Paysafe Generator 2016 is the name for a cryptovirus that pretends to be a key generator for Paysafe card codes and make you money. In fact, it is ransomware and the irony is that its developers demand payment in Paysafe. The encrypted files have the extension .cry_ placed just between the dot and the name of the original extension. It claims to use the 256-bit AES encryption algorithm, and its ransom note is written in German.
To see how to remove the ransomware and how you can try restoring your files, read the article.
|Short Description||The ransomware pretends to be a Paysafe keycode generator, but instead is ransomware. It will encrypt your files and then display a ransom note with instructions for payment in the German language.|
|Symptoms||All encrypted files will get the interfix .cry_ placed in their extensions.|
|Distribution Method||Spam Emails, Email Attachments|
|Detection Tool|| See If Your System Has Been Affected by Paysafe Generator |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Paysafe Generator.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Paysafe Generator Virus – Distribution
The Paysafe Generator ransomware could get inside your personal computer in a couple of ways. The payload file could be spread through spam emails. In most cases, these spam emails have an attached file and are written in a way to make you believe that their contents are important. If you open the attachment, it will release a malicious script and infect your computer machine. You can check the detections of one such file on the VirusTotal website from here:
The Paysafe Generator virus could infect your computer by distributing its payload file on social media and file-sharing services. Also, it can be advertised as a program that generates Paysafe codes as seen in the picture. Refrain from opening files that come from suspicious emails, links or unknown sources. Before opening, you should first do a scan with a security application and check the files, including their size and signatures. You should read the tips for preventing ransomware from the thread in the forum.
Paysafe Generator Virus – In Depth
The Paysafe Generator 2016 is a virus discovered by the malware researcher Jakub Kroustek from Avast. The virus pretends to be a generator tool for Paysafe codes. Instead, you will get your files encrypted and will get .cry_ in the name of their extensions.
When the Paysafe Generator ransomware executes its payload, it could create entries in the Windows Registry. That can make the ransomware harder to remove, and it could spread more of its files in different locations on your personal computer. The registry entries could also make the cryptovirus launch automatically with every boot of the Windows operating system.
You can see a screenshot of the ransom message down here:
The ransom note is written in the German language. It reads the following:
ALLE wichtigen Dateien und/oder Programme auf ihrem Computer
wurden mit AES-256 verschlüsselt. Das bedeutet Sie
können ihre Dateien und Programme erst wieder
verwenden wenn Sie sich einen 128-Stelligen
Entschlüsslungscode für 100€ kaufen. Nachdem sich dieses
Fenster geschlossen hat, finden Sie auf ihrem Desktop
eine Datei mit dem Namen “Kaufen” oder “Kaufen.exe”.
Geben Sie dort einen gültigen 100€-Paysafecardcode und
ihre Email ein. Paysafecardcodes finded Sie in fast jeder
Tankstelle und/oder Supermärkten. Nach der Verifizierung
des Codes durch uns bekommen Sie per Email den
Entschlüsslungscode zusammen mit weiteren
Instruktionen, um ihre Dateien zu entschlüsseln.
FALLS INNERHALB DER NÄCHSTEN 72 STUNDEN KEINE
ZAHLUNG ERFOLGT WERDEN ALLE DATEN GELÖSCHT.
Drücken Sie jetzt ENTER um auf
Ihren Desktop zurückzukehren.
A rough English translation of the note is shown below:
ALL important files and / or programs on your computer
were encrypted with AES-256. That means you
can restore the files and programs only when you buy
a 128-digit decryption code for 100 €. After this
window closes, you will find on your desktop
a file named “Buy” or “Buy.exe”.
Enter a valid 100 € -Paysafecard and your email.
You can find Paysafecard codes in almost every
gas station and / or supermarkets. After the verification
of the code, you will be sent by email
decryption code along with other
instructions to decrypt your files.
IF IN THE NEXT 72 HOURS NO
PAYMENT, ALL DATA WILL BE DELETED.
Press ENTER to enter
Ironically, you are asked to buy a Paysafe code and pay 100 euros to the cybercriminals. The ransom note threatens to delete all of your files if you don’t pay the crooks in the next 72 hours. However, you should NOT think of paying as that will just support the extortionists. Nobody can give you a guarantee that paying will recover your files to their previous state. Furthermore, the criminals will probably use the money to create new ransomware.
On the following picture, you can see the Buy.exe file loaded, which has empty fields for where you can put the Paysafe code and your email to receive a code for decryption:
The above image is displayed for informative purposes, only.
The Paysafe Generator ransomware will encrypt files and place .cry_ as the beginning of every file extension of encrypted files. The following list is confirmed to contain file extensions which the virus seeks to encrypt:
→.doc, .docx, .jpg, .mp3, .pdf, .png, .txt, .xls, .xlsx
Surely, more file types such as documents, picture and music are being encrypted, too. The Paysafe Generator virus is very likely to delete the Shadow Volume Copies from the Windows operating system by using the following command:
→vssadmin.exe delete shadows /all /Quiet
Continue reading to see what kind of methods you can try for restoring some of your files.
Remove Paysafe Generator and Restore .cry_ Files
If your computer got infected with the Paysafe Generator ransomware, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Paysafe Generator.