Plam ransomware authors persuade users to pay $980 for file recovery tool

Plam ransomware is a hazardous computer infection that encrypts files on a targeted Windows machine in order to demand to purchase a decryption tool required to regain access to the files. All non-system files, such as documents, pictures, databases, and others, are encoded with a military-grade RSA 2048 coding algorithm and renamed by appending a .plam extension to their original filenames.
Afterward, a ransom note, named _readme.txt, with instructions from the assailants, is placed on the desktop. It contains a few persuasion techniques, with the main goal to force victims into contacting the threat actors behind the attack by provided emails (helpmanager@mail.ch, helpmanager@airmail.cc) and pay the ransom (either $490 or $980) in cryptocurrency Bitcoins.
The virus derives from the nefarious Djvu ransomware family, which has been active since the end of 2018. New file-locker variations from this lineage are introduced each week. If your data was encoded with an offline key, then it's more than likely that you can decrypt it for free with Emisoft decryption tools. You can run files through the tool to make sure that data is decryptable. If not, options are limited to data backups and third-party alternate methods. Some of them listed below.
We're glad you chose us as your cybersecurity specialists, and we'll do our best not to let you down. This article contains a lot of information on the culprit, its peculiarities, most common distribution techniques, and certainly its elimination options. If you can't be bothered with all that info, go straight to our removal section at the bottom of the page. You can find many tips for the elimination and instructions that contain options for encrypted file restoring when you don't have updated backups.
| name | Plam ransomware |
|---|---|
| type | Cryptovirus, file-locker |
| Family | Djvu/STOP |
| appended file extension | .plam |
| Ransom note | _readme.txt file can be found on the desktop |
| Ransom amount | $490/$980 |
| criminal contact details | helpmanager@mail.ch and helpmanager@airmail.cc |
| Distribution | Deceptive ads, spam emails, file-sharing platforms |
| Malware Removal | To completely eliminate this and any other malware, use professional anti-malware software |
| System Health fix | Ransomware makes alterations to system files and settings, which could lead to various performance issues. Use the FortectIntego system repair tool to restore the system back to normal |
Djvu family ransomware is among the most pervasive of all malware that's lurking on the internet. It has produced over 250 file-locking parasites since late 2018. This version is the 280th on the list, and new ones are being produced weekly. Here are a few examples of the latest ones:
All infections from this lineage have a lot of similarities. All their ransom notes are practically identical. The latest version use RSA 2048 coding algorithm to encrypt files. Also, all contact email addresses used to be the same, but one of them changed with Plam ransomware. Here's what the message in the _readme.txt file states:
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-Wl6WKEBetp
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:
helpmanager@mail.chReserve e-mail address to contact us:
helpmanager@airmail.ccYour personal ID:
As you can see in the message above, developers of the ransomware virus try to push their victims into making rash decisions by offering them free decryption and a 50% discount on the ransom. Users who encountered a cyberattack should remember that paying off the criminals is the worse thing they can do.
Threat actors can use that money to expand their whole illegal operation. That can result in attacking more innocent people, developing more advanced malware, and research into ransomware distribution efficiency. Various companies and institutions worldwide, including the FBI,[1] urge victims to stop paying the ransom.

Therefore, remove PLAM ransomware from your infected device and forget about it. To properly eliminate it, you'll need a professional anti-malware tool. We recommend using either SpyHunterCombo Cleaner or MalwarebytesMalwarebytes apps to automatically take care of this task and protect your device from such intrusions in the future.
A proper anti-malware tool should identify infections and prevent them from executing any commands by isolating them. According to file analysis platform VirusTotal,[2] different tools have detected malware sample under the following names:
- MachineLearning/Anomalous.94%
- Trojan:Win32/Glupteba.GKM!MTB
- Trojan:Win32/Glupteba.ca055928
- Win32:BotX-gen [Trj]
- ML.Attribute.HighConfidence.
File-lockers, especially the ones from the Djvu family, cause havoc in system files and settings. Host files are altered, preventing users from visiting any cybersecurity sites, including 2-spyware.com, registry values are changed, and so on. It is also important to remember that malware can negatively impact system performance, even after it's removed. The best tool to remediate Windows is the powerful FortectIntego system repair tool.

Evade one of the most common ways Djvu ransomware is distributed
Malware is spread using different methods. Adware can be delivered with software bundling, Trojans through Remote Desktop Protocol attacks, while ransomware via deceptive ads, spam emails, etc. Users have to learn the basic techniques threat actors are using to distribute malware, to prevent from acquiring it.
Thus, we'll tell you how to avoid the most usually used Djvu ransomware family distribution technique. File-sharing platforms might be an easy way to send files to friends or colleagues, but cybercriminals love to exploit the lack of end-to-end security on these portals. The habit of paying not enough attention can lead to ransomware infection when the pirated file with malicious code is downloaded in place of the good install piece.
Threat actors upload their creations to the most popular torrent websites, camouflaged as something that would catch a user's eye. For example, pirated expensive software, illegal activations tools (cracks) for the latest games, and so on. When such a torrent is downloaded, ransomware can start its bidding immediately, and all files on the device can be locked within a few minutes. If you value your privacy and security, please refrain from using such sites.
Your files are not infected – they are simply locked
The threat that marks files using .plam appendix is known for being the version of a Djvu/STOP ransomware family member. This malware family was decryptable for a period of time in 2019, but the newest encryption methods and the usage of a more difficult ID forming technique that involves online keys made the threat more dangerous and took the previous decryption tool out of order.
There are few methods right now like the media file recovery tool or mentioned program from Emsisoft. However, decryption is not the option that all victims of these threats can have. The best solution for the infection would be the removal of the threat and file recovery using up-to-date backups. You can run the decryption tool linked below to see if your files got encoded using online or offline keys when the virus encrypted all data.
Offline IDs indicate that files or at least some of them can be decrypted. If online keys are used – you have fewer options. No not panic. It is unfortunate that you may lose your files, but it is possible to salvage your device by clearing the infection. Save some of those encoded files and make sure to store them on the external drive, so you might use the decryption tool in the future.
Malware removal on Windows explained
Any malware[3] from devices should be eliminated ASAP. When you're dealing with the Djvu family viruses, you have to think about file recovery. If you're lucky and the encryption was done using an offline key, then there's a good chance that the existing Djvu decrypter will decipher your encrypted files.
If that doesn't work, then there might be other possible data recovery options. Please scroll down to the bottom of the page to view them. If nothing works, then extract all files to an offline storage device and wait for a decryption tool for .plam files to be developed. If you want to use the machine you still need to terminate the virus to avoid another encryption.
One more thing that Djvu family file-lockers can do is disable anti-malware software. If a security tool can't be opened, please refer to our manual removal guide below to open it in Safe Mode with Networking. If you don't own a professional tool capable of removing malware, we advise getting either SpyHunterCombo Cleaner or MalwarebytesMalwarebytes.
Launch the security tool and scan the entire system. Once it's finished, remove ransomware along with any other suspicious files. Keep your anti-malware software virus database updated at all times so it can stop the latest malware from infecting your device.
The last step is to fix system files and settings that were messed up during the encryption. Host files, system registry, and other core system settings get altered to establish persistence. Cybersecurity experts from LesVirus.fr[4] highly recommend using the powerful FortectIntego system repair tool for this task.
Was this guide helpful?
Be the first to comment