PadCrypt Ransomware Removal Guide

Threat Level:
8/10
Category: Trojans

PadCrypt Ransomware is an infection that is usually launched using a malicious file that is downloaded onto the computer with the knowledge of its owner. Of course, cyber criminals will employ scams to trick computer users into downloading this malicious file. According to our research, this clandestine ransomware is most likely to be spread using fake PDF files in ZIP archives attached to spam emails. If you open this fake PDF file, the malicious ransomware will be launched, and malicious processes will be initiated. Using AES encryption, this devious infection will encrypt your personal files, including documents and photos. A decryption key will be created and sent to a remote server to keep it away from you. The problem is that you can decrypt your files only if you have the decryption key. Unfortunately, most users delete PadCrypt Ransomware without finding a way to decrypt their personal files.

While testing PadCrypt Ransomware in our internal lab, we found that this ransomware is very similar to CryptoLocker Virus. In fact, this new infection is an updated version of this infamous threat. PadCrypt 2.0 – which is another name this threat is known by – has a slightly different interface and a brand new feature, Live Chat. Just like the malicious CryptoLocker, this infection gives you a certain time span during which you need to act. It is suggested that the ransom fee would grow if you did not pay it within the given time, and there is a possibility that it would. Another similarity that PadCrypt Ransomware shares with its predecessor is the payment method. Although this threat originally requests a payment in Bitcoins (0.8 BTC), users also have the option to transfer an adequate sum in USD using Paysafecard or Ukash systems. It is notable that these anonymous money transfer systems have been employed by many other ransomware threats before.

Once installed, this ransomware introduces all of its demands via a message that is likely to automatically appear on your screen. The same or similar demands are likely to be presented to you via a text file called “IMPORTANT READ ME.txt”. Here are a few excerpts.

Your files and documents have been encrypted!
[…] Your photos, documents, and videos on this computer have been encrypted with AES-256. To get your files back you will need to purchase your encryption key within the set date, failing to pay will result in destruction of your key.
[…] The key produced for your computer is stored on our server. To obtain the unique key for your computer, which will decrypt and recover your encrypted files, you will need to pay a fee in Bitcoin/Ukash/PSC prior to the key destroy date.

There is nothing special about this message, as it basically states the same things that can be associated with all ransomware infections. What draws more attention is the suspicious link to Live Chat, as this is the first ransomware to ever use it. The problem is that the servers linked to this ransomware are currently down, and this feature does not work. The C&C servers associated with PadCrypt Ransomware include annaflowersweb.com, subzone3.2fh.co, and cloudnet.online. Another strange feature associated with this ransomware is the uninstaller. The PadCrypt folder (might have a different name) in the %APPDATA% directory is likely to contain the decryptor and uninstall files. It is possible that the uninstaller will erase all components of the ransomware; however, you should not expect this to help with file decryption. Speaking of the encrypted files, all of them will have the “.enc” extension attached to them, and it will not be difficult for you to identify them. If you find that you have the files encrypted by this ransomware backed up, the only thing you need to do is remove PadCrypt Ransomware.

It will not be easy for you to make the final decision if your personal files are not backed up, and the only copies are encrypted by the malicious ransomware. The text file associated with this infection suggests that you can wait six months, after which all of your files will be decrypted for free. Are you willing to wait that long? Even if you are, it is naive to think that cyber criminals will be around to fulfill their promises. Paying the ransom is not what we recommend either because, when it comes to cyber criminals, there are no guarantees, and you might end up losing your money for nothing. Whether you have backups, or you pay the ransom, you must delete PadCrypt Ransomware. First, find and remove the fake PDF file that has unleashed the ransomware. Afterward, follow the steps presented below to eliminate the leftovers. We also recommend employing reliable anti-malware software to eliminate the leftovers and protect you in the future.

How to delete PadCrypt Ransomware

  1. Tap Win+E to open the Explorer.
  2. Type %APPDATA% into the address bar at the top.
  3. Right-click the file called “PadCrypt.exe” and select Delete.
  4. Now Right-click and Delete the folder called “PadCrypt.”
  5. Download a reliable malware scanner to scan your operating system.
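
Before or after the manual steps above, the indicators this article names can be checked with a read-only PowerShell script. This is an added example, not part of the original guide or of any vendor tool; the `$ScanRoot` parameter and its default (the user profile) are assumptions, and nothing is deleted.

```powershell
# Added example: read-only check for the PadCrypt indicators this article names.
# Nothing is deleted; $ScanRoot and its default are assumptions of this sketch.
param([string]$ScanRoot = $env:USERPROFILE)

$padDir  = Join-Path $env:APPDATA 'PadCrypt'     # the article notes the name may differ
$padExe  = Join-Path $env:APPDATA 'PadCrypt.exe'
$c2Hosts = 'annaflowersweb.com', 'subzone3.2fh.co', 'cloudnet.online'

# 1. Components dropped in %APPDATA% (steps 3 and 4 of the manual removal)
$components = @($padDir, $padExe | Where-Object { Test-Path -LiteralPath $_ })

# 2. Processes still running from those locations; end these before deleting files
$running = @(Get-Process -ErrorAction SilentlyContinue | Where-Object {
    $_.Path -and ($_.Path -eq $padExe -or
        $_.Path.StartsWith("$padDir\", [System.StringComparison]::OrdinalIgnoreCase))
})

# 3. Encrypted files and ransom notes under the scan root.
#    ".enc" is also used by legitimate tools, so treat the count as a lead, not proof.
$files     = Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue
$encrypted = @($files | Where-Object { $_.Extension -eq '.enc' })
$notes     = @($files | Where-Object { $_.Name -eq 'IMPORTANT READ ME.txt' })

# 4. C&C host names still present in the local DNS resolver cache
$dnsHits = @()
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    $dnsHits = @(Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $c2Hosts -contains $_.Entry } |
        ForEach-Object { $_.Entry } | Sort-Object -Unique)
}

# Summary: which folders hold the most .enc files tells you what to restore from backup
[pscustomobject]@{
    ComponentsFound    = $components
    RunningProcessIds  = @($running | ForEach-Object { $_.Id })
    EncryptedFileCount = $encrypted.Count
    TopEncryptedDirs   = @($encrypted | Group-Object DirectoryName |
                            Sort-Object Count -Descending |
                            Select-Object -First 5 -ExpandProperty Name)
    RansomNotes        = @($notes | ForEach-Object { $_.FullName })
    C2InDnsCache       = $dnsHits
} | Format-List
```

Run it as the affected user, because %APPDATA% resolves to that user's profile.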
