Severity scale: 99/100

Remove PayDay ransomware / virus (Removal Guide) - updated Feb 2019

Removal by Olivia Morelli | Type: Ransomware

PayDay ransomware is a cryptovirus whose new 2019 version of the file-encrypting malware demands $200

Screenshot of PayDay virus ransom note


PayDay ransomware is a malicious program spotted spreading at the end of 2016, with new versions continuously released until 2019. Originally, it targeted Portuguese computer users, but the hackers keep distributing this crypto-malware all over the world. One of the variants, Sexy ransomware, was discovered in November 2017, and more versions have surfaced since. The PayDay virus is based on HiddenTear[1] and uses AES cryptography. While the first version appends .sexy, other versions attach the .[email]-id-id.payday extension or an appendix of 6 random letters to each encoded file. You may recover access to your data with either the standard or the brute-force HiddenTear decryptor, but the malicious actors modify their products to make them immune to previously released decryption tools. The newest variant of PayDay ransomware drops the HOW_TO_DECRYPT_MY_FILES.txt file as a ransom note and demands $200 for the decryptor.

Name: PayDay ransomware
Type: Cryptovirus
Ransom note: HOW_TO_DECRYPT_MY_FILES.txt; !! RETURN FILES !!.txt
Known since: 2016
Ransom amount: $200
File extension: .[email]-id-id.payday; .sexy; .random-6-letters
Cryptography: AES encryption algorithm
Distribution: Spam email attachments
Elimination: Use powerful antivirus to remove PayDay virus and clean the system using Reimage

While PayDay encrypts data, you might notice system slowdowns. The computer can slow down for many different reasons, and ransomware is definitely not the first thing that comes to mind.

Once the PayDay ransomware virus renders all target files into useless pieces of data, it creates a HyperText Markup Language format file called !!!!!ATENÇÃO!!!!!.html and saves it on user’s desktop. The ransom note opens via a web browser and explains (in Portuguese) that files have been encrypted, and now the victim needs to pay up if he/she wants to see or use them ever again.

The PayDay malware asks for R$950, which is approximately 286 USD. The virus accepts the ransom only in Bitcoin, since this lets the ransomware authors receive money while staying anonymous. The perpetrators leave a contact email address in case the victim wants to ask something: CatSexy@protonmail.com

You shouldn't give in to the ransomware's threats; get rid of this virus as soon as you can, because it is yet another decryptable HiddenTear variant. Remove PayDay using the guidelines given below and then prepare for the data decryption process, which will convert all .sexy files back into normal ones.

To eliminate this crypto-malware, you have to obtain a professional antivirus or malware removal tool, such as Reimage or Malwarebytes. You should also check the PayDay ransomware removal guide at the end of the article to learn how to succeed in this task.

Sexy ransomware might be an offspring of this malware

The Sexy virus also attaches the .sexy file extension to the encoded data. While the ransom amount is not specified, the cybercriminals insist on being contacted via the sexy_chief@aol.com e-mail address to settle the price of a decryption tool.

Besides, victims are allowed to send one file that doesn't contain any valuable information for free decryption. Even though the crooks try to earn people's trust, we recommend focusing on Sexy removal instead. It is clear that they are not going to stop their malicious activity, so do not motivate them by paying the ransom, which only funds new versions similar to PayDay ransomware or updates to this one.

The ransom note by PayDay ransomware virus
Originally, PayDay ransomware virus aims at Portuguese-speaking computer users.

Introduction to the variants of the PayDay ransomware

Cybersecurity experts from NoVirus.uk[2] have noticed a sample of the crypto-malware that appends the .[]-id-.payday file extension to the end of the file name. This variant is believed to be closely linked to BTCWare as well as to the PayDay virus.

After finishing data encryption, the virus drops the !! RETURN FILES !!.txt file, which briefly informs the victim about the attack:

all your files have been encrypted
want return files?
write on email: keyforyou@tuta.io

Later on, the malware opens the payday.hta file with further instructions. The latest version includes new email addresses: checkzip@india.com and payday@cryptmaster.info. The malware has been spotted spreading via a spam email titled Schedule_order.r03. The malware developer pretends to be a representative of the KAVITA company; take a look at the message content:

Dear Sir,

Attached, please find attached Memo in the folder for purchase requests

Kindly issue requested Order confirmation at your earliest.

Looking forward to your cooperation in the matter for which thank you beforehand.

The malware felons did not bother to write the message in correct English. The many grammar mistakes and the lack of punctuation already suggest the deceptive origin of the message. Furthermore, this PayDay ransomware version employs a brute-force attack strategy, specifically looking for weak Remote Desktop Protocol (RDP) credentials. Third-party tools can help you manage those passwords and replace them with more complex ones.

To reduce the probability of a ransomware infection, these recommendations might be of use:

  • set a limit for failed log-in attempts
  • activate two-step verification
  • update security apps and crucial software such as Java and Adobe Flash Player as soon as the updates are issued
  • set up complex passwords comprised of letters, punctuation marks, special characters and numbers (avoid using full dictionary words)
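The brute-force behaviour described above and the first recommendation (limiting failed log-in attempts) can be checked from the defender's side. The following Python script is an added example, not code from the article or its author: it runs over a constructed sample of Windows Security log records (failed-logon event 4625 with logon type 10, i.e. a Remote Desktop session) and flags source addresses that cross a failure threshold inside a sliding time window; the record layout, IP addresses and timestamps are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

FAILED_LOGON = 4625        # Windows Security event: an account failed to log on
RDP_LOGON_TYPE = 10        # RemoteInteractive, i.e. a Remote Desktop session

def _burst(ip: str, start: datetime, count: int, step: timedelta) -> List[dict]:
    """Build `count` constructed failed-RDP-logon records from one source IP."""
    return [{"time": (start + i * step).isoformat(), "event_id": FAILED_LOGON,
             "logon_type": RDP_LOGON_TYPE, "ip": ip, "user": "Administrator"}
            for i in range(count)]

T0 = datetime(2019, 2, 3, 1, 0, 0)
# Constructed sample log (documentation IP ranges, invented timestamps):
SAMPLE_EVENTS = (
    _burst("203.0.113.7", T0, 6, timedelta(seconds=20))          # 6 failures in 2 min
    + _burst("198.51.100.4", T0, 2, timedelta(minutes=1))        # a user mistyping twice
    + _burst("192.0.2.9", T0, 6, timedelta(minutes=30))          # slow, spread over hours
    + [{"time": T0.isoformat(), "event_id": FAILED_LOGON, "logon_type": 2,
        "ip": "-", "user": "bob"},                               # local console failure
       {"time": T0.isoformat(), "event_id": 4624, "logon_type": RDP_LOGON_TYPE,
        "ip": "203.0.113.7", "user": "Administrator"}]           # a successful logon
)

def rdp_bruteforce_sources(events: List[dict], threshold: int = 5,
                           window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Return {ip: peak failures} for sources with >= `threshold` failed RDP
    logons inside any sliding `window`; all other events are ignored."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != FAILED_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        now = datetime.fromisoformat(ev["time"])
        q = recent[ev["ip"]]
        q.append(now)
        while now - q[0] > window:          # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, n in rdp_bruteforce_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: {n} failed RDP logons within 10 minutes")
```

The slow source (one failure every 30 minutes) is deliberately not flagged by the default window, which is the trade-off any lockout threshold makes.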

In any case, hurry to eliminate the crypto-virus from the system, then try either the BTCWare or the HiddenTear decryption software.

PayDay ransomware 2019
PayDay ransomware virus releases a new ransom note with a $200 ransom demand.

At the beginning of February 2019, MalwareHunterTeam discovered a new PayDay ransomware version with a few features that differ from the first versions of the malware.

This virus still uses AES encryption and focuses on the file-locking process as the first step of the attack. According to various analyses, the developers appear to focus on specific locations in different campaigns.

When files get encrypted, a random six-letter marker is appended to every document, photo or database file, and the ransom note, HOW_TO_DECRYPT_MY_FILES.txt, is placed in every folder containing encoded files. The note states that the ransom amount is $200 and reads as follows:

============== !!!PAYDAY RANSOMWARE!!! ==============
Attention! All your files are encrypted with extension ***.
to decrypt your files – you must buy decryptor. Decryptor price – 200 USD.
If the decryptor is not bought within 3 day’s – files will be pernamently destroyed.
You can contact us by e-mail, our e-mail address : admin@dontfuckme.top.
Payment is accepted only in bitcoin ( https://en.bitcoin.it/wiki/Main_Page ). Our support will give you the address of our Bitcoin wallet for payment during a personal dialogue.
Contacting us – specify the extension of the encrypted files, and your unique identifier, which is listed below.
Only we can decrypt your files, do not use third-party software, it will break the files.
If you have any problems / questions – our support will help you.
Good luck. May god help you!
Your unique identifier : {**************}___suffinc
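Since the article identifies each variant by its ransom-note file name and appended extension (the !! RETURN FILES !!.txt and payday.hta files above, the .[email]-id-id.payday and .sexy suffixes, and the six-letter suffix with HOW_TO_DECRYPT_MY_FILES.txt in this 2019 build), those indicators can be turned into a simple file-name triage check for a suspected machine. This Python script is an added example, not code from the article: the sample paths, the e-mail/id values inside them and the list of inner document extensions behind the six-letter heuristic are constructed assumptions.

```python
import re
from typing import Dict, List, Optional
# Ransom-note file names the article attributes to PayDay and its variants.
RANSOM_NOTES = {
    "HOW_TO_DECRYPT_MY_FILES.txt": "PayDay 2019",
    "!! RETURN FILES !!.txt": "PayDay (BTCWare-linked)",
    "payday.hta": "PayDay (BTCWare-linked)",
    "!!!!!ATENÇÃO!!!!!.html": "PayDay (Portuguese)",
}
# Appended extensions from the article; the bracketed e-mail and the id vary
# per sample, so both are matched generically.
EXT_PATTERNS = [
    (re.compile(r"\.\[[^\]/\\]+\]-id-[^./\\]+\.payday$", re.I), "PayDay (.[email]-id-id.payday)"),
    (re.compile(r"\.sexy$", re.I), "Sexy / PayDay (.sexy)"),
]
# Heuristic for the 2019 build: six random letters appended behind a still
# visible document/image/database extension (report.docx.kqzmrt). The inner
# extension list is an assumption; extend it for your environment.
SIX_LETTER = re.compile(
    r"\.(?:docx?|xlsx?|pptx?|pdf|txt|jpe?g|png|sqlite|mdb|accdb|db)\.[a-z]{6}$", re.I)

def classify(path: str) -> Optional[str]:
    """Verdict for one path (ransom note / encrypted file), or None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    if name in RANSOM_NOTES:
        return "note: " + RANSOM_NOTES[name]
    for pattern, label in EXT_PATTERNS:
        if pattern.search(name):
            return "encrypted: " + label
    if SIX_LETTER.search(name):
        return "encrypted: PayDay 2019 (six-letter suffix, heuristic)"
    return None

def scan(paths: List[str]) -> Dict[str, List[str]]:
    """Group suspicious paths by verdict; untouched files are dropped."""
    hits: Dict[str, List[str]] = {}
    for p in paths:
        verdict = classify(p)
        if verdict:
            hits.setdefault(verdict, []).append(p)
    return hits

# Constructed sample listing (invented paths, not real indicators):
SAMPLE_PATHS = [
    r"C:\Users\ana\Desktop\HOW_TO_DECRYPT_MY_FILES.txt",
    r"C:\Users\ana\Documents\budget.xlsx.[keyforyou@tuta.io]-id-1A2B.payday",
    r"C:\Users\ana\Pictures\holiday.jpg.sexy",
    r"C:\Users\ana\Documents\report.docx.kqzmrt",
]
```

Feed `scan()` the output of a directory walk; the six-letter rule is only a heuristic, so treat its hits as candidates to review rather than confirmed encryption.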

As usual, the ransomware creators demand payment in cryptocurrency, in this case Bitcoin, but you should avoid any contact with these criminals and remove PayDay ransomware instead. You can do that using anti-malware tools, but don't forget to clean the system afterwards using Reimage or a similar PC repair program.

Pay more attention before opening spam e-mails

The most common distribution method is phishing e-mails that download the malware's executable files. The spam e-mails look extremely genuine, so victims are tricked into opening the attachments, which are designed to plant the ransomware on the system. The file-encrypting virus might also spread via malware-laden advertisements and through exploit kits[3].

Therefore, we suggest you stay away from advertisements with offers that seem too good to be true. It is also a good idea to ignore ads from questionable third-party sites, especially if they urge you to install “required updates.” Such updates are typically bundled with malicious components. Finally, beware of exploit kits, which lurk on compromised or outright malicious websites and try to exploit software vulnerabilities on visitors' computers.

PayDay virus termination procedure involves professional help

You are advised to remove PayDay ransomware with reputable security software, since it will save you time and eliminate other malicious programs that might be disrupting your computer's performance. Be warned that the malware might prevent you from downloading antivirus software; you can circumvent this by booting your PC into Safe Mode first.

Additionally, you should know that manual PayDay ransomware removal is also possible, but not recommended. If you are not experienced enough, you can easily delete the wrong files or registry keys, which can cause a lot of stability problems.

Therefore, we suggest you clean the system using Reimage, SpyHunter 5, Combo Cleaner or Malwarebytes (or the antivirus that you already have). If the PayDay ransomware virus prevents you from installing or using security software, you should find the instructions below handy.


To remove PayDay virus, follow these steps:

Remove PayDay using Safe Mode with Networking

The following instructions show how to prevent PayDay ransomware from blocking you from downloading security software.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove PayDay

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete PayDay removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove PayDay using System Restore

Some victims report that the guide mentioned above doesn't seem to help. In such a case, you should try the alternative method:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of PayDay. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage, scan your computer with it and make sure that PayDay removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove PayDay from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by PayDay, you can use several methods to restore them:

If you have no data backups, Data Recovery Pro can serve as an alternative

When you are dealing with encrypted or accidentally deleted files, Data Recovery Pro may allow you to recover them

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by PayDay ransomware;
  • Restore them.

Try HiddenTear BruteForcer together with Decryptor to help you retrieve the most important data

Luckily, security experts have developed alternative recovery tools for the victims of the different HiddenTear versions. Start by downloading HiddenTear BruteForcer and loading an encrypted file with the .PNG extension into it. Then select HiddenTear in the Mode menu and launch BruteForce. Afterward, install HiddenTear Decryptor and use the decryption key found by the BruteForcer to recover your data.

Finally, you should always think about protection against crypto-ransomware. To protect your computer from PayDay and other ransomware, use reputable anti-spyware such as Reimage, SpyHunter 5, Combo Cleaner or Malwarebytes.

About the author

Olivia Morelli - Ransomware analyst


References

  1. Chrome01 says:
    December 14th, 2016 at 8:53 am

    You're right. They definitely have a few screws loose, if not missing!

  2. 2pac3va says:
    December 14th, 2016 at 8:54 am

    I have recovered my files from a backup, didn't even need to use the suggested decryption tools. .sexy decrypted, thanks!

  3. Monica says:
    December 14th, 2016 at 8:54 am

    Cool, thanks, I'll try to decrypt these corrupted files. The virus is gone already…
