Severity scale:  

Remove PadCrypt ransomware (Removal Guide) - updated Apr 2017

removal by Alice Woods - - | Type: Ransomware

PadCrypt ransomware is the first to offer live chat support, adds a review system

PadCrypt virus was spotted for the first time more than one year ago.[1] No matter that it hasn’t been very active crypto-malware, it has been changing steadily since then. If you receive a new email in your inbox, do not rush to open it or download the attached content, regardless of how important the information provided may seem. This and other similar ransomware programs spread through spam emails via infectious files attached to them. Pad Crypt malware spreads in a form of a file that looks like PDF but, actually, it is a zip archive containing a dangerous executed file. Once extracted, this file lets the malware into the system which starts encrypting user’s files, including photos, videos, word documents and other, without wasting its time. PadCrypt ransomware uses AES-256 encryption algorithm[2] to lock the files, so you can hardly decrypt them without a special key which is usually help by hackers.

After the encryption is over, the virus creates a new .txt file which informs the user about the encryption of the files and lets him/her know that there is an encryption key which needs to be bought in order to recover the files. Otherwise, these files can be lost forever. The ransom which is usually asked by this ransomware[3] is worth 0.8 Bitcoin which equals approximately $340 and must be paid through BitCoins, Ukash Voucher or Paysafecard. Usually, the required payments increase over time. The victim of PadCrypt ransomware is also given a 96-hour deadline to pay the ransom. If the victim does not transfer the money within the estimated time, the decryption key may be destroyed. At least that’s what is declared by its owners. However, no matter how convincing these claims seem, you should know that less than half of ransomware victims have managed to recover their data fully.[4]

PadCrypt ransomwarePadCrypt ransomware has been updating lately. It shows different ransom notes reporting about encrypted files and asking the victim to pay a ransom fee in bitcoins

An interesting fact about this particular ransomware is that the encrypted data can be obtained free of charge in case the user waits six months and then contacts the virus’ developers. What is more, this virus is the first ransomware virus that provides live chat support, which supposedly should let you contact the cyber criminals. Reportedly, they do not respond, so there is hardly any use from this chat.

Questions about PadCrypt ransomware

Developers of this virus have been letting the infected computer users remove PadCrypt from their computers by providing a special uninstaller. However, even after you remove the malware from your computer, your files won’t be decrypted after you finish this process. Also, to decrease victim’s chances to recover the files for free, this crypto-malware deletes shadow volume copies[5] as well. The only way to protect your data from such dangerous viruses is to keep a backup of your records stored on an external drive. Pad Crypt works similarly to such ransomware viruses like CryptoWall, TeslaCrypt or DMA-Locker (click on links to read more about these viruses). Actually, all the ransomware infections are essentially identical – they promise to decrypt your files if you pay the estimated amount of money. They differ only in encryption algorithms and the ransom size. We do not advise you paying the ransom because it is very likely that you will be left robbed not only of your files but your money as well. You should remember that the PadCrypt removal will not return your data but merely deletes the virus and its contents from your computer. We advise using a powerful malware removal software like Reimage Reimage Cleaner Intego to remove the ransomware from your system for good.

Update 28 February 2017: Developers of the ransomware have upgraded their TOR payment website and added a section called “Reviews,” where victims can post positive feedback and expect a refund from cyber criminals. However, current reviews seem to be filled with hate and frustration only. Although this virus was the first one to provide live chat support to victims, now it seems that it seeks to copy the strategy of Spora ransomware, which provides quick responses to victims and also provides free decryption keys, extended deadlines, and discounts for the victims. Pad Crypt’s authors ask to write an “honest review” in order to get a refund; however, we cannot even imagine how victims should feel about praising the service of cybercriminals.

How is this ransomware distributed?

PadCrypt, CryptoWall, and other malware programs are commonly distributed through peer-to-peer (P2P) networks, like Torrents, malicious spam email attachments or bogus software updates and may enter your system as Trojans.
For the reasons stated in this article, you should be careful when downloading files from untrustworthy Internet sources or opening email attachments received from suspicious senders.

As we have already mentioned, it is essential to remove this malware from your PC immediately. If you do not want to use an automatic removal tool, please study a manual removal guide provided below the following paragraphs.

Complete list of PadCrypt versions

At first, PadCrypt was considered to be a suspended ransomware project because when it first showed up, its Command & Control servers were quickly deactivated. In spring of 2016, malware experts have spotted several versions of the virus that indicated that the author of the ransomware project is trying to renew it and start distributing it again. Currently, there are several modifications of the mysterious 2.0 version, known as,, and However, it seems that these versions had no significant changes and were sent out to tiny amount of computer users, considering the number of complaints received. However, in autumn of 2016, the third version has emerged, and it seems to be a more noticeably improved virus.

PadCrypt 3.0 ransomware virus. Malware analysts first noticed traits of this version at the end of September 2016, and clear examples were detected in November. The third version claims to be using AES 256-bit encryption key and demands a ransom from the victim in exchange for the data decryption tool. Reportedly, PadCrypt 3.0 virus spreads as a Trojan in the form of a fake Visa Credit Card generator (Card Base 5.6.0.exe), also steals some information from server account from FileZilla, and it is being sold in the dark market for other criminals who want to contribute to its distribution. It seems that scams have created an affiliate system and they share the revenue with people who help to distribute the virus. Finally, it has been discovered that this version claims it is the 3.1 version in its source code, although the ransom note still says it is the 3.0 version. Victims should quickly remove this virus in case it infects their systems.

