Remove Invisible Empire Ransomware and Restore .payransom Files - How to, Technology and PC Security Forum |

Remove Invisible Empire Ransomware and Restore .payransom Files


The Jigsaw ransomware is back again with a fresh variant. The theme of this variant is the Invisible Empire art exhibit made by Juha Arvid Helminen. The ransomware is called Invisible Empire and named after the exhibition. This crypto-virus encrypts files with more than 120 extensions as its past variants, adding a .payransom extension. To know how to restore your files and remove the ransomware, you should read the article in full.

Threat Summary

NameInvisible Empire
Short DescriptionThe ransomware encrypts files by adding a .payransom extension and asks a ransom for decryption.
SymptomsFiles with more than 120 different extensions are encrypted. A Invisible Empire themed lock screen with instructions for paying is displayed. Every hour files are erased if the ransom money is not paid.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks
Detection Tool See If Your System Has Been Affected by Invisible Empire


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Invisible Empire.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Invisible Empire Ransomware – How Does It Spread?

Multiple ways exist that spread the Invisible Empire ransomware. You might get infected with it through spam e-mails containing an attachment with a malicious code inside. If such an attachment is opened, the malware could be injected inside your machine. The file probably has a name like firefox.exe or of something popular and useful so it can trick you.

Previous variants of the now called Invisible Empire ransomware were spread via social media networks and file-sharing systems as well. DropBox is still not an excluded way of distribution – it might be still in play. You should avoid all suspicious files, websites, and links as they could very well be just another method of infecting you with the malware.

Invisible Empire Ransomware – Technical Description

The Invisible Empire crypto-virus is also classified as ransomware. It will encrypt all your files, and they will become simply unusable. The virus demands BitCoins as payment for the ransom. If you do not meet the required criteria, your files will be deleted on an hourly basis. The ransomware is a clone of other ransomware. Its previous variants are the Jigsaw ransomware and CryptoHitman ransomware. Nor the Hitman character nor the ‘Saw’ puppet is used as a theme for the ransomware – this time, it is a popular art exhibit.

In the directories %AppData%\Systmd\, %LocalAppData%\Wrkms\ and %AppData%\System32Work, the files that will be created are:

  • systmd.exe
  • wrkms.exe
  • Address.txt
  • EncryptedFileList.txt

The Windows Registry is modified, too. This added registry value is:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wrkms.exe %UserProfile%\AppData\Roaming\Wrkms\wrkms.exe

The registry value, which is set makes the file wrkms.exe to automatically start. Every loading of the Windows Operating System will launch the file executing the Invisible Empire ransomware.

What follows is, that the ransomware will display a lock screen themed after an art exhibit of the same name done by Juha Arvid Helminen. The theme of the exhibition is to show how law enforcement officers can hide behind their uniforms and commit crimes. The ransomware bears the name of this exhibit and to be more precise – Invisible Empire.

The instructions for payment are slowly being written live on the lock screen as if somebody is typing them out at precisely that time:


You are demanded to pay 150 US dollars, in BitCoins, within the hour. If you do not comply, the ransomware claims that with each passing hour, encrypted files will get removed from your drives and eventually you will lose all of your files. The sum doubles if you don’t pay within 24 hours and triples if the payment is not complete in 48 hours.

The message that is being typed out at the lock screen is:

Your files have been encrypted.
You must pay $150 USD in Bitcoins to the address specified below.
Depending on the amount of files you have your Ransom can double to $300 USD after 24 hours
of non payment and triple to $450 USD after 48 hours of nonpayment.
Your payment amount will be shown below.
We will delete files every hour until you pay!
If you do not have Bitcoins visit to purchase them.
Your payment BTC Address is below. Files are decrypted instantly after payment.
Everytime you restart your computer it recrypts everything. It will take a while
for you to see the this screen again. Copy the BTC address and email it to yourself.
If you copy it on your computer the file will be crypted when you restart the computer.
Every time you restart the computer you run the risk of damaging the hard drive.
Files are decrypted instantly after payment is received.

3 files will be deleted. 3 archivos seran borrados.

Send – Envie $150 worth of Bitcoins here – de Bitcoins aqui:

As a side note in the lock screen, the following text is written:

To purchase if you dont have any.
Send the coins to the address specified.

To pay the ransom of the Invisible Empire ransomware goes unadvised. You cannot have any guarantee from anybody that you will get your files back and if they will work. Spending money to support cyber criminals can only fuel them with inspiration and capital to commit more crimes or enhance the ransomware they have. Take note, that at the end of this article, some restoration methods are described, and you can also read about a decryptor.

The Invisible Empire ransomware searches to encrypt files on all types of storage devices – HDDs, SSDs, external or internal. This variant again will search for files with more than 120 extensions. The known list is this:

→ .3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .jpeg, .jpg, .js, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .raw, .rb, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java

The AES algorithm is still used for the encryption process of this Jigsaw ransomware clone. This variant of the ransomware puts .payransom as the extension of the encrypted files. If you restart your machine, there is a possibility that nearly 1,000 out of all encrypted files might get wiped from your disc drives.

As the core of the ransomware hasn’t changed, there is still a solution to restore your files. In case you already restarted your computer after the encryption process was complete and lost some files – don’t worry. Data Recovery tools can help you recover part of the files.

Remove Invisible Empire Ransomware and Restore .payransom Encrypted Files

If Invisible Empire ransomware infected your computer, don’t you worry, because a solution for free decryption of the files exists. If you got infected by the ransomware, you should have at least a little experience in removing viruses. See the instructions written down below to see how to recover your files.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share