.Payday Files Virus – How to Remove It from Your PC (January 2018)

This article has been created to help you by showing how to remove PayDay ransomware and how to restore files encrypted with the .[keyforyou@tuta.io].-id-{uniqueID}.payday extension.

A new iteration of BTCWare ransomware has been reported to wreak havoc, encrypting victims’ files. If the malware infects your computer, it aims to encrypt the files on it and to add the file extension .payday after their original one. Only then does the .payday files virus drop a ransom note, which demands that victims contact keyforyou@tuta.io in order to get their keys. In the event that your computer has been infected by the .payday ransomware virus, it is strongly advisable to read this article and learn how to remove the PayDay ransomware infection and try to restore your files without having to pay a ransom “fee” to the cyber-criminals who encrypted your data.

Threat Summary

Name: PayDay BTCWare Virus
Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt the files on your computer system, after which it demands that you contact the cyber-criminals via e-mail to negotiate a ransom payoff for the files.
Symptoms: The files on the computer can no longer be opened and have the .payday file extension. A ransom note, named !! RETURN FILES !!.txt, appears on the victim’s computer.
Distribution Method: Spam Emails, Email Attachments, Executable files
Detection Tool: See If Your System Has Been Affected by PayDay BTCWare Virus (Malware Removal Tool)
User Experience: Join Our Forum to Discuss PayDay BTCWare Virus.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

PayDay Ransomware – Update January 2018

The ransomware has a new variant, or rather a new extension, namely .Wallet. For now it is unknown whether this so-called .Wallet Files Virus is trying to imitate the Dharma ransomware, which used that same extension in the past. Whatever the case, both ransomware threats are active and will encrypt your files if your computer gets infected with either of them. The new e-mail address for contacting the cybercriminals behind the BTCWare virus variants is now arkana@tuta.io. Stay sharp, as the malware continues to emerge with new versions, extensions and spam e-mail campaigns.

How Does PayDay Ransomware Spread

In order to be replicated onto the computers of victims, PayDay ransomware uses different techniques to remain unnoticed. One of those is malware obfuscation, which conceals the virus infection file from protection software. The malicious files spreading PayDay ransomware may arrive in different forms, such as attachments to spam e-mail messages sent to victims. Such spam e-mails may contain deceitful messages whose end goal is to convince victims to open the attachments, for example:

In addition to this, PayDay ransomware may also be delivered with the malicious file disguised as a fake setup, a game patch or a license activator.

PayDay Ransomware – More Information

As soon as infection with PayDay ransomware takes place, the virus acts in the same way as other BTCWare ransomware variants, meaning that it drops multiple malicious files on your computer, which may be located in some of the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

Among the dropped files is the ransomware’s note file, named !! RETURN FILES !!.txt, and it has the following message to victims:

all your files have been encrypted
want return files?
write on email: keyforyou@tuta.io

In addition to dropping the ransom note, the .payday files ransomware may also obtain administrative permissions. These are used to add value strings with custom data to the Windows Registry. The primarily targeted registry key is reported to be as follows:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In addition to this, PayDay ransomware also deletes the shadow volume copies on your computer by executing commands as an administrator in the Windows Command Prompt. The commands are as follows:

→ process call create "cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
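The commands quoted above are the most reliable thing a defender can alert on, because legitimate software almost never deletes all shadow copies and disables boot recovery in the same session. The following is an added example, not code from the original article: Python detection logic run over a few constructed process-creation records. The log layout (an `Image=... CommandLine=...` line per process, loosely modelled on Sysmon's Event ID 1 fields) and the rule names are assumptions of this example; the patterns themselves are derived only from the four command lines shown above.

```python
import re

# Constructed sample process-creation records (not real captured logs).
# Field layout is a simplified stand-in for Sysmon Event ID 1 Image/CommandLine.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\svchost.exe CommandLine=svchost.exe -k netsvcs
Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet"
Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c bcdedit.exe /set {default} recoveryenabled no
Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin.exe list shadows
"""

# Detection rules derived from the command lines quoted in the article.
# "vssadmin list shadows" (read-only) is deliberately NOT matched.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)),
    ("recovery_disabled",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.IGNORECASE)),
    ("bootstatus_ignored",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.IGNORECASE)),
    ("wmic_spawns_cmd",
     re.compile(r"process\s+call\s+create\s+\"?cmd(?:\.exe)?\s+/c", re.IGNORECASE)),
]

RECORD_RE = re.compile(r"^Image=(?P<image>\S+)\s+CommandLine=(?P<cmd>.*)$")


def parse_record(line):
    """Split one record into its image path and command line; None if malformed."""
    m = RECORD_RE.match(line)
    if m is None:
        return None
    return {"image": m.group("image"), "command_line": m.group("cmd")}


def evaluate(log_text):
    """Run every rule over every record; return one finding per (record, rule) hit."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_record(line)
        if rec is None:
            continue
        for rule_name, pattern in RULES:
            if pattern.search(rec["command_line"]):
                findings.append({"line": lineno, "rule": rule_name,
                                 "image": rec["image"],
                                 "command_line": rec["command_line"]})
    return findings


def verdict(findings):
    """Shadow-copy deletion combined with boot-recovery tampering is the pattern
    the article describes, so that combination is rated higher than either alone."""
    rules = {f["rule"] for f in findings}
    if "shadow_copy_deletion" in rules and rules & {"recovery_disabled", "bootstatus_ignored"}:
        return "high"
    if rules:
        return "medium"
    return "none"


if __name__ == "__main__":
    hits = evaluate(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit['line']}: {hit['rule']} <- {hit['command_line']}")
    print("verdict:", verdict(hits))
```

The rules are anchored on the command arguments rather than the image path, so the same pattern fires whether the command is typed into cmd.exe directly or wrapped in `wmic process call create` as shown above.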

PayDay Ransomware – Encryption

The encryption process of PayDay ransomware is performed using the AES encryption algorithm, also known as the Advanced Encryption Standard. The files which PayDay ransomware attacks may have the following file extensions:

→ .1c, .3fr, .accdb, .ai, .arw, .bac, .bay, .bmp, .cdr, .cer, .cfg, .config, .cr2, .crt, .crw, .css, .csv, .db, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .gif, .htm, .html, .indd, .iso, .jpe, .jpeg, .jpg, .kdc, .lnk, .mdb, .mdf, .mef, .mk, .mp3, .mp4, .mrw, .nef, .nrw, .odb, .ode, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pdf, .pef, .pem, .pfx, .php, .png, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .rar, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .srw, .tif, .wb2, .wma, .wpd, .wps, .x3f, .xlk, .xls, .xlsb, .xlsm, .xlsx, .zip
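Because the original name survives inside the renamed file, the first step of incident triage is an inventory rather than decryption: which files were touched, which original types they were, which contact address and victim id the attacker embedded, and where the ransom note sits. The following is an added example, not code from the original article: a Python script that walks a directory tree and parses the suffix form `<original>.[<email>].-id-<id>.payday` described earlier in this article, also accepting a plain `.payday` suffix and the `.wallet` extension from the January 2018 update. The sample directory it builds is constructed, and the targeted-type set is a subset of the extension list above; both are this example's assumptions. It only reads file names and never modifies or decrypts anything.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions the article reports this family appending (".wallet" from the update).
RANSOM_EXTENSIONS = ("payday", "wallet")

# Ransom note file name reported in the article.
RANSOM_NOTE_NAME = "!! RETURN FILES !!.txt"

# Subset of the targeted file types listed in the article (extend as needed).
TARGETED_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg",
                       ".png", ".zip", ".sql", ".db", ".psd", ".rar"}

# Suffix form from the article: <original>.[<email>].-id-<id>.payday
# The bracketed e-mail/id part is optional so "<original>.payday" still matches.
SUFFIX_RE = re.compile(
    r"^(?P<original>.+?)"
    r"(?:\.\[(?P<email>[^\]]+)\]\.-id-(?P<victim_id>[^.]+))?"
    r"\.(?P<ext>" + "|".join(RANSOM_EXTENSIONS) + r")$",
    re.IGNORECASE,
)


def classify_file(name):
    """Parse a file name; return its indicators if it carries the ransom suffix, else None."""
    m = SUFFIX_RE.match(name)
    if m is None:
        return None
    original = m.group("original")
    original_ext = Path(original).suffix.lower()
    return {
        "name": name,
        "original_name": original,
        "original_ext": original_ext,
        "targeted_type": original_ext in TARGETED_EXTENSIONS,
        "contact_email": m.group("email"),
        "victim_id": m.group("victim_id"),
        "ransom_ext": m.group("ext").lower(),
    }


def scan_tree(root):
    """Walk a directory tree; return (encrypted_file_records, ransom_note_paths)."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if fname == RANSOM_NOTE_NAME:
                notes.append(full)
                continue
            info = classify_file(fname)
            if info is not None:
                info["path"] = full
                encrypted.append(info)
    return encrypted, notes


def summarize(root):
    """Aggregate the scan into the facts a responder records first."""
    encrypted, notes = scan_tree(root)
    return {
        "encrypted_count": len(encrypted),
        "ransom_notes": len(notes),
        "contact_emails": sorted({e["contact_email"] for e in encrypted if e["contact_email"]}),
        "victim_ids": sorted({e["victim_id"] for e in encrypted if e["victim_id"]}),
        "ransom_extensions": sorted({e["ransom_ext"] for e in encrypted}),
    }


def build_demo_tree():
    """Create a constructed sample tree of empty placeholder files; return its root."""
    root = tempfile.mkdtemp(prefix="payday_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    samples = [
        "report.docx.[keyforyou@tuta.io].-id-A1B2C3.payday",
        "photo.jpg.payday",
        "ledger.xlsx.[arkana@tuta.io].-id-D4E5F6.wallet",
        "readme.txt",  # untouched file, must not be flagged
        RANSOM_NOTE_NAME,
    ]
    for name in samples:
        with open(os.path.join(docs, name), "w") as fh:
            fh.write("")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for record in scan_tree(demo_root)[0]:
        print(record["path"], "->", record["original_name"], record["contact_email"])
    print(summarize(demo_root))
```

The lazy `.+?` in `SUFFIX_RE` lets the regex back off until the optional bracketed part lines up, so a file whose original name itself contains dots (`report.docx`) is split correctly.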

After encryption, the files assume the .payday file extension and may look like the following:

Remove PayDay Virus and Restore .payday Encrypted Files

In order to remove this infection from your computer, it is strongly advisable to follow the removal instructions below. They are divided into manual and automatic removal guides. For maximum effectiveness, security experts always recommend removing ransomware viruses like PayDay automatically, using ransomware-specific removal software.

If you want to restore files that have been encrypted by this ransomware virus on your computer, it is strongly recommended to try the methods from step “2. Restore files encrypted by PayDay ransomware”. They are specifically designed to help you recover as many files as possible without paying the ransom money for direct decryption, which is not guaranteed anyway.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
