Pendor Ransomware

We have recently acquired a sample of a ransomware-type application called Pendor Ransomware and tested it. We found that it was designed to encrypt your files and demand that you pay a 50 USD ransom to decrypt your files. Like nearly all ransomware-type programs it is dedicated to the extortion of money from the victims. However, we want to note that this ransomware’s developers might not keep their word and send you the decryption key once you have paid. Therefore, we recommend that you remove it from your computer as soon as you can to prevent it from encrypting more files.

Currently, there is no conclusive information on how this ransomware is distributed, but we believe that its developers might have resorted to using email spam to infect the computers of unwary users. They may have set up an email server dedicated to spamming random people with emails containing this ransomware. The emails can be disguised as receipts, tax return forms, and so on. The emails can have an attached file that may look like a PDF document. However, it may turn out that it is an executable file of this ransomware. If you open that file, then your PC can become infected with Pendor Ransomware.

If it infects your computer, then it will start encrypting your files immediately. This ransomware should create a public encryption and private decryption key. The decryption key is not stored locally as it is sent to a remote server and stored. You should get the decryption key after you pay the ransom but, again, there is no guarantee that you will get that key after you pay. Furthermore, your files might not be worth the money at all, so you should take that into account.

Pendor Ransomware was configured to encrypt many file formats that include pictures, documents, videos, audio files, and so on. It adds a custom “.pnr” file extension to the end of each encrypted file. If you double-click any of the encrypted files, this ransomware will open a CMD-type window that contains the ransom note. Also, Pendor Ransomware drops a ransom note that, depending on the version of the ransomware, can be named READ_THIS_FILE_1.TXT or instruction.txt. When testing this ransomware, the text file version of the note was encrypted.

The cybercriminals demand you pay 50 USD-worth of Bitcoins to a Bitcoin wallet address included in the note. You also have to send your personal ID and Bitcoin address to the TOR decryption service and pendor@tuta.io or pendor111@tutanota.com email addresses. The ransomware can feature one of these addresses depending on the version.

The main executable of this ransomware should be located where you downloaded it which is usually in the Downloads folder. However, if you ran the file without downloading it, then it should be in the %TEMP% folder. Also, this ransomware creates registry keys at HKCU\Software\Classes\.PNR and HKCU\Software\Classes\Pendor. If you want to restore your computer’s security, then you have to delete the main executable and the registry keys, although the registry keys are useless without the executable.

Undoubtedly, Pendor Ransomware is one malicious application that can ruin your files. Its creators offer you a way out, but they want you to pay money, but you should not do that because you might not receive the decryption key. Therefore, we recommend that you remove it from your computer using the guide provided below this article. You can also use an anti-malware program such as SpyHunter to get rid of it for you.

Removal Guide

1. Hold down Windows+E keys.
2. Type the following file paths in the address box and press Enter.
   • %TEMP%
   • %USERPROFILE\Downloads
   • %USERPROFILE\Desktop
3. Find the randomly-named executable.
4. Right-click it and click Delete.
5. Empty the Recycle Bin.
6. Hold down Windows+R keys.
7. Type regedit in the box and hit Enter.
8. Go to HKCU\Software\Classes\.PNR
9. Right-click the key and click Delete.
10. Then, go to HKCU\Software\Classes\Pendor and delete it as well.
11. Close the Registry Editor.