Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove PayCrypt Ransomware and Restore Id Encrypted Files

A new ransomware from the [email protected] variants has been spotted and reported out in the wild. It carries the name PayCrypt and locks user files appending a random identification file extension with the [email protected] e-mail address. The encrypted files are rendered corrupt, and affected users’ only viable choice seems to be following the ransom instructions which the virus sets as wallpaper. They include contacting the e-mail address and negotiating the ransom payment. We strongly advise affected users not to pay the ransom and to seek alternative file decryption methods.

NamePayCrypt
TypeRansomware.
Short DescriptionEncrypts your files demanding ransom payment for their decryption.
SymptomsThe user may witness the wallpaper changed to the one posted below and his files to have a custom extension and become DOS type of files.
Distribution MethodVia malicious files, Exploit Kits or malicious URLs.
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by PayCrypt
User Experience Join our forum to discuss PayCrypt.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

PayCrypt Ransomware – Spread

To be redistributed over the web, the crypto-malware may use various methods. Since the infected file dropped on the victim computers is an executable with a random alpha numerical name, experts would suggest that it was copied to the computer via several different distribution methods:

  • As an attachment via a spam email message.
  • As a file that has been dropped via an exploit kit.
  • A drive-by download of a Dropper caused by visiting a malicious link.

Users are strongly advised always to check unfamiliar files and links using their antivirus or services such as VirusTotal.

PayCrypt Ransomware In Detail

Once the [email protected] ransomware has been activated on the user’s PC, it may create files several files in key folders:

  • %AppData%
  • %AppData%
  • %Temp%
  • %Windows%
  • %UserProfile%
  • %Roaming%

After doing so, the ransomware may seek to encrypt files that are commonly used (http://fileinfo.com/filetypes/common) on the user PC. An encrypted file looks like the following example:

  • New Text [email protected]

The files are encrypted with a randomly generated numerical number after which the [email protected] address. After encrypting the user’s data, this particular ransomware also uses a ransom message which points out the PayCrypt e-mail address. The ransom message may be the following:

paycrypt-ransomware-sensorstechforum

Some users who contacted ransomware such as this one have reported establishing contact with the cyber-criminals and even lower down the ransom money. However, we at SensorsTechForum strongly advise against paying any ransom money at all for several different reasons:

  • You fund the cyber-criminals to improve their malware and spread it even more.
  • There is no guarantee you will get your files decrypted by them.

The bottom line for this crypto-malware is that it is most likely sold as a service. This is known as RaaS (Ransomware as a Service) and is very widespread on the deep web markets. Some users have even reported that such malware is being sold in the range 500 to 1000 USD. Just like any other software you may encounter, it may contain instructions on how to be used and ability to set the extension, encryption algorithm (RSA, AES, DH, etc.) and not only this, but the ransomware may also let the user customize the amount of money they will demand.

Remove PayCrypt Ransomware and Restore the Encrypted Files

To remove this crypto-malware, users are strongly advised to follow the step-by-step removal instructions below. They should ensure that you effectively detect and remove the files and other objects like registry entries that are associated with this malware.

After removing the malware, all that is left is for you to get back what is yours – the files. To do this, we have suggested several removal methods in step “4. Restore Files Encrypted by PayCrypt” below. One of those methods is Kaspersky’s Rakhni decryptor which has been reported to work with other [email protected] ransomware variants such as the [email protected] one. But you should know that the decryption process may take some time, and this is why we recommend setting your computer to stay awake and not hibernate automatically (laptops).

Here is an instruction video on how to remove the malware and try and decrypt your data:

(Viable)Remove “@” Ramsomware and Decrypt Your Files Instruction Video

1. Boot Your PC In Safe Mode to isolate and remove PayCrypt
2. Remove PayCrypt with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by PayCrypt in the future
4. Restore files encrypted by PayCrypt
Optional: Using Alternative Anti-Malware Tools
NOTE! Substantial notification about the PayCrypt threat: Manual removal of PayCrypt requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.