Remove Payms Ransomware (Jigsaw Variant) and Restore .payms Files - How to, Technology and PC Security Forum |

Remove Payms Ransomware (Jigsaw Variant) and Restore .payms Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)


The Jigsaw ransomware makes its appearance yet again. This time, it is called Payms. The crypto-virus encrypts more than 120 file extensions like previous variants, adding a .payms extension or a variation of it. Unfortunately, the Jigsaw ransomware is sold on the Dark Web for less money than what is asked for a ransom payment per victim. To know how to restore your files and remove this ransomware, variant you should read the article carefully.

Threat Summary

NamePayms Ransomware
Short DescriptionThe ransomware encrypts files by adding a .payms extension and asks a ransom for decryption.
SymptomsFiles with more than 120 various extensions are encrypted. Every hour files get erased if the ransom is not paid.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks
Detection Tool See If Your System Has Been Affected by Payms Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Payms Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Payms Ransomware – Distribution

Payms ransomware can distribute via a couple of ways. Your computer could get infected with the crypto-virus through spam e-mails which have an attachment with malicious code inside them. If the attachment is opened, malware might be injected inside your computer system. The file possibly has a name such as firefox.exe or something similar, so to try and trick you.

Past variants of the presently named Payms ransomware were delivered through social media sites and some file-share system, too. DropBox could still be a way of distribution as the original variant of the ransomware used that as well. Avoiding all suspicious files, links, and websites is a highly recommended action as there you might find malware such as this one.

Payms Ransomware – Technical Description

The Payms crypto-virus is classified as ransomware. All of your files will be encrypted and become unusable. The malware demands BitCoins as the payment method for the ransom. If you do not meet certain criteria, your files will get deleted on an hourly basis, and the ransom price will increase. No real theme is used for this ransomware (as past variants used themes), but just plain text.

In the directories %AppData% and %LocalAppData% files may be created to assist the ransomware with its operations.

The Windows Registry may undergo modifications as well. The following registry value is added respectively:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random name].exe %UserProfile%\AppData\Roaming\[directory to that exe]

The registry value set in the Registry will automatically load a specific executable, related to the ransomware. Every start of the Windows Operating System will load the file which executes the Payms ransomware.

The next action of the ransomware will be to show a lock screen which is solely text with payment instructions.

Here is how the lock screen looks like:


The ransomware demands a payment of 150 US dollars, within the first 24 hours, paid in BitCoins. If you do not pay, the ransomware will delete some of your files with each hour that passes and the ransom price will increase to 225 US dollars. There is no information about the sum getting bigger after that.

The message which is shown with the lock screen is:

Your files are encrypted you must pay $150 USD ($225 USD after 24 hrs) in Bitcoins to unlock them. Send Bitcoins to the address specified. If you need help, you can talk to us via the chat page. There is a file on your desktop named Payment_Instructions with the same information.
Sus archivos estan encriptados tiene que pagar $ 150 USD ($ 225 USD despues de 24 horas) en Bitcoins para desbloquearlos. Envia los Bitcoins a la direccion indicada. Si necesita ayuda puede hablar con nosotros a traves de la pagina de chat. Hay un archivo en el escritorio llamado Payment_Instructions con la misma informacion.
Visit the chat / Visita el chat: http://783629.6te(.)net
1. Go to www.LocalBitcoins(.)com, Register and purchase Bitcoins.
2. Copy the Bitcoins address on the left and send the coins to that address from your localbitcoins profile.
3. Click below that you paid.
4. Our system will recognize the payment and unblock all your files instantly and delete itself.
1. Ir a www.LocalBitcoins(.)com, registrar y comprar bitcoins.
2. Copie la direccion de Bitcoins en la izquierda y enviar las monedas a esa direccion desde su perfil en localbitcoins.
3. Haga clic que ha pagado.
4. Nuestro sistema reconocera el pago, desbloqueara todos los archivos al instante y se borrara el mismo.

If you go to the chat page (currently redirecting to other pages) you will see part of the payment instructions there as well:


Paying the ransom asked by the Payms ransomware is highly unadvised. You cannot receive any guarantee from anyone that you will get your files back and that they will work properly as before. Giving money to the cyber criminals will support them to make other crimes or improve the ransomware. Be aware, that at the end of the article you can find restoration methods described. A decryptor is also present thanks to the malware researcher Michael Gillespie.

The Payms ransomware searches for files to encrypt them on all kinds of storage devices – HDDs, SSDs, internal and external. This variant will also search for files with more than 120 extensions. The file list is the following:

→ .3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .jpeg, .jpg, .js, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .raw, .rb, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java

The AES algorithm keeps being the one used for the encryption process of this variant of the Jigsaw ransomware. The ransomware sets .payms as the extension of all encrypted files. The .paymst and .pays extensions could be used for encryption in other versions. If you restart your PC, there is a chance that you can lose about 1,000 of your encrypted files.

The core of the ransomware is still the same. Thus the solution to restore your files is still available. In case you have restarted your computer after being infected and lost some of your files – don’t worry. Data Recovery software can aid you to recover some of the files.

Remove Payms Ransomware and Restore .payms, .pays, .paymst Files

If Payms ransomware infected your system, do not be worried, because a solution is available to decrypt your files for free. If you got infected by this ransomware, you should have a little experience in removing viruses. Check the instructions written down below to see how you can recover your files.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share