
Remove Paysafe Generator Virus and Restore .cry_ Files


Paysafe Generator 2016 is the name of a cryptovirus that pretends to be a key generator for Paysafe card codes and to make you money. In fact, it is ransomware, and the irony is that its developers demand payment in Paysafe. Encrypted files get the string .cry_ inserted just between the dot and the name of the original extension. The ransomware claims to use the 256-bit AES encryption algorithm, and its ransom note is written in German.

To see how to remove the ransomware and how you can try restoring your files, read the article.

Threat Summary

Name: Paysafe Generator
Type: Ransomware, Cryptovirus
Short Description: The ransomware pretends to be a Paysafe keycode generator. It encrypts your files and then displays a ransom note, written in German, with payment instructions.
Symptoms: All encrypted files get the interfix .cry_ placed in their extension.
Distribution Method: Spam emails, email attachments
Detection Tool: See If Your System Has Been Affected by Paysafe Generator
User Experience: Join Our Forum to Discuss Paysafe Generator.
Data Recovery Tool: Data Recovery Pro by ParetoLogic. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and on whether or not you have reformatted your drive.

Paysafe Generator Virus – Distribution

The Paysafe Generator ransomware could get inside your personal computer in a couple of ways. The payload file could be spread through spam emails. In most cases, these spam emails carry an attached file and are written to make you believe that their contents are important. If you open the attachment, it releases a malicious script and infects your computer. You can check the detections of one such file on the VirusTotal website from here:

[Image: VirusTotal detection results for a Paysafe Generator payload file]

[Image: the fake Paysafe Generator 2016 program window]

The Paysafe Generator virus could also infect your computer through its payload file being distributed on social media and file-sharing services. It can be advertised as a program that generates Paysafe codes, as seen in the picture. Refrain from opening files that come from suspicious emails, links or unknown sources. Before opening a file, scan it with a security application and check it, including its size and signature. You should also read the tips for preventing ransomware in the thread in the forum.

Paysafe Generator Virus – In Depth

Paysafe Generator 2016 is a virus discovered by the malware researcher Jakub Kroustek from Avast. The virus pretends to be a generator tool for Paysafe codes. Instead, it encrypts your files and inserts .cry_ into the name of their extensions.

When the Paysafe Generator ransomware executes its payload, it could create entries in the Windows Registry. That can make the ransomware harder to remove, and it could spread more of its files to different locations on your personal computer. The registry entries could also make the cryptovirus launch automatically with every boot of the Windows operating system.
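Checking the autorun registry keys mentioned above is something a defender can script. The following Python example is added here and is not code from the article or from the malware; it parses the output layout of Windows' `reg query` over a constructed sample listing (the entry names and paths are hypothetical) and flags Run entries that launch from user-writable locations, which is where a payload that arrived as an email attachment typically lands.

```python
import re
from typing import List, Tuple

# Constructed sample in the layout printed by
# `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
# Entry names and paths are hypothetical, not indicators taken from the malware.
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive      REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    PsGen2016     REG_SZ    "C:\Users\alice\AppData\Roaming\PsGen\generator.exe"
    VMware User   REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    Updater       REG_EXPAND_SZ    %TEMP%\upd.exe /silent
"""

# One value line: leading indent, entry name (may contain single spaces),
# two or more spaces, the value type, then the data.
ENTRY_RE = re.compile(r"^\s{2,}(.+?)\s{2,}(REG_SZ|REG_EXPAND_SZ)\s+(.*)$")

# Path fragments that are writable by an ordinary user; a persistence entry
# pointing here deserves a look, although legitimate per-user installers use them too.
USER_WRITABLE = (
    "\\appdata\\", "%appdata%", "%localappdata%",
    "\\temp\\", "%temp%",
    "\\desktop\\", "\\downloads\\", "\\users\\public\\",
)


def executable_path(value: str) -> str:
    """Extract the program path from a Run value, dropping any arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    # Unquoted: cut after the first token ending in .exe, else at the first space.
    m = re.match(r"(.*?\.exe)(\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value.split()[0]


def suspicious_autoruns(reg_output: str) -> List[Tuple[str, str, List[str]]]:
    """Return (entry name, executable path, reasons) for entries worth reviewing."""
    findings = []
    for line in reg_output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, _kind, value = m.groups()
        path = executable_path(value)
        low = path.lower()
        reasons = []
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("launches from a user-writable location")
        if reasons:
            findings.append((name, path, reasons))
    return findings


if __name__ == "__main__":
    for name, path, reasons in suspicious_autoruns(SAMPLE_RUN_KEY):
        print(f"{name}: {path} ({'; '.join(reasons)})")
```

The heuristic deliberately flags anything started from a user-writable path, so legitimate per-user software such as OneDrive appears in the output alongside the hypothetical generator entry; treat the result as a review list, not a verdict, and confirm each entry by checking the file's publisher signature and hash before deleting it.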

You can see a screenshot of the ransom message down here:

[Image: the Paysafe Generator ransom note in German]

The ransom note is written in the German language. It reads the following:

!WARNUNG!
ALLE wichtigen Dateien und/oder Programme auf ihrem Computer
wurden mit AES-256 verschlüsselt. Das bedeutet Sie
können ihre Dateien und Programme erst wieder
verwenden wenn Sie sich einen 128-Stelligen
Entschlüsslungscode für 100€ kaufen. Nachdem sich dieses
Fenster geschlossen hat, finden Sie auf ihrem Desktop
eine Datei mit dem Namen “Kaufen” oder “Kaufen.exe”.
Geben Sie dort einen gültigen 100€-Paysafecardcode und
ihre Email ein. Paysafecardcodes finded Sie in fast jeder
Tankstelle und/oder Supermärkten. Nach der Verifizierung
des Codes durch uns bekommen Sie per Email den
Entschlüsslungscode zusammen mit weiteren
Instruktionen, um ihre Dateien zu entschlüsseln.

FALLS INNERHALB DER NÄCHSTEN 72 STUNDEN KEINE
ZAHLUNG ERFOLGT WERDEN ALLE DATEN GELÖSCHT.
Drücken Sie jetzt ENTER um auf
Ihren Desktop zurückzukehren.

A rough English translation of the note is shown below:

!WARNING!
ALL important files and/or programs on your computer
were encrypted with AES-256. That means you
can use your files and programs again only when you buy
a 128-digit decryption code for 100 €. After this
window closes, you will find on your desktop
a file named “Buy” or “Buy.exe”.
Enter a valid 100 € Paysafecard code and your email there.
You can find Paysafecard codes in almost every
gas station and/or supermarket. After we verify
the code, you will receive the decryption code
by email along with further
instructions to decrypt your files.

IF NO PAYMENT IS MADE WITHIN THE NEXT 72 HOURS,
ALL DATA WILL BE DELETED.
Press ENTER now to return to
your desktop.

Ironically, you are asked to buy a Paysafe code and pay 100 euros to the cybercriminals. The ransom note threatens to delete all of your files if you don’t pay the crooks in the next 72 hours. However, you should NOT think of paying as that will just support the extortionists. Nobody can give you a guarantee that paying will recover your files to their previous state. Furthermore, the criminals will probably use the money to create new ransomware.

In the following picture, you can see the Buy.exe file loaded, with empty fields where you can enter the Paysafe code and your email address to receive a decryption code:

[Image: the Kaufen.exe dialog with fields for the Paysafe code and email address]

The above image is displayed for informative purposes only.

The Paysafe Generator ransomware encrypts files and inserts .cry_ at the beginning of the extension of every encrypted file. The following list is confirmed to contain file extensions which the virus seeks to encrypt:

→.doc, .docx, .jpg, .mp3, .pdf, .png, .txt, .xls, .xlsx

More file types such as documents, pictures and music are very likely encrypted, too. The Paysafe Generator virus is also very likely to delete the Shadow Volume Copies from the Windows operating system by using the following command:

→vssadmin.exe delete shadows /all /Quiet
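The two facts above, the .cry_ interfix and the shadow-copy deletion, are both things an incident responder can check for programmatically. The following Python example is added here and is not code from the article or from the malware. It recovers the original name of a .cry_ file, triages a constructed directory listing by original extension, and flags the shadow-copy deletion command in a constructed set of process command lines (the kind of data a process-creation log or Sysmon Event ID 1 would supply). All file paths and command lines are made up for the example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

MARKER = ".cry_"  # the interfix this ransomware inserts after the dot

# Constructed directory listing; only the first three names follow the .cry_ pattern.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\report.cry_docx",
    r"C:\Users\alice\Pictures\holiday.cry_jpg",
    r"C:\Users\alice\Music\song.cry_mp3",
    r"C:\Users\alice\Desktop\Kaufen.exe",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Users\alice\Documents\readme.txt",
]

# Constructed process command lines; the second one is the command quoted in the article.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\vssadmin.exe list shadows",
    r"vssadmin.exe delete shadows /all /Quiet",
    r"C:\Windows\System32\cmd.exe /c dir",
]


def is_cry_name(filename: str) -> bool:
    """True if the last extension starts with .cry_ and keeps an original extension after it."""
    suffix = PureWindowsPath(filename).suffix  # e.g. ".cry_docx"
    return suffix.lower().startswith(MARKER) and len(suffix) > len(MARKER)


def original_name(filename: str) -> str:
    """Strip the interfix: report.cry_docx -> report.docx (unchanged if not a .cry_ name)."""
    if not is_cry_name(filename):
        return filename
    p = PureWindowsPath(filename)
    return str(p.with_suffix("." + p.suffix[len(MARKER):]))


def triage(paths: List[str]) -> Tuple[List[str], Dict[str, int]]:
    """Return the encrypted files and a count of them per original extension."""
    hits = [p for p in paths if is_cry_name(p)]
    by_ext = Counter(PureWindowsPath(original_name(p)).suffix.lower() for p in hits)
    return hits, dict(by_ext)


# Matches "vssadmin[.exe] ... delete ... shadows" regardless of case or extra switches;
# listing shadows with "vssadmin list shadows" does not match.
VSS_DELETE_RE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)


def flag_shadow_deletion(command_lines: List[str]) -> List[str]:
    """Return the command lines that delete Volume Shadow Copies."""
    return [c for c in command_lines if VSS_DELETE_RE.search(c)]


if __name__ == "__main__":
    hits, by_ext = triage(SAMPLE_FILES)
    for h in hits:
        print(f"{h} -> {original_name(h)}")
    print("encrypted files per original extension:", by_ext)
    print("shadow copy deletion seen:", flag_shadow_deletion(SAMPLE_COMMAND_LINES))
```

Renaming a file back to its original extension does not decrypt it; `original_name` only tells you which backup to look for. Alerting on the `vssadmin delete shadows` pattern is worthwhile because it is rarely run by ordinary users and, when it fires, the shadow copies are already gone, so the value lies in stopping the process and isolating the host quickly.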

Continue reading to see what kind of methods you can try for restoring some of your files.

Remove Paysafe Generator and Restore .cry_ Files

If your computer got infected with the Paysafe Generator ransomware, you should have some experience in removing malware. Get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. Remove the ransomware by following the step-by-step guide given below. To see ways in which you can try to recover your data, see the step titled 2. Restore files encrypted by Paysafe Generator.

Manually delete Paysafe Generator from your computer

Note! Important notice about the Paysafe Generator threat: manual removal of Paysafe Generator requires interfering with system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Paysafe Generator files and objects
2. Find malicious files created by Paysafe Generator on your PC

Automatically remove Paysafe Generator by downloading an advanced anti-malware program

1. Remove Paysafe Generator with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Paysafe Generator
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
