PadCrypt ransomware (Removal Guide) - updated Apr 2017
PadCrypt virus Removal Guide
What is PadCrypt ransomware?
PadCrypt ransomware is the first to offer live chat support, adds a review system
PadCrypt virus was spotted for the first time more than one year ago.[1] Although it hasn’t been a very active crypto-malware, it has been changing steadily since then. If you receive a new email in your inbox, do not rush to open it or download the attached content, regardless of how important the information provided may seem. This and other similar ransomware programs spread through spam emails via infectious files attached to them. Pad Crypt malware spreads in the form of a file that looks like a PDF but is actually a zip archive containing a dangerous executable file. Once extracted, this file lets the malware into the system, which immediately starts encrypting the user’s files, including photos, videos, Word documents and others. PadCrypt ransomware uses the AES-256 encryption algorithm[2] to lock the files, so you can hardly decrypt them without a special key, which is usually held by the hackers.
After the encryption is over, the virus creates a new .txt file which informs the user that the files have been encrypted and that the key needed to recover them must be bought. Otherwise, these files can be lost forever. The ransom usually asked by this ransomware[3] is 0.8 Bitcoin, which equals approximately $340, and must be paid through Bitcoin, Ukash Voucher or Paysafecard. Usually, the required payment increases over time. The victim of PadCrypt ransomware is also given a 96-hour deadline to pay the ransom. If the victim does not transfer the money within that time, the decryption key may be destroyed. At least that’s what its owners declare. However, no matter how convincing these claims seem, you should know that less than half of ransomware victims have managed to recover their data fully.[4]
PadCrypt ransomware has been updated lately. It shows different ransom notes reporting the encrypted files and asking the victim to pay a ransom fee in bitcoins.
An interesting fact about this particular ransomware is that the encrypted data can be obtained free of charge if the user waits six months and then contacts the virus’ developers. What is more, this virus is the first ransomware that provides live chat support, which supposedly should let you contact the cyber criminals. Reportedly, they do not respond, so this chat is of little use.
Developers of this virus have let infected computer users remove PadCrypt from their computers by providing a special uninstaller. However, even after you remove the malware from your computer, your files won’t be decrypted. Also, to decrease the victim’s chances of recovering the files for free, this crypto-malware deletes shadow volume copies[5] as well. The only way to protect your data from such dangerous viruses is to keep a backup of your records stored on an external drive. Pad Crypt works similarly to ransomware viruses like CryptoWall, TeslaCrypt or DMA-Locker. Actually, all ransomware infections are essentially identical – they promise to decrypt your files if you pay the demanded amount of money. They differ only in encryption algorithms and ransom size. We do not advise paying the ransom because it is very likely that you will be robbed not only of your files but of your money as well. You should remember that PadCrypt removal will not return your data but merely deletes the virus and its components from your computer. We advise using powerful malware removal software like FortectIntego to remove the ransomware from your system for good.
Update 28 February 2017: Developers of the ransomware have upgraded their TOR payment website and added a section called “Reviews,” where victims can post positive feedback and expect a refund from the cyber criminals. However, current reviews seem to be filled with hate and frustration only. Although this virus was the first one to provide live chat support to victims, now it seems to be copying the strategy of Spora ransomware, which provides quick responses to victims and also offers free decryption keys, extended deadlines, and discounts. Pad Crypt’s authors ask victims to write an “honest review” in order to get a refund; however, we cannot even imagine how victims should feel about praising the service of cybercriminals.
How is this ransomware distributed?
PadCrypt, CryptoWall, and other malware programs are commonly distributed through peer-to-peer (P2P) networks, like Torrents, malicious spam email attachments or bogus software updates and may enter your system as Trojans.
For the reasons stated in this article, you should be careful when downloading files from untrustworthy Internet sources or opening email attachments received from suspicious senders.
As we have already mentioned, it is essential to remove this malware from your PC immediately. If you do not want to use an automatic removal tool, please study a manual removal guide provided below the following paragraphs.
Complete list of PadCrypt versions
At first, PadCrypt was considered to be a suspended ransomware project because, when it first showed up, its Command & Control servers were quickly deactivated. In spring 2016, malware experts spotted several versions of the virus, indicating that the author of the ransomware project was trying to renew it and start distributing it again. Currently, there are several modifications of the mysterious 2.0 version, known as 2.2.71.1, 2.2.86.1, and 2.2.97.0. However, it seems that these versions had no significant changes and were sent out to a tiny number of computer users, judging by the number of complaints received. However, in autumn 2016, a third version emerged, and it seems to be a noticeably improved virus.
PadCrypt 3.0 ransomware virus. Malware analysts first noticed traits of this version at the end of September 2016, and clear examples were detected in November. The third version claims to use an AES 256-bit encryption key and demands a ransom from the victim in exchange for the data decryption tool. Reportedly, PadCrypt 3.0 virus spreads as a Trojan in the form of a fake Visa credit card generator (Card Base 5.6.0.exe), also steals FileZilla server account information, and is being sold on the dark market to other criminals who want to contribute to its distribution. It seems that the scammers have created an affiliate system and share the revenue with people who help distribute the virus. Finally, it has been discovered that this version claims to be version 3.1 in its source code, although the ransom note still says it is version 3.0. Victims should quickly remove this virus in case it infects their systems.
PadCrypt 3.1.2 ransomware virus emerged on the web at the beginning of December 2016 and left users with more questions than answers. The program does not seem to have acquired any new features, at least none that are apparent. We can only presume that the hackers behind the virus have patched up some problematic parts of the program’s code, and hope that these improvements have not made the parasite even more malicious. Perhaps the single interesting finding about this ransomware version so far is that it seems to be distributed by the well-known Artemis Trojan. It is yet unknown whether the virus decrypts the locked files after six months as the original virus version did, but we do not recommend waiting it out. During this time you probably will not be able to use your computer properly, and the new files you create on the infected device will be encrypted once again. Thus, we strongly recommend you remove this version of PadCrypt from your computer.
PadCrypt 3.2.2 ransomware virus is a malicious crypto-virus which was found to be ransomware-as-a-service (RaaS). Interested parties (hackers, bad guys, etc.) can try to modify this malware according to their needs and then use it for encrypting people’s files and collecting ransoms. Of course, the owner of the 3.2.2 malware version gets some part of the collected fees in exchange for letting others use the virus. According to the latest gossip, this version is another modification of the Razy ransomware, which uses AES-265 and RSA encryption algorithms to encrypt its victims’ files. The amount of ransom varies from 0.5 to 1.5 Bitcoin, which is equal to $1065. Please, do NOT even think about paying such a ransom to the developers of this ransomware! There is no guarantee that they will recover your files after receiving such an amount of money. You need to remove PadCrypt 3.2.2 virus as soon as you find out that you are infected, because this malware can also modify your process list and try to connect to the hackers with the help of remote C&C servers.
PadCrypt 3.4.4 ransomware virus is the latest version of the virus, which showed up in the middle of March. Although it hasn’t been very active, it can infect your computer using the same methods as previous versions. As soon as it infiltrates the system, it collects specific information and transfers it to its owners. It has been revealed that it tries to obtain the computer’s IP address, geolocation, name, System BIOS version, etc. It uses C&C servers to transfer this data to its owners. The second stage of PadCrypt 3.4.4 ransomware’s functionality involves the encryption of the victim’s files. Be careful with this malware and do NOT pay the ransom.
PadCrypt 3.5 ransomware virus. The latest ransomware variant was spotted in April 2017, and the first example spotted arrives in the form of two files: dpd_label_1ade8daf._pdf.scr and Adobe Reader.exe. As you can see, the first file has a double extension (the real one is .scr, not .pdf), and it pretends to be a document from DPD. Therefore, we assume that this malicious virus is distributed using email spam. The ransomware encrypts all files, adding extensions that match the virus’ name, and leaves a ransom note behind. The virus leaves its ransom note in three different files: +WANT_YOUR_FILES_BACK.html, +WANT_YOUR_FILES_BACK.txt and +RESTORE_FILES_NOW.html. With this version, the ransomware also upgrades its TOR site and adds a “Review” page, where victims can leave reviews and expect attackers to lower the ransom price for them.
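As an added defensive example (not code from the original guide or from 2-spyware), the following Python script checks a file listing for the PadCrypt 3.5 indicators quoted above: the three ransom note names, the two dropper file names, and the double-extension trick generalised to any document-looking token placed in front of an executable extension. The sample listing is constructed, and the lure heuristic is my generalisation rather than something the article states.

```python
import os
import re
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Tuple

# Indicators quoted from the write-up above (PadCrypt 3.5): the three ransom
# note file names and the two dropper file names seen in the first sample.
RANSOM_NOTES = {
    "+WANT_YOUR_FILES_BACK.html",
    "+WANT_YOUR_FILES_BACK.txt",
    "+RESTORE_FILES_NOW.html",
}
KNOWN_DROPPERS = {"dpd_label_1ade8daf._pdf.scr", "adobe reader.exe"}

# Extensions Windows runs as programs, and document-like tokens a lure borrows
# (generalised from the "._pdf.scr" trick described in the article; assumption).
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_TOKEN = re.compile(r"[._-](pdf|docx?|xlsx?|txt|jpe?g)(?=[._-]|$)", re.IGNORECASE)


def classify(path: str) -> Optional[str]:
    """Return the indicator type for one file path, or None if nothing matches."""
    name = PureWindowsPath(path).name          # accepts both \ and / separators
    if name in RANSOM_NOTES:
        return "ransom_note"
    if name.lower() in KNOWN_DROPPERS:
        return "known_dropper"
    ext = PureWindowsPath(name).suffix.lower()
    stem = name[: -len(ext)] if ext else name
    # e.g. "invoice.pdf.exe": the stem ends in a document token while the real
    # extension is executable, which is the double-extension disguise.
    if ext in EXECUTABLE_EXTS and DOC_TOKEN.search(stem):
        return "double_extension_lure"
    return None


def scan(listing: Iterable[str]) -> List[Tuple[str, str]]:
    """Classify every path in a listing and return the (path, indicator) hits."""
    hits = []
    for path in listing:
        kind = classify(path)
        if kind:
            hits.append((path, kind))
    return hits


def scan_directory(root: str) -> List[Tuple[str, str]]:
    """Walk a real tree (e.g. os.path.expandvars('%AppData%')) and scan it."""
    return scan(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)


# Constructed sample listing for an offline run; these paths are not real IoCs.
SAMPLE_LISTING = [
    r"C:\Users\alice\Downloads\dpd_label_1ade8daf._pdf.scr",
    r"C:\Users\alice\AppData\Local\Temp\Adobe Reader.exe",
    r"C:\Users\alice\Documents\+WANT_YOUR_FILES_BACK.html",
    r"C:\Users\alice\Documents\report.docx",
    r"C:\Users\alice\Downloads\invoice.pdf.exe",
    r"C:\Users\alice\Downloads\setup_v1.2.exe",
]

if __name__ == "__main__":
    for path, kind in scan(SAMPLE_LISTING):
        print(f"{kind:22} {path}")
```

Pointing scan_directory() at the folders listed in the removal steps (%AppData%, %LocalAppData%, %ProgramData%) gives a quick triage list; a hit on the name heuristic still needs a manual look before anything is deleted.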
Remove PadCrypt ransomware from the system
Unfortunately, it is impossible to remove PadCrypt virus and recover the encrypted files at the same time. For that you need a special key, which is held by the hackers until you decide to open your e-wallet and pay the ransom. You can, however, delete this virus and its components from your computer to prevent further encryption of your files. This procedure is also advisable for finding additional threats that might be lurking in your computer without your knowledge. We don’t recommend trying to perform a full PadCrypt removal manually because there are lots of ransomware components that can hardly be found without a reputable anti-spyware/anti-malware program. The best variants of such software are given below, so make sure you install one of them to fix your computer properly. To protect yourself from such malicious viruses in the future, make sure you keep your security software up-to-date, back up your important files regularly and stay away from spam.
Getting rid of PadCrypt virus. Follow these steps
Manual removal using Safe Mode
If this virus is blocking your scanner, you should try rebooting your computer to Safe Mode with Networking first:
Important!
The manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal is best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on the Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find the Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to the Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to the Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
  - Temporary Internet Files
  - Downloads
  - Recycle Bin
  - Temporary files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
  - %AppData%
  - %LocalAppData%
  - %ProgramData%
  - %WinDir%
After you are finished, reboot the PC in normal mode.
Remove PadCrypt using System Restore
If Safe Mode with Networking failed to help you unlock your computer, you should try using System Restore:
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and press Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select a restore point that is prior to the infiltration of PadCrypt. After doing that, click Next.
- Now click Yes to start System Restore.
Bonus: Recover your data
The guide presented above is supposed to help you remove PadCrypt from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts. If your files are encrypted by PadCrypt, you can use several methods to restore them:
Recover with Data Recovery Pro
Victims can try to decrypt their files using Data Recovery Pro software. It might help you to recover some of your files.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by PadCrypt ransomware;
- Restore them.
Use ShadowExplorer to recover files encrypted by this ransomware
If you are lucky enough to find out that PadCrypt ransomware did not remove the shadow volume copies of your files, you can use ShadowExplorer. Here are the steps that you should follow to use this tool properly:
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Wait six months to get your data back
The described virus says that victims should not delete the encrypted data because there is a chance to recover them for free in case the victim has no money to pay the ransom. If your files are not that important and you do not need them urgently, you can wait and see what happens. Just remember that criminals are unpredictable and you can never count on them.
Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from PadCrypt and other ransomware, use a reputable anti-spyware program, such as FortectIntego, SpyHunter 5, Combo Cleaner or Malwarebytes.
How to prevent from getting ransomware
Protect your privacy – employ a VPN
There are several ways to make your online time more private – you can use an incognito tab. However, it is no secret that even in this mode, you are tracked for advertising purposes. There is a way to add an extra layer of protection and create a completely anonymous web browsing practice with the help of Private Internet Access VPN. This software reroutes traffic through different servers, thus keeping your IP address and geolocation disguised. Besides, it is based on a strict no-log policy, meaning that no data will be recorded, leaked, or made available to either first or third parties. The combination of a secure web browser and Private Internet Access VPN will let you browse the Internet without feeling spied on or targeted by criminals.
No backups? No problem. Use a data recovery tool
If you wonder how data loss can occur, you should not look any further for answers – human errors, malware attacks, hardware failures, power cuts, natural disasters, or even simple negligence. In some cases, lost files are extremely important, and many straight-out panic when such an unfortunate course of events happens. Due to this, you should always ensure that you prepare proper data backups on a regular basis.
If you were caught by surprise and did not have any backups to restore your files from, not everything is lost. Data Recovery Pro is one of the leading file recovery solutions you can find on the market – it is likely to restore even lost emails or data located on an external device.
- [1] Lawrence Abrams. PadCrypt: The first ransomware with Live Support Chat and an Uninstaller. Bleeping Computer.
- [2] Advanced Encryption Standard. Wikipedia, the free encyclopedia.
- [3] What is ransomware and how to remove it. 2spyware. Security news and virus removal guides.
- [4] Jonathan Crowe. Ransomware by the Numbers: Must-Know Ransomware Statistics 2016. Barkly blog.
- [5] Shadow Copy. Wikipedia, the free encyclopedia.