Severity scale:  

PayDay ransomware virus. How to remove? (Uninstall guide)

removal by Olivia Morelli - - | Type: Ransomware

PayDay ransomware continues its malicious activity by releasing new variants

Picture of PayDay virus note

PayDay ransomware is a malicious program spotted spreading at the end of 2016. Originally, it targets Portuguese computer users. However, hackers keep releasing new versions of the crypto-malware that attack people worldwide. The most recent variant might be Sexy ransomware, which was discovered in November 2017.

Payday virus is based on the HiddenTear[1] and uses AES cryptography. While it appends .sexy, the new version attaches .[email]-id-id.payday file extension to each encoded file. You may recover access to your data by using either standard or brute-force HiddenTear decryptor.

While PayDay encrypts data, you might notice system slowdowns. The computer can slow down for many different reasons, and ransomware is definitely not the first thing that comes to mind.

Once the PayDay ransomware virus renders all target files into useless pieces of data, it creates a HyperText Markup Language format file called !!!!!ATENÇÃO!!!!!.html and saves it on user’s desktop. The ransom note opens via a web browser and explains (in Portuguese) that files have been encrypted, and now the victim needs to pay up if he/she wants to see or use them ever again.

The PayDay malware asks for R$950, which is approximately 286 USD. The virus refuses to receive the ransom in any other currency but Bitcoins, as this way authors of this ransomware can receive money and stay anonymous. Perpetrators leave a contact email address in case the victim wants to ask something –

You shouldn’t fall for ransomware threats and get rid of this virus as soon as you can because it is yet another decryptable HiddenTear variant. Remove PayDay using guidelines given below and then prepare for data decryption process, which will convert all .sexy files into normal ones.

To eliminate this crypto-malware, you have to obtain a professional antivirus or malware removal tool, such as Reimage or Malwarebytes Anti Malware. However, you should also check PayDay removal guide at the end of the article to learn how to succeed in this task.

Sexy ransomware might be an offspring of the latter malware

Sexy virus attaches .sexy file extension to the encoded data as well. While the amount of the ransom remains not indicated, the cybercriminals insist on contacting via e-mail address to settle the price for a decryption tool. 

Besides, victims are allowed to send one file for a free decryption that doesn't contain any valuable information. Even though crooks try to earn people's trust, we recommend you to focus on the Sexy removal instead. It is clear that they are not going to stop their malicious activity. Thus, do not motivate them by paying the ransom to develop new versions similar to the PayDay ransomware or updating this one. 

Introduction to the new variant of the ransomware

This October, cybersecurity experts from[2] have noticed an example of the crypto-malware that appends .[]-id-.payday file extension at the end of the file-name. It is believed that the ransomware is inextricably linked to BTCWare together with PayDay virus.

Questions about PayDay ransomware virus

After finishing data encryption, the virus delivers !! RETURN FILES !!.txt file which briefly informs about ransomware attack:

all your files have been encrypted
want return files?
write on email:

Later on, the malware opens payday.hta file with further instructions. The latest version includes new email addresses: and The malware has been spotted spreading via spam email entitled as Schedule_order.r03. Though the malware developer pretend to be a representative of KAVITA company, take a look at the message content:

Dear Sir,

Attached, please find attached Memo in the folder for purchase requests

Kindly issue requested Order confirmation at your earliest.

Looking forward to your cooperation in the matter for which thank you beforehand.

The malware felons did not bother themselves to write the message in correct English. Ample of grammar mistakes and lack of punctuation marks already suggest deceptive origin of the message. Furthermore, this PayDay ransomware version employs brute-force attack strategy, specifically looks for weak Remote Desktop protocols. There are third-party tools which help you manage them and change them into more complex ones. 

In order to reduce the probability of ransomware encounter, these recommendations might be of use:

  • set a limit for failed log-in attempts
  • activate two-step verification 
  • update security apps and crucial software such as Java and Adobe Flash Player once the updates are issued
  • set up complex passwords comprised of letters, punctuation marks, characters and numbers (avoid using full dictionary form words)

In any case, make a rush to eliminate crypto-virus from the system and try either BTCWare or HiddenTear decryption software.

Do not open spam e-mails

Common distribution method employed is to send phishing e-mails that download the executable files of the malware. Spam e-mails look extremely genuine. Thus, victims are tricked to open the attachments, which are designed to infiltrate the ransomware into the system. Besides, the file-encrypting virus might spread via malware-laden advertisements and through exploit kits[3] as well. 

Therefore, we suggest you stay away from advertisements that promise too good to be true offers. It is also a good idea to ignore ads from questionable third-party sites, especially if they urge you to install “required updates.” Such updates are typically bundled with malicious components. Finally, beware of exploit kits, who waylay in compromised or simply infectious websites and try to exploit software vulnerabilities in visitors’ computers.

PayDay virus termination procedure

You are advised to remove PayDay virus with a reputable security software since it will save you time and eliminate other malicious programs which might be disrupting your computer's performance. We also want to warn you that the malware might prevent you from downloading the antivirus software. You can circumvent it by booting your PC into Safe Mode before. 

Additionally, you should know that manual PayDay removal is also possible, but not recommended. If you are not experienced enough, you can easily delete wrong files or Registry Keys, which can cause a lot of stability-related computer problems.

Therefore, we suggest you clean the system using Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware (or antivirus that you have). If ransomware prevents from installing or using security software, you should find the instructions below handy.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove PayDay ransomware virus you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall PayDay ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.
Press mentions on Reimage

To remove PayDay virus, follow these steps:

Remove PayDay using Safe Mode with Networking

The presented instructions will show you how to prevent Payday ransomware from blocking you to download the security software.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove PayDay

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete PayDay removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove PayDay using System Restore

Some victims report that the guide mentioned above doesn't seem to help. In such case you should try the alternative method:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of PayDay. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that PayDay removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove PayDay from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by PayDay, you can use several methods to restore them:

Try HiddenTear BruteForcer together with Decryptor to help you retrieve the most important data

Luckily, security experts have developed alternative recovery tools for the victims of different HiddenTear's versions. You should start by downloading HiddenTear BruteForcer and uploading a file with .PNG extension into it. Shortly after, search for the HiddenTear in the Mode menu and launch BruteForce. Afterward, install HiddenTear Decryptor and use the decryption code generated by the BruteForce to recover your data.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from PayDay and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions


Removal guides in other languages