Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove PadCrypt 2.0 Ransomware and Restore the Encrypted Files

A new version of the recently appeared PadCrypt ransomware, resembling Cryptolocker includes several new features which are seen for the first time when ransomware infections are present. The ransomware is believed to use an encryption algorithm of “Suite.B” encryption standard which is a military grade encryption. However, all users who are affected by the ransomware should remove this malware immediately and seek for alternative methods to restore the data on their device.

NamePadCrypt 2.0
TypeRansomware
Short DescriptionEncrypts the user’s files with a military grade encryption.
SymptomsThe user may witness a read me file to appear on his desktop along with a program and instructions on how to pay 0.8 BTC to decryt his data.
Distribution MethodVia .exe masked as a .pdf file uploaded as an email attachment in spam messages.
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by PadCrypt 2.0
User Experience Join our forum to discuss PadCrypt 2.0.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

PadCrypt-ransom-message-sensorstechforum

PadCrypt 2.0 Ransomware – Distribution

In order to be spread onto user PCs the infectors of this malicious threat use massive spam campaigns spreading an infected PDF file that may be named as follows:

  • {random characters}.pdf.exe

The file may be programmed to download its malicious payload onto the user’s computer. The payload is reported to consist of a package file and an uninstaller, a feature that has not been seen in ransomware infections before. The hosts from which those modules are downloaded are believed to be the following:

  • annaflowersweb(.)com
  • subzone3(.)2fh(.)co
  • cloudnet(.)online

PadCrypt 2.0 Ransowmware In Detail

Unlike any other ransomware infection this one includes new features that additionally try to make the user pay the ransom. According to malware researchers, once it has infected the user, PadCrypt may drop its payload in the following locations:

In the user’s Desktop:

  • IMPORTANT READ ME.txt

In the AppData\PadCrypt folder:

  • File Decrypt Help.html
  • PadCrypt.exe
  • package.exe
  • unistl.exe
  • Wallpaper.bmp

In addition to that, PadCrypt 2.0 begins to create or modify registry entries for the payload of the ransomware:

In the key HKEY_CURRENT_USER:

  • SOFTWARE\Microsoft\Windows\CurrentVersion\Run “PadCrypt” = “%AppData%\PadCrypt\PadCrypt.exe”
  • Control Panel\Desktop “Wallpaper” = “%AppData%\PadCrypt\Wallpaper.bmp”
  • Control Panel\Desktop “WallpaperStyle” = 1
  • Control Panel\Desktop “TileWallpaper” = 0

After successfully landing on the user’s PC via the obfuscated payload dropper, the malware begins to encrypt user files. It targets ALL file extensions in the most widely used Windows folders, for example:

  • Desktop
  • Downloads
  • Documents
  • Pictures
  • Users

After doing this, the ransomware may also directly scan the local drives and encrypt any file that is not essential to the successful running of Windows. This means third-party programs and all other files that are detected.

In addition to those, PadCrypt executes a command with administrative privileges via one of its payload modules to delete the shadow volume copies of the infected computer:

→ vssadmin delete shadows /for=z: /all /quiet

The malware also drops a .txt file on the user’s desktop that may be named “IMPORTANT READ ME.txt” and could state the following ransom instructions:

PadCrypt 2.0 Ransom Instructions

This ransomware also has several extras that we were amazed to discover. First, it has a live chat option where you can directly connect and communicate to the cyber criminals for a better “customer service”. Furthermore, it also features a decryptor based on a CMD prompt. What is more, the ransomware claims to decrypt the user files after 6 months, however, it is important to know that this may be a scare tactic and it is advisable not to rely on it.

Remove PadCrypt 2.0 Ransomware and Restore Your Data

What we found extremely comfortable for this ransomware is that it even has an uninstaller that allows the user to remove the malware. However, we advise not to rely on that and to use and advanced anti-malware software to delete all malicious objects including concealed files that may still be on your computer.

Regarding the file restoration, before attempting any payments (~1 BTC which is a lot), it is advisable to try to use the methods below to restore your files. In case they do not work you may not have another choice but either to wait half a year or to hope that a relevant decryptor that discovers weaknesses in PadCrypt 2.0 comes out. Either way, we advise you not to pay the ransom, because you fund the cyber-criminal organization behind it to invest further in their malicious projects and also they may falsely promise to decrypt your files.

1. Boot Your PC In Safe Mode to isolate and remove PadCrypt 2.0
2. Remove PadCrypt 2.0 with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by PadCrypt 2.0 in the future
4. Restore files encrypted by PadCrypt 2.0
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.