.Payday Files Virus – How to Remove It from Your PC (January 2018)


This article has been created to help you by showing how to remove PayDay ransomware and how to restore files encrypted with the .[[email protected]].-id-{uniqueID}.payday extension.

A new iteration of BTCWare ransomware has been reported to wreak havoc by encrypting victims’ files. Once it infects a computer, the malware encrypts the files on it and appends the .payday extension after their original one. Only then does the .payday files virus drop a ransom note, which demands that victims contact [email protected] in order to get their keys. If your computer has been infected by the .payday ransomware virus, it is strongly advisable to read this article and learn how to remove the PayDay ransomware infection and try to restore your files without paying a ransom “fee” to the cyber-criminals who encrypted your data.

Threat Summary

Name: PayDay BTCWare Virus
Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt the files on your computer system, after which it demands that you contact the cyber-criminals via e-mail to negotiate a ransom payoff for the files.
Symptoms: The files on the computer can no longer be opened and have the .payday file extension. A ransom note, named !! RETURN FILES !!.txt, appears on the victim’s computer.
Distribution Method: Spam Emails, Email Attachments, Executable files
Detection Tool: See If Your System Has Been Affected by PayDay BTCWare Virus (Download Malware Removal Tool)
User Experience: Join Our Forum to Discuss PayDay BTCWare Virus.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

PayDay Ransomware – Update January 2018

The ransomware has a new variant, or rather a new extension, namely .Wallet. For now it is unknown whether this so-called .Wallet Files Virus is trying to imitate the Dharma ransomware, which used that same extension in the past. Whatever the case, both ransomware threats are active and will encrypt your files if your computer gets infected with either of them. The new e-mail address for contacting the cybercriminals behind the BTCWare virus variants is now [email protected]. Stay sharp, as the malware continues to emerge with new versions, extensions and spam e-mail campaigns.

How Does PayDay Ransomware Spread

To reach victims’ computers while remaining unnoticed, PayDay ransomware relies on several techniques. One of them is malware obfuscation, which conceals the infection file from protection software. The malicious files spreading PayDay ransomware may arrive in different forms, typically as attachments to spam e-mail messages sent to victims. Such spam e-mails contain deceptive messages whose end goal is to convince victims to open the attachments.

In addition to this, PayDay ransomware may also be distributed by disguising the malicious file as a fake setup, game patch or license activator.

PayDay Ransomware – More Information

As soon as infection with PayDay ransomware takes place, the virus acts in the same way as other BTCWare ransomware variants, meaning that it drops multiple different malicious files on your computer which may be located in some of the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

Among the dropped files is the ransomware’s note, named !! RETURN FILES !!.txt, which shows the following message to victims:

all your files have been encrypted
want return files?
write on email: [email protected]

In addition to dropping the ransom note, the .payday files ransomware may also obtain administrative permissions. These are used to add value strings with custom data to the Windows Registry so that the malware runs on every start-up. The primarily targeted registry keys are reported to be the following:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

In addition to this, PayDay ransomware also deletes the shadow volume copies on your computer and disables Windows recovery by executing commands as an administrator via the Windows Command Prompt. The commands are as follows:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
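As an added illustration (not part of the original article or of any vendor tool), the following Python script shows how a defender could flag the recovery-tampering commands listed above in process-creation logs and recognise the encrypted-file naming pattern described earlier in the article. The log format, the log lines and the e-mail address in the sample file name are constructed for this example.

```python
import re

# Command-line fragments the article lists for shadow-copy deletion and
# recovery tampering; matched case-insensitively against process-creation events.
RECOVERY_TAMPER_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "boot_failures_ignored": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
}

# Encrypted-file naming described in the article: original name, then
# ".[<email>].-id-<uniqueID>.payday".
PAYDAY_NAME = re.compile(r"\.\[[^\]\s]+@[^\]\s]+\]\.-id-[A-Za-z0-9]+\.payday$", re.I)


def classify_command(cmdline):
    """Return the tamper categories a single command line matches (in table order)."""
    return [name for name, rx in RECOVERY_TAMPER_PATTERNS.items() if rx.search(cmdline)]


def scan_process_log(lines):
    """Parse constructed 'timestamp|pid|user|cmdline' records and return alerts."""
    alerts = []
    for line in lines:
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # skip malformed records instead of aborting the scan
        ts, pid, user, cmdline = parts
        hits = classify_command(cmdline)
        if hits:
            alerts.append({"time": ts, "pid": int(pid), "user": user, "hits": hits})
    return alerts


def is_payday_encrypted_name(filename):
    """True if the file name follows the .[email].-id-<id>.payday pattern."""
    return PAYDAY_NAME.search(filename) is not None


# Constructed sample log: three tampering commands, one benign process, one bad record.
SAMPLE_LOG = [
    "2018-01-10T09:12:01|4120|WS01\\alice|\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin.exe delete shadows /all /quiet",
    "2018-01-10T09:12:02|4124|WS01\\alice|bcdedit.exe /set {default} recoveryenabled no",
    "2018-01-10T09:12:02|4126|WS01\\alice|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    "2018-01-10T09:15:44|4301|WS01\\alice|notepad.exe C:\\Users\\alice\\Documents\\notes.txt",
    "garbage line without separators",
]

if __name__ == "__main__":
    for alert in scan_process_log(SAMPLE_LOG):
        print(alert)
    # constructed file name; the e-mail address is a placeholder
    print(is_payday_encrypted_name("report.docx.[attacker@example.com].-id-A1B2C3.payday"))
```

Three alerts in quick succession from the same user, as in the sample, are a strong signal to isolate the host before encryption completes.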

PayDay Ransomware – Encryption

The encryption process of PayDay ransomware is performed using the AES encryption algorithm, also known as the Advanced Encryption Standard. The files which PayDay ransomware attacks may have the following file extensions:

→ .1c, .3fr, .accdb, .ai, .arw, .bac, .bay, .bmp, .cdr, .cer, .cfg, .config, .cr2, .crt, .crw, .css, .csv, .db, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .gif, .htm, .html, .indd, .iso, .jpe, .jpeg, .jpg, .kdc, .lnk, .mdb, .mdf, .mef, .mk, .mp3, .mp4, .mrw, .nef, .nrw, .odb, .ode, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pdf, .pef, .pem, .pfx, .php, .png, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .rar, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .srw, .tif, .wb2, .wma, .wpd, .wps, .x3f, .xlk, .xls, .xlsb, .xlsm, .xlsx, .zip

After encryption, the files carry the .payday file extension appended to their original name.

Remove PayDay Virus and Restore .payday Encrypted Files

In order to remove this infection from your computer, it is strongly advisable to follow the removal instructions below. They are divided into manual and automatic removal instructions. For maximum effectiveness, security experts recommend removing ransomware such as PayDay automatically, using ransomware-specific removal software.

If you want to restore files that have been encrypted by this ransomware on your computer, it is strongly recommended to try the methods from step “2. Restore files encrypted by PayDay ransomware”. They are specifically designed to help you recover as many files as possible without paying the ransom for direct decryption, which is not guaranteed.


To remove PayDay BTCWare Virus follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove PayDay BTCWare Virus files and objects
2. Find files created by PayDay BTCWare Virus on your PC
3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by PayDay BTCWare Virus

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
