Remove PaySafeCard Ransomware and Restore .rnsmwre Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove PaySafeCard Ransomware and Restore .rnsmwre Files

This article will aid you by showing how to remove the PaySafeCard file encryption ransomware and how to restore .rnsmwre files.

The beginning of June 2017 has marked the emergence of multiple new ransomware viruses. One of those is the .rnsmwre file extension virus, also known as the PaySafeCard ransomware. Its primary goal is to make sure that you can no longer open your files by locking (encrypting) them right on your PC, because PaySafeCard ransomware wants you to pay $20 in order to get the encrypted files restored to their original state. If your computer has been infected by the .rnsmwre file virus, we recommend that you read the post below.

Threat Summary

Name: .rnsmwre Virus
Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt the files on your computer and get you to pay $20 to get them back.
Symptoms: A ransom note dropped on your computer, named @decrypt_your_files.txt. Files are appended the .rnsmwre file extension.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

How Does PaySafeCard Virus Infect

In order to infect computers successfully, the virus has to trick the victim into opening a malicious object. Such objects could be:

  • Malicious Microsoft Word documents with macros.
  • Web links that redirect to the download page of the file.
  • Malicious JavaScript files that cause the infection.
  • Malicious .vbs files.
  • Executable files.

To conceal the nature of the malicious file from virus scanners, the people who spread PaySafeCard ransomware may also pack it inside an archive.

These files or web link objects may be spread via different methods:

  • Spammed e-mail messages that aim to convince that the files are legitimate documents.
  • Messages on social media websites.
  • By uploading them on websites as fake programs.
  • Via third-party malware that has previously infected your computer.

.rnsmwre File Virus – Further Information

As soon as infection by this virus takes place, it connects to duetro-proxy(dot)lima-city(dot)de with the IP address 91.216.248.20:80. From there, this ransomware may relay information that may contain:

  • Your IP address.
  • Your Windows operating system version.
  • Other system information.

Furthermore, the malicious files of the PaySafeCard .rnsmwre are dropped on the infected computer. The main malicious file is named rnsmwre.exe, but there may be multiple different support files in addition to it. They may reside in the following Windows directories:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%

After the files are dropped, the PaySafeCard ransomware also drops a ransom note (@decrypt_your_files.txt), in which it demands that the payoff be made via the PaySafeCard service, whose name is misspelled in the note:

“Your files are encrypted!
There is only one way to get them back:
You need to send me a 20 USD PaySaveCard-Code {Write it into the Console Window!}”

Other activities of this ransomware virus may include the use of different malicious functions to delete the shadow volume copies on the infected computer. This is usually achieved via the vssadmin and bcdedit commands in the Windows command prompt. To run them, however, PaySafeCard first has to obtain administrative privileges. The commands are as follows:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

But PaySafeCard ransomware does not stop there. The ransomware may also add Windows registry values in the Registry Editor. The targeted keys may be the Run and RunOnce sub-keys, in which value strings may be added so that rnsmwre.exe runs automatically when Windows boots:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
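The recovery-tampering commands and the Run/RunOnce persistence described above can be hunted for in endpoint telemetry. The following is an added example, not code from the article: the event layout, host names and rule names are assumptions, and the sample events are constructed.

```python
import re

# Patterns for the commands and registry keys listed in the article (case-insensitive).
CMD_RULES = {
    "shadow_copy_deletion": re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows', re.I),
    "recovery_disabled": re.compile(r'bcdedit(\.exe)?"?\s+/set\s+\S+\s+recoveryenabled\s+no\b', re.I),
    "boot_failures_ignored": re.compile(r'bcdedit(\.exe)?"?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b', re.I),
}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
DROPPER = "rnsmwre.exe"  # executable name given in the article

SAMPLE_EVENTS = [  # constructed events in a hypothetical, simplified layout
    {"host": "ws-01", "type": "process", "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-01", "type": "process", "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "ws-01", "type": "registry",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\a\AppData\Roaming\rnsmwre.exe"},
    {"host": "ws-02", "type": "process", "cmdline": "vssadmin list shadows"},  # benign query
    {"host": "ws-03", "type": "process", "cmdline": "BCDEDIT /set {default} bootstatuspolicy IgnoreAllFailures"},
]

def classify(event):
    """Return the sorted rule names matched by one process or registry event."""
    hits = set()
    if event["type"] == "process":
        for name, pattern in CMD_RULES.items():
            if pattern.search(event["cmdline"]):
                hits.add(name)
    elif event["type"] == "registry":
        # Only flag autostart values that point at the dropper named in the article.
        if RUN_KEY.search(event["key"]) and DROPPER in event["data"].lower():
            hits.add("run_key_persistence")
    return sorted(hits)

def triage(events):
    """Map each host with at least one hit to the sorted behaviours seen on it."""
    report = {}
    for event in events:
        hits = classify(event)
        if hits:
            report.setdefault(event["host"], set()).update(hits)
    return {host: sorted(found) for host, found in report.items()}

if __name__ == "__main__":
    for host, behaviours in triage(SAMPLE_EVENTS).items():
        print(host, behaviours)
```

A host that shows both the recovery tampering and the autostart value, like ws-01 in the sample, is a stronger signal than either behaviour alone, since administrators occasionally run vssadmin and bcdedit for legitimate reasons.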

The Encryption of .rnsmwre File Virus

For the encryption process, this ransomware infection uses a custom encryption mode and the AES encryption algorithm. The cipher replaces the data of the original files with encrypted data, with the primary purpose of rendering the files no longer openable. The PaySafeCard virus may target different file types for encryption, among which could be the following:

“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”

After encrypting the files on the infected computer, the virus appends the .rnsmwre file extension to them.

Similar to other viruses, this virus uses the PaySafeCard service for payment instead of BitCoin or other cryptocurrency. Paying the ransom is not advisable.
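To gauge how far the encryption reached before restoring from backup, the file-level indicators named in this article (the appended .rnsmwre extension, the @decrypt_your_files.txt note and rnsmwre.exe) can be inventoried. This is an added example, not part of the original article; the function names and the sample directory tree are constructed for illustration.

```python
import os
from collections import Counter

ENCRYPTED_EXT = ".rnsmwre"               # extension the article says is appended
RANSOM_NOTE = "@decrypt_your_files.txt"  # ransom note name from the article
DROPPER = "rnsmwre.exe"                  # main executable name from the article

def scan(root):
    """Walk root and collect encrypted files, ransom notes and dropper copies."""
    result = {"encrypted": {}, "notes": [], "droppers": [], "per_dir": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == RANSOM_NOTE:
                result["notes"].append(path)
            elif lower == DROPPER:
                result["droppers"].append(path)
            elif lower.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT):
                # Stripping the appended extension gives the name to look for in backups.
                result["encrypted"][path] = name[: -len(ENCRYPTED_EXT)]
                result["per_dir"][dirpath] += 1
    return result

def build_sample(root):
    """Create a small constructed tree of empty files mimicking an affected profile."""
    os.makedirs(os.path.join(root, "Documents"))
    os.makedirs(os.path.join(root, "AppData", "Roaming"))
    for rel in ("Documents/report.docx.rnsmwre", "Documents/photo.jpg.rnsmwre",
                "Documents/notes.txt", "Documents/@decrypt_your_files.txt",
                "AppData/Roaming/rnsmwre.exe"):
        open(os.path.join(root, *rel.split("/")), "w").close()

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        found = scan(tmp)
        print(len(found["encrypted"]), "encrypted files,",
              len(found["notes"]), "ransom notes,",
              len(found["droppers"]), "dropper copies")
        for path, original in sorted(found["encrypted"].items()):
            print(original, "<-", path)
```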

Remove PaySafeCard Ransomware and Try Recovering Your Data

For the removal of this ransomware virus, we recommend that you follow the instructions underneath this article. They are designed to isolate the threat and then get rid of it. However, since PaySafeCard may interfere with system files of Windows, removing the virus may result in some components of Windows failing to work, which may be a risk. This is why, for a safe removal, security experts recommend deleting PaySafeCard ransomware automatically by using an advanced anti-malware program which is ransomware-specific.

After you have already removed the virus, it is time to think about how to restore your encrypted files. We have suggested several alternative methods for this in step “2. Restore files encrypted by .rnsmwre Virus” below. They are in no way 100% effective, but may help you recover at least some of your encrypted files.

Manually delete .rnsmwre Virus from your computer

Note! Substantial notification about the .rnsmwre Virus threat: Manual removal of .rnsmwre Virus requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove .rnsmwre Virus files and objects
2. Find malicious files created by .rnsmwre Virus on your PC

Automatically remove .rnsmwre Virus by downloading an advanced anti-malware program

1. Remove .rnsmwre Virus with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by .rnsmwre Virus
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
