Meet PadCrypt, a new addition to the ransomware malware category just detected by malware researchers at abuse(.)ch and analyzed by MalwareHunterTeam. Once installed on a system, PadCrypt will encrypt certain files and append an .ETC extension. The demanded payment is 0.8 Bitcoin, or approximately $320.
|Short Description||PadCrypt ransomware has features similar to CryptoWall. It uses the AES algorithm.|
|Symptoms||The victim’s files are locked and have an .ETC extension appended.|
|Distribution Method||Via spam email attachments containing PDF files.|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by PadCrypt Ransomware|
|User Experience||Join our forum to discuss PadCrypt Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
PadCrypt General Description
Unfortunately, PadCrypt is designed to delete Shadow Volume Copies, but has an uninstaller featured inside its code. Interestingly enough, PadCrypt provides live chat support to its victims, possibly to increase the chance of victims paying the ransom. A live chat support in real time will guide victims through the frustrating payment process, and would act as a guarantee for the decryption key delivery. Currently, this feature is not available because the command & control servers are offline.
Also, the ransomware has a lot in common with CryptoWall, which is not that surprising. Cyber criminals just love to imitate CryptoWall, proven to be one of the most notorious ransomware pieces ever written.
For example, some versions of CryptoWall also had live support, but it was a Web-based chat that was supported by the website where victims would pay the ransom. PadCrypt’s live chat is available directly on the victim’s machine, and the victim doesn’t need to launch a browser or install Tor.
PadCrypt Ransomware Distribution Techniques
Ransomware is often spread in email spam campaigns, featuring malicious email attachments and archive files. Researchers believe that PadCrypt is spread via PDF files attached in the email bofy. Cyber criminals often send specially crafted emails, representing legitimate entities such as governmental institutions or well-known services, to trick users into opening them.
Learn how to increase your protection against spam
Keep in mind that, spam emails aside, ransomware pieces can be dropped by Trojan horses either contained in a malicious attachment or hosted on a malicious website. Trojans also lurk in torrents and p2p pages, and can be installed on a victim’s machine via a drive-by download.
PadCrypt Ransomware Technical Description
Once that malicious PDF file observed in this campaign (possibly named something like DPD_11394029384.pdf.scr) is executed, the user’s machine is infected with PadCrypt. The PDF itself is an executable file renamed with the .scr extension. Once it is executed, the package.pdcr and uninstl.pdcr files are downloaded from the disabled C&C servers, as pointed out by Bleeping Computer.
Researchers have identified the following command & control servers associated with PadCrypt:
Other Technical Details
PadCrypt main executable: package.pdcr
PadCrypt uninstaller: uninstl.pdcr
N.B. Both of the files are stored in the %AppData%\PadCrypt folder.
A curious theory about the existence of an uninstaller is that the ransomware creators may have used templates, and as a result the uninstaller was generated automatically, as pointed out by Softpedia.
PadCrypt Ransomware Encryption Process
Once the ransomware is launched, it will scan the local drives for files with certain extensions and will then crypt them via the AES algorithm. As a result, the encrypted files with have the .ENC extension appended to them.
All encrypted files are recorded in the %AppData%\PadCrypt\files.txt file.
The file extensions targeted by PadCrypt are:
→pdf, gif, bmp, jpeg, jpg, png, doc, docx, ppt, ptx, psd, pdn
As mentioned in the beginning, PadCrypt also targets and deletes the Shadow Volume Copies by executing the following command:
→vssadmin delete shadows /for=z: /all /quiet
Once the encryption process is finished, PadCrypt will create an IMPORTANT READ ME.txt file on the desktop, containing ransomware instructions:
Image Source: Bleeping Computer
PadCrypt Ransomware Removal Options
Quite curiously, the C&C servers for PadCrypt are currently offline which possibly means that its creators have found flaws in their code (and are probably trying to fix them as we speak). In case of infection, the victim should immediately back up their data and remove the ransomware via a strong anti-malware program. As mentioned, the PadCrypt uninstaller is downloaded during the ransomware installation. However, if the uninstaller is also downloaded from the C&C servers which are currently unavailable, it won’t be available either.
Follow these instructions to clean your system and back up your data.