The Jigsaw ransomware makes its appearance yet again. This time, it is called Payms. The crypto-virus encrypts more than 120 file extensions like previous variants, adding a .payms extension or a variation of it. Unfortunately, the Jigsaw ransomware is sold on the Dark Web for less money than what is asked as a ransom payment per victim. To know how to restore your files and remove this ransomware variant, you should read the article carefully.
| Item | Details |
|---|---|
| Short Description | The ransomware encrypts files by adding a .payms extension and asks a ransom for decryption. |
| Symptoms | Files with more than 120 various extensions are encrypted. Every hour files get erased if the ransom is not paid. |
| Distribution Method | Spam e-mails, e-mail attachments, file-sharing networks |
| Detection Tool | See If Your System Has Been Affected by Payms Ransomware (Malware Removal Tool) |
| User Experience | Join Our Forum to Discuss Payms Ransomware. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files, and it may not recover 100% of the encrypted files, only some of them, depending on the situation and on whether or not you have reformatted the drive. |
Payms Ransomware – Distribution
Payms ransomware can be distributed in a couple of ways. Your computer could get infected with the crypto-virus through spam e-mails which carry an attachment with malicious code inside. If the attachment is opened, malware might be injected into your computer system. The file possibly has a name such as firefox.exe or something similar, in an attempt to trick you.
Past variants of the presently named Payms ransomware were delivered through social media sites and some file-sharing systems, too. DropBox could still be a way of distribution, as the original variant of the ransomware used that as well. Avoiding all suspicious files, links, and websites is highly recommended, as there you might find malware such as this one.
Payms Ransomware – Technical Description
The Payms crypto-virus is classified as ransomware. All of your files will be encrypted and become unusable. The malware demands BitCoins as the payment method for the ransom. If you do not meet certain criteria, your files will get deleted on an hourly basis, and the ransom price will increase. No real theme is used for this ransomware (past variants used themes), only plain text.
In the %AppData% and %LocalAppData% directories, files may be created to assist the ransomware with its operations.
The Windows Registry may undergo modifications as well. The following registry value is added:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run [random name].exe %UserProfile%\AppData\Roaming\[directory to that exe]
The value set in the Run key will automatically load a specific executable related to the ransomware. Every start of the Windows operating system will load the file which executes the Payms ransomware.
The next action of the ransomware will be to show a lock screen which is solely text with payment instructions.
Here is how the lock screen looks:
The ransomware demands a payment of 150 US dollars within the first 24 hours, paid in BitCoins. If you do not pay, the ransomware will delete some of your files with each hour that passes, and the ransom price will increase to 225 US dollars. There is no information about the sum getting bigger after that.
The message which is shown with the lock screen is:
Your files are encrypted you must pay $150 USD ($225 USD after 24 hrs) in Bitcoins to unlock them. Send Bitcoins to the address specified. If you need help, you can talk to us via the chat page. There is a file on your desktop named Payment_Instructions with the same information.
Sus archivos estan encriptados tiene que pagar $ 150 USD ($ 225 USD despues de 24 horas) en Bitcoins para desbloquearlos. Envia los Bitcoins a la direccion indicada. Si necesita ayuda puede hablar con nosotros a traves de la pagina de chat. Hay un archivo en el escritorio llamado Payment_Instructions con la misma informacion.
Visit the chat / Visita el chat: http://783629.6para(.)líquido
COMPUTER IS LOCKED. IF YOU TRY TO TAMPER WITH THIS PROGRAM ALL YOUR FILES WILL BE DELETED.
COMPUTADORA ESTA BLOQUEADA. SI INTENTA MANIULAR ESTE PROGRAMA TODOS LOS ARCHIVOS SERAN ELIMINADOS.
1. Go to www.LocalBitcoins(.)com, Register and purchase Bitcoins.
2. Copy the Bitcoins address on the left and send the coins to that address from your localbitcoins profile.
3. Click below that you paid.
4. Our system will recognize the payment and unblock all your files instantly and delete itself.
1. Ir a www.LocalBitcoins(.)com, registrar y comprar bitcoins.
2. Copie la direccion de Bitcoins en la izquierda y enviar las monedas a esa direccion desde su perfil en localbitcoins.
3. Haga clic que ha pagado.
4. Nuestro sistema reconocera el pago, desbloqueara todos los archivos al instante y se borrara el mismo.
If you go to the chat page (currently redirecting to other pages) you will see part of the payment instructions there as well:
Paying the ransom asked by the Payms ransomware is highly inadvisable. You cannot receive any guarantee from anyone that you will get your files back and that they will work properly as before. Giving money to the cyber criminals will support them in committing other crimes or improving the ransomware. Be aware that at the end of the article you can find restoration methods described. A decryptor is also available thanks to the malware researcher Michael Gillespie.
The Payms ransomware searches for files to encrypt on all kinds of storage devices – HDDs, SSDs, internal and external. This variant will also search for files with more than 120 extensions. The file list is the following:
→ .3dm, .3g2, .3gp, .afa, .accdb, .aep, .aepx, .aet, .para, .fia, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .jpeg, .jpg, .js, .rtf, .sdf, .sua, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .rpm, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .fora, .raw, .rb, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .que, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .sse, .inh, .indd, .território, .entrada, .inx, .jar, .java
The AES algorithm is still the one used for the encryption process of this variant of the Jigsaw ransomware. The ransomware sets .payms as the extension of all encrypted files. The .paymst and .pays extensions could be used in other versions. If you restart your PC, there is a chance that you can lose about 1,000 of your encrypted files.
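An added triage example (my code, not from the article or any tool it mentions): it flags HKCU Run values that launch an .exe from the roaming AppData tree, the persistence shape described in the registry section above, and lists files carrying the .payms, .paymst or .pays extensions named here. The regular expression, the function names and the sample Run entries and file paths are assumptions constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Encrypted-file extensions named on this page for the Payms/Jigsaw variant.
PAYMS_EXTENSIONS = {".payms", ".paymst", ".pays"}

# The article describes the persistence entry as a Run value whose data points
# at an .exe under %UserProfile%\AppData\Roaming\... ; this pattern matches
# that shape (assumption: either the %UserProfile% form or an expanded path).
RUN_DATA_PATTERN = re.compile(
    r"^(?:%userprofile%|[a-z]:\\users\\[^\\]+)\\appdata\\roaming\\.*\.exe$",
    re.IGNORECASE,
)


def suspicious_run_values(run_values):
    """Return (name, data) pairs of Run entries launching an .exe from roaming AppData."""
    return [(name, data) for name, data in run_values.items()
            if RUN_DATA_PATTERN.match(data.strip().strip('"'))]


def encrypted_files(paths):
    """Return the paths whose final extension is one of the Payms extensions."""
    return [p for p in paths if PureWindowsPath(p).suffix.lower() in PAYMS_EXTENSIONS]


def triage(run_values, paths):
    """Combine both checks into one verdict together with the evidence behind it."""
    runs = suspicious_run_values(run_values)
    files = encrypted_files(paths)
    return {"likely_payms": bool(runs) and bool(files),
            "run_entries": runs, "encrypted": files}


# Constructed sample data (not taken from a real infection): one benign Run
# entry, one matching the article's pattern, and a mixed directory listing.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "zx9k1f.exe": r"%UserProfile%\AppData\Roaming\Frfx\firefox.exe",
}
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\report.docx.payms",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Desktop\Payment_Instructions.txt",
    r"D:\backup\notes.txt.pays",
]

if __name__ == "__main__":
    print(triage(SAMPLE_RUN, SAMPLE_FILES))
```

On a live Windows host the Run values can be read with the standard-library winreg module and passed to triage(); the constructed sample data stands in for that here.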
The core of the ransomware is still the same. Thus the solution to restore your files is still available. In case you have restarted your computer after being infected and lost some of your files – don’t worry. Data Recovery software can aid you to recover some of the files.
Remove Payms Ransomware and Restore .payms, .pays, .paymst Files
If the Payms ransomware has infected your system, do not be worried, because a solution is available to decrypt your files for free. If you have been infected by this ransomware, you should have a little experience in removing viruses. Check the instructions written below to see how you can recover your files.