool.



