Remove PaySafeCard Ransomware and Restore .rnsmwre Files - How to, Technology and PC Security Forum |

Remove PaySafeCard Ransomware and Restore .rnsmwre Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article will aid you by showing how to remove the PaySafeCard file encryption ransomware and how to restore .rnsmwre files.

The beginning of June 2017 has marked the emerging of multiple new ransomware viruses. One of those is the .rnsmware file extension virus, also known as the PaySafeCard ransomware. It’s primary goal is to make sure that you can no longer open your files by locking (encrypting) them right on your PC. This is because PaySafeCard ransomware wants you to pay $20 in order to get the encrypted files restored back to their original state. If your computer has been infected by the .rnsmwre file virus, we recommend that you read the post below.

Threat Summary

Name.rnsmwre Virus
TypeRansomware, Cryptovirus
Short DescriptionAims to encrypt the files on your computer and get you to pay $20 to get them back.
SymptomsA ransom note dropped on your computer, named @decrypt_your_files.txt. Files are appended the .rnsmwre file extension.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .rnsmwre Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .rnsmwre Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

How Does PaySafeCard Virus Infect

In order to infect computers successfully, the virus has to trick the victim into opening a malicious object. Such objects could be:

  • Malicious Microsoft Word documents with macros.
  • Web links that redirect to the download page of the file.
  • Malicious JavaScript files that cause the infection.
  • Malicious .vbs files.
  • Executable files.

To conceal the nature of the malicious file, the people who spread PaySafeCard ransomware may archive the virus file to conceal it further from virus scanners.

These files or web link objects may be spread via different methods:

  • Spammed e-mail messages that aim to convince that the files are legitimate documents.
  • Messages on social media websites.
  • By uploading them on websites as fake programs.
  • Via third-party malware that has previously infected your computer.

.rnsmwre File Virus – Further Information

As soon as infection by this virus takes place, it connects to duetro-proxy(dot)lima-city(dot)de with the IP address From there, this ransomware may relay information that may contain:

  • Your IP address.
  • Your Windows operating system version.
  • Other system information.

Furthermore, the malicious files of the PaySafeCard .rnsmwre are dropped on the infected computer. The main malicious file is named rnsmwre.exe, but there may be multiple different support files in addition to it. They may reside in the following Windows directories:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%

After the files are dropped. The PaySafeCard ransomware, also drops a ransom note (@decrypt_your_files.txt), in which it demands the payoff to be made via the PaySafeCard service, which is written wrong in the note:

“Your files are encrypted!
There is only one way to get them back:
You need to send me a 20 USD PaySaveCard-Code {Write it into the Console Window!}”

Among other activities of this ransomware virus may include the usage of different malicious functions to delete the shadow volume copies on the infected computer. This is usually achieved via the vssadmin and bcedit commands in Windows command prompt. But to insert them, the PaySafeCard first has to obtain administrative privileges. The commands are as follows:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

But PaySafeCard ransomware does not stop there. The ransomware may also add Windows registry values in the Registry Editor. The targeted keys may be the Run and RunOnce sub-keys in which, value strings may be added to run the rnsmwre.exe automatically in Windows boot:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The Encryption of .rnsmware File Virus

For the encryption process, this ransomware infection uses a custom encryption mode and the AES encryption algorithm. This cipher replaces data from the original files with data from the encrypted files. It has the primary purpose of rendering the files no longer openable. The PaySafeCard virus may target different file types for encryption, among which could the following:


After encrypting the files on the infected computers by it, the virus appends the .rnsmwre file extension to them and they appear like the following:

Similar to other viruses, this virus uses the PaySafeCard service for payment instead of BitCoin or other cryptocurrency. Paying the ransom is not advisable.

Remove PaySafeCard Ransomware and Try Recovering Your Data

For the removal of this ransomware virus, we recommend you to follow the instructions underneath this article. They are designed to isolate the threat after which get rid of it. However, since PaySafeCard may interfere with system files of Windows, removing the virus may result in some components of Windows failing to work, which may be a risk. This is why, for a safe removal, security experts recommend deleting PaySafeCard ransomware automatically by using an advanced anti-malware program which is ransomware-specific.

After you have already removed the virus, it is time to think about how to restore your encrypted files. We have suggested several alternative methods for this in step “2. Restore files encrypted by .rnsmwre Virus” below. They are in no way 100% effective, but may help you recover at least some of your encrypted files.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share