
Remove PadCrypt Ransomware and Restore .ETC Files

Meet PadCrypt, a new addition to the ransomware malware category just detected by malware researchers at abuse(.)ch and analyzed by MalwareHunterTeam. Once installed on a system, PadCrypt will encrypt certain files and append an .ETC extension. The demanded payment is 0.8 Bitcoin, or approximately $320.

Name: PadCrypt Ransomware
Short Description: PadCrypt ransomware has features similar to CryptoWall. It uses the AES algorithm.
Symptoms: The victim’s files are locked and have an .ETC extension appended.
Distribution Method: Via spam email attachments containing PDF files.

PadCrypt General Description

Unfortunately, PadCrypt is designed to delete Shadow Volume Copies, but it also ships an uninstaller inside its code. Interestingly enough, PadCrypt provides live chat support to its victims, possibly to increase the chance that they pay the ransom. A real-time chat operator would guide victims through the frustrating payment process and act as a guarantee that the decryption key will be delivered. Currently, this feature is not available because the command & control servers are offline.

Also, the ransomware has a lot in common with CryptoWall, which is not that surprising. Cyber criminals just love to imitate CryptoWall, proven to be one of the most notorious ransomware pieces ever written.
For example, some versions of CryptoWall also had live support, but it was a Web-based chat that was supported by the website where victims would pay the ransom. PadCrypt’s live chat is available directly on the victim’s machine, and the victim doesn’t need to launch a browser or install Tor.

PadCrypt Ransomware Distribution Techniques

Ransomware is often spread in email spam campaigns featuring malicious email attachments and archive files. Researchers believe that PadCrypt is spread via PDF files attached to the email body. Cyber criminals often send specially crafted emails impersonating legitimate entities such as governmental institutions or well-known services to trick users into opening them.


Keep in mind that, spam emails aside, ransomware pieces can be dropped by Trojan horses either contained in a malicious attachment or hosted on a malicious website. Trojans also lurk in torrents and p2p pages, and can be installed on a victim’s machine via a drive-by download.

PadCrypt Ransomware Technical Description

Once the malicious "PDF" file observed in this campaign (possibly named something like DPD_11394029384.pdf.scr) is executed, the user’s machine is infected with PadCrypt. The "PDF" is in fact an executable carrying the .scr (screensaver) extension behind a PDF-looking name. Once it runs, the package.pdcr and uninstl.pdcr files are downloaded from the C&C servers, which are now disabled, as pointed out by Bleeping Computer.
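The double-extension trick described above (a document-looking name ending in an executable extension such as .scr) is easy to flag at the mail gateway or in an attachment triage script. The following is an added example and not code from the article or from any vendor; the sample attachment names other than the one quoted in the text are constructed, and the extension sets are an assumed minimal list rather than an exhaustive one.

```python
from typing import List, NamedTuple

# Extensions that Windows runs as programs regardless of what the name before them suggests.
# Assumed minimal set for illustration; a production filter would be broader.
EXECUTABLE_EXTENSIONS = {"scr", "exe", "com", "pif", "bat", "cmd", "js", "vbs", "jse", "wsf"}

# Document/image extensions typically used as the decoy part of a double extension.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "png", "txt"}


class Verdict(NamedTuple):
    filename: str
    suspicious: bool
    reason: str


def inspect_attachment_name(filename: str) -> Verdict:
    """Classify an attachment purely by its name (content inspection is a separate control)."""
    # Split off at most the last two extensions: "name.pdf.scr" -> ["name", "pdf", "scr"].
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 2:
        return Verdict(filename, False, "no extension")
    last = parts[-1]
    if last not in EXECUTABLE_EXTENSIONS:
        return Verdict(filename, False, f"non-executable extension .{last}")
    # Executable with a decoy document extension in front of it: the PadCrypt lure pattern.
    if len(parts) == 3 and parts[1] in DECOY_EXTENSIONS:
        return Verdict(filename, True, f"decoy .{parts[1]} before executable .{last}")
    # A bare executable attachment is still worth blocking or quarantining.
    return Verdict(filename, True, f"executable attachment .{last}")


def triage(filenames: List[str]) -> List[Verdict]:
    """Return only the verdicts that an analyst or gateway rule should act on."""
    return [v for v in (inspect_attachment_name(f) for f in filenames) if v.suspicious]


# Constructed sample attachment names; the first one is the name quoted in the article.
SAMPLE_ATTACHMENTS = [
    "DPD_11394029384.pdf.scr",
    "quarterly_report.pdf",
    "invoice.exe",
    "photo.jpg",
    "README",
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_ATTACHMENTS):
        print(f"{verdict.filename}: {verdict.reason}")
```

Name-based checks like this are cheap and catch the lure shown here, but they only complement, never replace, content scanning: an attacker can still deliver an executable inside an archive or with a name this list does not cover.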

Researchers have identified the following command & control servers associated with PadCrypt:

  • annaflowersweb(.)com;
  • subzone3.2fh(.)co;
  • cloudnet(.)online.

Other Technical Details

PadCrypt main executable: package.pdcr
PadCrypt uninstaller: uninstl.pdcr

N.B. Both of the files are stored in the %AppData%\PadCrypt folder.

A curious theory about the existence of an uninstaller is that the ransomware creators may have used templates, and as a result the uninstaller was generated automatically, as pointed out by Softpedia.

PadCrypt Ransomware Encryption Process

Once the ransomware is launched, it will scan the local drives for files with certain extensions and will then encrypt them with the AES algorithm. As a result, the encrypted files will have the .ENC extension appended to them.
All encrypted files are recorded in the %AppData%\PadCrypt\files.txt file.

The file extensions targeted by PadCrypt are:

pdf, gif, bmp, jpeg, jpg, png, doc, docx, ppt, ptx, psd, pdn

As mentioned in the beginning, PadCrypt also targets and deletes the Shadow Volume Copies by executing the following command:

vssadmin delete shadows /for=z: /all /quiet
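The vssadmin command above and the %AppData%\PadCrypt drop location are the two host-side signals a defender can alert on. The following detection logic is an added example, not code from the article or from any vendor: it parses constructed Sysmon-style process-creation records (key=value pairs, not real telemetry) and flags shadow-copy deletion via vssadmin together with any process running from, or spawned by, the PadCrypt folder. The expansion of %AppData% to C:\Users\<user>\AppData\Roaming is standard Windows behaviour; the record layout is an assumption made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation records (Event ID 1). Not real telemetry.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe '
    'ParentImage=C:\\Users\\alice\\AppData\\Roaming\\PadCrypt\\package.pdcr '
    'CommandLine="vssadmin delete shadows /for=z: /all /quiet"',
    'EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe '
    'ParentImage=C:\\Windows\\explorer.exe CommandLine="vssadmin list shadows"',
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe '
    'ParentImage=C:\\Windows\\explorer.exe CommandLine="notepad C:\\Users\\alice\\notes.txt"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-whitespace.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# "vssadmin delete shadows" regardless of the /for, /all or /quiet switches that follow.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)

# %AppData% expands to C:\Users\<user>\AppData\Roaming, so the article's
# %AppData%\PadCrypt folder shows up in image paths as ...\AppData\Roaming\PadCrypt\...
PADCRYPT_DIR_RE = re.compile(r"\\AppData\\Roaming\\PadCrypt\\", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict, unquoting quoted values."""
    fields = {}
    for match in FIELD_RE.finditer(line):
        key, raw, quoted = match.group(1), match.group(2), match.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of reasons this event is suspicious (empty if benign)."""
    reasons = []
    if SHADOW_DELETE_RE.search(event.get("CommandLine", "")):
        reasons.append("shadow copy deletion via vssadmin")
    for key in ("Image", "ParentImage"):
        if PADCRYPT_DIR_RE.search(event.get(key, "")):
            reasons.append(f"{key} under %AppData%\\PadCrypt")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run every record through the classifier and keep only those that fired."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            alerts.append((event.get("Image", ""), reasons))
    return alerts


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {image}: {'; '.join(reasons)}")
```

The "vssadmin list shadows" record deliberately does not fire: listing shadow copies is routine administration, while deleting them is rarely legitimate outside backup maintenance windows and is a strong early indicator that encryption is about to start, which is when isolating the host still saves data.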

Once the encryption process is finished, PadCrypt will create an IMPORTANT READ ME.txt file on the desktop containing the ransom instructions:

[Screenshot of the ransom note; image source: Bleeping Computer]

PadCrypt Ransomware Removal Options

Quite curiously, the C&C servers for PadCrypt are currently offline, which possibly means that its creators have found flaws in their code (and are probably trying to fix them as we speak). In case of infection, the victim should immediately back up their data and remove the ransomware via a strong anti-malware program. As mentioned, the PadCrypt uninstaller is downloaded during the ransomware installation. However, since the uninstaller comes from the same C&C servers, it will not be available while those servers remain offline.

Follow these instructions to clean your system and back up your data.

1. Boot Your PC In Safe Mode to isolate and remove PadCrypt Ransomware
2. Remove PadCrypt Ransomware with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by PadCrypt Ransomware in the future
4. Restore files encrypted by PadCrypt Ransomware
Optional: Using Alternative Anti-Malware Tools
NOTE! Important notice about the PadCrypt Ransomware threat: manual removal of PadCrypt Ransomware requires interfering with system files and the registry and can therefore damage your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in about 5 minutes using a malware removal tool.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
