Payfast ransomware (virus) - Recovery Instructions Included

What is Payfast ransomware?

Payfast ransomware is a type of malware that prevents you from accessing your files

Ransomware locks personal files and then asks to pay 0.013 Bitcoin for a decryption tool

Malicious programs are created more rapidly in the past few years, and the illegal business of ransomware has seen an extreme rise. Payfast virus, which belongs to a relatively prominent malware family Zeppelin, is yet another attempt by cybercriminals to monetize victims' misfortune.

Once installed on the system, it performs severe changes to not only the Windows system but also personals files. In fact, the changes of the former are conducted to ensure that the file encryption is performed without any problems. Using a combination of sophisticated algorithms AES and RSA, ransomware encrypts documents, pictures, videos, and all other data on the computer. It excludes several locations on the system, allowing it to function (as destroying system files is not the goal of ransomware infections).

During the encryption process, each file is appended with a specific file extension – .payfast[ID]. While being a later stage of the infection, this symptom is the main one that makes victims realized that something has happened to their machines. For example, a file called picture.jpg would be changed into something like picture.jpg.payfast500.XXX-XXX-XXX (the X's are usually replaced with alphanumeric characters – they change from victim to victim). Also, .payfast290.XXX-XXX-XXX extensions were recently spotted as well. This tendency will likely continue in the future.

Soon after the data locking process, it delivers a ransom note titled !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT. Within the note, cybercriminals explain that users have to pay 0.013 BTC (although this sum is to double within a day) to retrieve a decryption tool that allegedly would restore all the files. Crooks also offer to send a file via payfast290@mail2tor.com or payfast500@mail2tor.com for test decryption – it should hold no important information.

However, security experts do not recommend contacting criminals as they are not obligated to send the decryptor for you. In this article, we will provide you with instructions on dealing with the dangerous ransomware infection for the best outcome for you.

Zeppelin ransomware is not new in the cybersecurity world

While it can be easily said that Djvu is the most prominent ransomware family which targets home users, there are plenty of other strains that also want to benefit from the illegal activity of money extortion. First seen in November 2019, this malware has seen steady growth over the years, and new variants keep emerging regularly. The lineage comes from other ransomware strains, including VegaLocker and Buran.

The virus mainly spreads via contaminated email attachments or links – malspam^[1] remains the most popular malware delivery technique to this day. In order to protect yourself from malware infections, you should always be careful when opening new emails, especially if they include an MS Office file. Never allow macros from these documents to be run on your PC; otherwise, the infection of the system might start immediately. As evident, running a powerful security application at all times should always be something you do.

Payfast ransomware is a variant of a widespread Zeppelin malware

Variants of this ransomware family are known to target high-profile organizations such as hospitals, although small businesses and regular users can also be infected due to the nature of the attack vector. Cybercriminals also choose targets by exploiting vulnerabilities^[2] in corporate network software such as ConnectWise Control.

What to do after you get infected with Payfast ransomware?

First of all, you should not panic. While ransomware is indeed the most devastating infection to home users and corporations, the best thing to do now is to focus on Payfast removal and file recovery. However, it is important to do this correctly, as bad actions can result in personal files being permanently corrupted.

As malware can affect Windows in numerous ways, it might prevent you from removing it. Therefore, you should access Safe Mode with Networking in order to temporarily disable its functions:

Windows 7 / Vista / XP

1. Click Start > Shutdown > Restart > OK.
2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8

1. Right-click on Start button and select Settings.
   
2. Scroll down to pick Update & Security.
3. On the left side of the window, pick Recovery.
4. Now scroll down to find Advanced Startup section.
5. Click Restart now.
6. Select Troubleshoot.
7. Go to Advanced options.
8. Select Startup Settings.
9. Click Restart.
10. Press 5 or click 5) Enable Safe Mode with Networking.

Once in Safe Mode, you should remove the Payfast virus with the help of anti-malware software such as SpyHunter 5Combo Cleaner or Malwarebytes. Security software should be able to find all the malicious files and entries and remove them automatically for you. Doing this manually should not even be considered. Once malware is deleted, you can proceed with the alternative data recovery methods we provide below.

Next step: what to do with the files

File encryption is the feature of ransomware that makes it so terrible. Many users believe that they will restore their data as soon as they scan their systems with anti-virus software. However, it is not designed for such a purpose and will not restore your files.

The best thing to do would be to recover your files via backups. Your situation is quite a bit more complicated if you have no such backups ready. However, not everything is lost, and you should definitely not rush and pay criminals. They might never send you the decryption tool, or it might simply not work. You will end up losing your money along with your data.

Instead, you should try using recovery software. Before you proceed, however, you should copy the encrypted files onto a separate medium, such as a USB flash drive or SSD, and then disconnect them from your computer. Encrypted data does not hold any malicious code, so it is safe to transfer to other devices.

Once that is done, proceed with using recovery software:

• Download Data Recovery Pro.
• Double-click the installer to launch it.
  
• Follow on-screen instructions to install the software.
• As soon as you press Finish, you can use the app.
• Select Everything or pick individual folders where you want the files to be recovered from.
• Press Next.
• At the bottom, enable Deep scan and pick which Disks you want to be scanned.
• Press Scan and wait till it is complete.
• You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
• Press Recover to retrieve your files.

Security researchers are constantly working on battling malicious actors and helping victims by creating free decryptors. Unfortunately, such a tool is not yet developed for this malware family. There are several places where you could look for decryptors in the future:

• No More Ransom Project
• Free Ransomware Decryptors by Kaspersky
• Free Ransomware Decryption Tools from Emsisoft
• Avast decryptors

Remediate your Windows after malware elimination

In order for Payfast ransomware to be successful, it needs to beat all the obstacles that stand in front of it. First of all, the malware checks the default language of the system and exits without infecting anything when it is set to the following languages:

• Russia
• Belarus
• Ukraine
• Kazakhstan

This tactic is not new and is commonly used by eastern criminals to avoid attention from local authorities. Only if the victim does not come from the aforementioned countries, the infection is immediately initiated.

This then prompts malware to perform multiple malicious tasks, including deleting Shadow Volume Copies to prevent easy data recovery, altering Windows registry^[3] for automatic startup, settings itself to be run with elevated permissions, disabling security software of the most popular anti-malware tools, and much more.

Changes to the system can seriously damage it, resulting in crashes, errors, and other malfunctions after malware elimination. Therefore, in order to fix these problems, we recommend you fix your system using automatic repair software:

• Download FortectIntego
• Click on the ReimageRepair.exe
  
  
• If User Account Control (UAC) shows up, select Yes
• Press Install and wait till the program finishes the installation process
• The analysis of your machine will begin immediately
• Once complete, check the results – they will be listed in the Summary
• You can now click on each of the issues and fix them manually
• If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.

By employing this tool, you would not have to worry about future computer issues, as most of them could be fixed quickly by performing a full system scan at any time. Most importantly, you could avoid the tedious process of Windows reinstallation in case things go very wrong due to one reason or another.

Below you will also find several tips that should help you improve your online security and make data backups to avoid its loss in the future.