Remove PadCrypt Ransomware and Restore .ETC Files

Meet PadCrypt, a new addition to the ransomware malware category just detected by malware researchers at abuse(.)ch and analyzed by MalwareHunterTeam. Once installed on a system, PadCrypt will encrypt certain files and append an .ETC extension. The demanded payment is 0.8 Bitcoin, or approximately $320.

Name: PadCrypt Ransomware
Type: Ransomware
Short Description: PadCrypt ransomware has features similar to CryptoWall. It uses the AES algorithm.
Symptoms: The victim's files are locked and have an .ETC extension appended.
Distribution Method: Via spam email attachments posing as PDF files.

PadCrypt General Description

PadCrypt deletes the Shadow Volume Copies, which takes away the simplest local recovery option, yet it also ships with an uninstaller inside its code. Interestingly enough, PadCrypt offers live chat support to its victims, most likely to increase the chance that they pay. The real-time chat is meant to walk victims through the frustrating payment process and to reassure them that the decryption key will be delivered. At the time of writing this feature does not work because the command & control servers are offline.

Also, the ransomware has a lot in common with CryptoWall, which is not that surprising. Cyber criminals just love to imitate CryptoWall, proven to be one of the most notorious ransomware pieces ever written.
For example, some versions of CryptoWall also had live support, but it was a Web-based chat that was supported by the website where victims would pay the ransom. PadCrypt’s live chat is available directly on the victim’s machine, and the victim doesn’t need to launch a browser or install Tor.

PadCrypt Ransomware Distribution Techniques

Ransomware is often spread in email spam campaigns, featuring malicious email attachments and archive files. Researchers believe that PadCrypt is spread via attachments posing as PDF files in the email body. Cyber criminals often send specially crafted emails, impersonating legitimate entities such as governmental institutions or well-known services, to trick users into opening them.


Keep in mind that, spam emails aside, ransomware can also be dropped by Trojan horses, either contained in a malicious attachment or hosted on a malicious website. Trojans also lurk in torrents and on P2P sites, and can be installed on a victim's machine via a drive-by download.

PadCrypt Ransomware Technical Description

Once the malicious attachment observed in this campaign (possibly named something like DPD_11394029384.pdf.scr) is executed, the user's machine is infected with PadCrypt. The file is not a PDF at all: it is an executable whose name ends in .pdf.scr, so Windows runs it as a screensaver binary while the .pdf part lures the user into expecting a document. Once it is executed, the package.pdcr and uninstl.pdcr files are downloaded from the C&C servers, which are now offline, as pointed out by Bleeping Computer.

Researchers have identified the following command & control servers associated with PadCrypt:

  • annaflowersweb(.)com;
  • subzone3.2fh(.)co;
  • cloudnet(.)online.
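As an added example (not code from the article or from the researchers it cites), the following Python script flags two of the delivery and beaconing indicators described above: attachment names that hide an executable extension behind a document-looking one, as in DPD_11394029384.pdf.scr, and DNS queries for the three command & control domains, including their subdomains. The sample attachment names, the DNS log lines and their "timestamp client query: name" layout are constructed for the example and are not captured data.

```python
import re

# C&C domains listed in the article (the defanged "(.)" written as real dots).
C2_DOMAINS = {"annaflowersweb.com", "subzone3.2fh.co", "cloudnet.online"}

# Extensions Windows runs as programs, and extensions users read as harmless documents.
EXECUTABLE_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

def is_deceptive_attachment(name: str) -> bool:
    """True when the real (last) extension is executable but the part before it
    looks like a document, e.g. DPD_11394029384.pdf.scr -> pdf + scr."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False          # no double extension at all
    _, inner, outer = parts
    return outer in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS

def flag_attachments(names):
    return [n for n in names if is_deceptive_attachment(n)]

def is_c2_domain(qname: str) -> bool:
    """Exact or subdomain match against the C&C list; the trailing dot DNS logs add is ignored."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)

# Assumed log layout for this example: "<timestamp> <client-ip> query: <qname>"
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)$")

def find_c2_queries(lines):
    """Return (timestamp, client, domain) for every query that hits a C&C domain."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if m and is_c2_domain(m["qname"]):
            hits.append((m["ts"], m["client"], m["qname"].rstrip(".").lower()))
    return hits

# Constructed sample data (not captured from a real PadCrypt infection).
SAMPLE_ATTACHMENTS = ["DPD_11394029384.pdf.scr", "quarterly_report.pdf", "photo.jpg.exe", "notes.txt"]
SAMPLE_DNS_LOG = [
    "2016-02-15T09:12:03Z 10.0.0.23 query: www.annaflowersweb.com.",
    "2016-02-15T09:12:05Z 10.0.0.23 query: subzone3.2fh.co.",
    "2016-02-15T09:12:07Z 10.0.0.41 query: update.microsoft.com.",
    "2016-02-15T09:13:00Z 10.0.0.23 query: cloudnet.online.",
]

if __name__ == "__main__":
    print("deceptive attachments:", flag_attachments(SAMPLE_ATTACHMENTS))
    for ts, client, domain in find_c2_queries(SAMPLE_DNS_LOG):
        print(f"{ts} {client} -> {domain}")
```

The attachment check keys on the real (last) extension rather than on the lure, so a plain setup.exe is not flagged by it; that case belongs to ordinary executable-attachment blocking at the mail gateway. The domain check matches subdomains as well, since a sample that resolves www.annaflowersweb.com is as interesting as one that resolves the bare domain.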

Other Technical Details

PadCrypt main executable: package.pdcr
PadCrypt uninstaller: uninstl.pdcr

N.B. Both of the files are stored in the %AppData%\PadCrypt folder.

A curious theory about the existence of an uninstaller is that the ransomware creators may have used templates, and as a result the uninstaller was generated automatically, as pointed out by Softpedia.

PadCrypt Ransomware Encryption Process

Once the ransomware is launched, it scans the local drives for files with certain extensions and encrypts them with the AES algorithm. As a result, the encrypted files will have the .ENC extension appended to them.
All encrypted files are recorded in the %AppData%\PadCrypt\files.txt file.

The file extensions targeted by PadCrypt are:

→pdf, gif, bmp, jpeg, jpg, png, doc, docx, ppt, ptx, psd, pdn

As mentioned in the beginning, PadCrypt also targets and deletes the Shadow Volume Copies by executing the following command:

→vssadmin delete shadows /for=z: /all /quiet

Once the encryption process is finished, PadCrypt creates an IMPORTANT READ ME.txt file on the desktop, containing the ransom instructions:

[Image: PadCrypt's IMPORTANT READ ME.txt ransom note. Image source: Bleeping Computer]
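The artifacts above form a host-side checklist. As an added example (not code from the article or from the researchers it cites), the following Python script walks a user profile directory for those artifacts: the %AppData%\PadCrypt folder with package.pdcr, uninstl.pdcr and files.txt, the IMPORTANT READ ME.txt note on the desktop, and files carrying the encrypted extension. Because the article gives that extension as .ETC in its summary box and .ENC in this section, the script treats both as suspect. It also matches the vssadmin shadow-deletion command line as it would appear in a process-creation log, without pinning down the drive letter or switches, so the rule also catches variants aimed at other drives. The sample profile tree is constructed in a temporary directory with placeholder contents, and the profile layout assumed is the standard Windows one (AppData\Roaming).

```python
import re
import tempfile
from pathlib import Path

# Artifacts named in the article. The extension is given as .ETC in the summary box and
# .ENC in the technical section, so both are treated as suspect.
ENCRYPTED_EXTS = {".etc", ".enc"}
PADCRYPT_DIR_PARTS = ("AppData", "Roaming", "PadCrypt")     # %AppData%\PadCrypt
PADCRYPT_FILES = {"package.pdcr", "uninstl.pdcr", "files.txt"}
RANSOM_NOTE = "IMPORTANT READ ME.txt"

# Any "vssadmin delete shadows" invocation is flagged; the drive letter and switches that
# follow (/for=z: /all /quiet in the observed sample) are deliberately not pinned down.
SHADOW_DELETE_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)

def is_shadow_deletion(cmdline: str) -> bool:
    """True for a process command line that wipes Volume Shadow Copies."""
    return bool(SHADOW_DELETE_RE.search(cmdline))

def triage_profile(profile: Path) -> dict:
    """Walk one user profile and collect the PadCrypt indicators present in it."""
    findings = {
        "padcrypt_files": [],       # which of the three dropped files exist
        "listed_in_files_txt": [],  # paths the malware itself recorded as encrypted
        "ransom_note": False,
        "encrypted_files": [],      # files on disk carrying the encrypted extension
    }
    padcrypt_dir = profile.joinpath(*PADCRYPT_DIR_PARTS)
    for name in sorted(PADCRYPT_FILES):
        if (padcrypt_dir / name).is_file():
            findings["padcrypt_files"].append(name)
    files_txt = padcrypt_dir / "files.txt"
    if files_txt.is_file():
        findings["listed_in_files_txt"] = [
            line.strip() for line in files_txt.read_text(errors="replace").splitlines() if line.strip()
        ]
    findings["ransom_note"] = (profile / "Desktop" / RANSOM_NOTE).is_file()
    for p in profile.rglob("*"):
        if p.is_file() and p.suffix.lower() in ENCRYPTED_EXTS:
            findings["encrypted_files"].append(p.relative_to(profile).as_posix())
    findings["encrypted_files"].sort()
    return findings

def build_sample_profile() -> Path:
    """Constructed profile tree for offline testing; the file contents are placeholders,
    not bytes from a real infection."""
    root = Path(tempfile.mkdtemp(prefix="padcrypt_sample_"))
    dropped = root.joinpath(*PADCRYPT_DIR_PARTS)
    dropped.mkdir(parents=True)
    (dropped / "package.pdcr").write_bytes(b"MZ placeholder")
    (dropped / "uninstl.pdcr").write_bytes(b"MZ placeholder")
    (dropped / "files.txt").write_text(
        "C:\\Users\\victim\\Documents\\budget.docx\nC:\\Users\\victim\\Documents\\photo.jpg\n"
    )
    docs = root / "Documents"
    docs.mkdir()
    (docs / "budget.docx.enc").write_bytes(b"\x00" * 16)
    (docs / "photo.jpg.enc").write_bytes(b"\x00" * 16)
    (docs / "untouched.txt").write_text("still plaintext")
    (root / "Desktop").mkdir()
    (root / "Desktop" / RANSOM_NOTE).write_text("Your files have been encrypted.")
    return root

if __name__ == "__main__":
    report = triage_profile(build_sample_profile())
    for key, value in report.items():
        print(f"{key}: {value}")
    print("shadow wipe:", is_shadow_deletion("vssadmin delete shadows /for=z: /all /quiet"))
```

Run as a script it prints the findings for the constructed tree; in a real investigation, point triage_profile at C:\Users\<name> on a mounted image, and compare listed_in_files_txt against encrypted_files, since files.txt is the malware's own record of what it touched and is the list to work from when restoring from backup.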

PadCrypt Ransomware Removal Options

Quite curiously, the C&C servers for PadCrypt are currently offline, which possibly means that its creators have found flaws in their code (and are probably trying to fix them as we speak). In case of infection, the victim should immediately back up the affected data and remove the ransomware with a strong anti-malware program. As mentioned, the PadCrypt uninstaller is downloaded during the ransomware installation from the same C&C servers; while those servers are unavailable, new infections will not receive the uninstaller either, so it cannot be relied on for cleanup.

Follow these instructions to clean your system and back up your data.

1. Boot Your PC In Safe Mode to isolate and remove PadCrypt Ransomware
2. Remove PadCrypt Ransomware with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by PadCrypt Ransomware in the future
4. Restore files encrypted by PadCrypt Ransomware
Optional: Using Alternative Anti-Malware Tools
NOTE! Manual removal of PadCrypt Ransomware requires interfering with system files and the registry, and a mistake there can damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