PadCrypt 3.1.2 ransomware virus emerged on the web in the beginning of December 2016 and struck the users with more questions than answers. The program does not seem to have acquired any new features, at least the ones that are apparent. We can only presume that the hackers behind the virus have patched up some problematic parts in the program’s code and hope that these improvements have not made the parasite even more malicious. Perhaps a single interesting finding about this ransomware version so far is that it seems to be distributed by the well-known Artemis Trojan. It is yet unknown whether the virus decrypts the locked files after six months as the original virus version, but we do not recommend waiting it out. During this time you probably will not be able to use your computer properly and the new files you create on the infected device will be encrypted once again. Thus, we strongly recommend you to remove this version of PadCrypt from your computer.

PadCrypt 3.2.2 ransomware virus is a malicious crypto-virus which was found to be a ransomware-as-a-service (RaaS). Interested parties (hackers, bad guys, etc.) can try to modify this malware according to their needs and then use it for encrypting people’s files and collecting ransoms. Of course, the owner of 3.2.2 malware version gets some part of the collected fees in exchange for letting others use the virus. According to the latest gossip, this version is another modification of the Razy ransomware which uses AES-265 and RSA encryption algorithms to encrypt the files of its victims. The amount of ransom varies from 0.5 to 1.5 Bitcoin what is equal to $1065. Please, do NOT even think about paying such ransom to the developers of this ransomware! There is no guarantee that they will recover your files after receiving such amount of money. You need to remove PadCrypt 3.2.2 virus as soon as you find out that you are infected because this malware can also modify your process list and try to connect to hackers with the help of the remote C&C servers.

PadCrypt 3.4.4 ransomware virus is the latest version of the virus which showed up in the middle of March. No matter that it hasn’t been very active, it can infect your computer using the same methods as previous versions. As soon as it infiltrates the system, it works on collecting specific information and transferring it to its owners. It has been revealed that it tries to reveal computer’s IP address, its geolocation, name, System Bios Version, etc. It uses C&C servers to transfer this data to its owners. The second stage of the functionality of PadCrypt 3.4.4 ransomware involves the encryption of victim’s files. Be careful with this malware and do NOT pay the ransom.

PadCrypt 3.5 ransomware virus. The latest ransomware variant was spotted in April 2017, and the first example spotted arrives in the form of two files: dpd_label_1ade8daf._pdf.scr and Adobe Reader.exe. As you can see, the first file has a double extension (the real one is .scr, not .pdf), and it pretends to be a document from DPD. Therefore, we assume that this malicious virus is distributed using email spam. The ransomware encrypts all files adding extensions that match the virus’ name and leave a ransom note behind. The virus leaves ransom note in three different files: +WANT_YOUR_FILES_BACK.html, +WANT_YOUR_FILES_BACK.txt and +RESTORE_FILES_NOW.html. With this version, the ransomware also upgrades its TOR site and adds a “Review” page, where victims can leave reviews and expect attackers to lower the ransom price for them.

Remove PadCrypt ransomware from the system

Unfortunately, it is impossible to remove PadCrypt virus and recover the encrypted files at the same time. For that you need to have a special key which is usually help by hackers for as long as you decide to open your e-wallet and pay the ransom. You can, however, delete this virus and its components from your computer to prevent the further encryption of your files. This procedure is also advisable when trying to find additional threats that might be lurking in your computer without your knowledge. We don’t recommend you trying to perform a full PadCrypt removal procedure manually because there are lots of ransomware components that can hardly be found without a reputable anti-spyware/anti-malware program. The best variants of such software are given below, so make sure you install one of them to fix your computer properly. To protect yourself from such malicious viruses in the future, make sure you keep the security software up-to-date, backup your important files constantly and stay away from spam. 

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove PadCrypt virus, follow these steps:

Remove PadCrypt using Safe Mode with Networking

If this virus is blocking your scanner, you should try rebooting your computer to Safe Mode with Networking first:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove PadCrypt

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete PadCrypt removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove PadCrypt using System Restore

If Safe Mode with Networking failed to help you unlock your computer, you should try using System Restore:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of PadCrypt. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that PadCrypt removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove PadCrypt from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by PadCrypt, you can use several methods to restore them:

Recover with Data Recovery Pro

Victims can try to decrypt their files using Data Recovery Pro software. It might help you to recover some of your files.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by PadCrypt ransomware;
  • Restore them.

Use ShadowExplorer to recover files encrypted by this ransomware

If you are lucky enough to find out that PadCrypt ransomware did not remove the shadow volume copies of your files, you can use ShadowExplorer. Here are the steps that you should follow to use this tool properly:

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Wait six months to get your data back

The described virus says that victims should not delete the encrypted data because there is a chance to recover them for free in case the victim has no money to pay the ransom. If your files are not that important and you do not need them urgently, you can wait and see what happens. Just remember that criminals are unpredictable and you can never count on them. 

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from PadCrypt and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Alice Woods
Alice Woods - Likes to teach users about virus prevention

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Alice Woods
About the company Esolutions

Removal guides in other languages

  1. E.Jones says:
    February 25th, 2016 at 7:19 am

    Need help decrypting my files. If anyone can help, please contact me – I lost all my important records and I must get them back as soon as possible. Please help…

  2. Domm says:
    February 25th, 2016 at 7:19 am

    A live chat? I would like to contact these frauds and say what I actually think about them… Filthy idiots

  3. Hero19 says:
    February 25th, 2016 at 7:21 am

    Removed the virus, but the files are still encrypted. Is someone doing something to create a decryption tool or something like that?

Your opinion regarding PadCrypt ransomware