Payransom Ransomware Removal Guide

Category: Trojans

A new variant of Invisible Empire Ransomware, Jigsaw Ransomware, and CryptoHitman Ransomware called Payransom Ransomware has recently appeared online. It features the most uninspired name to be used for a ransomware-type application to date. Regardless, you should remove this infection if your computer has been infected with it. It must be said, however, that this malware is set to encrypt your files and demand a ransom for the decryption key. We want to inform you that if you remove this ransomware, then you will not be able to decrypt your files. However, there is a decryption tool for Jigsaw Ransomware that just might work for Payransom Ransomware. Please read this description to learn more.

Like the ransomware that came before it, Payransom Ransomware is disseminated using email spam disguised as business-related correspondence and invoices that may appear legitimate. The ransomware is hidden in a file attachment that contains an executable disguised as a PDF file, which drops its payload onto your computer when you open it. If you do not have an anti-malware application, then this process cannot be stopped, and you will not notice the actions taking place in your system’s background. Once this ransomware has rooted itself in your system, it will start doing its dirty work.

Like its counterparts, it will spring into action immediately and scan your computer for files to encrypt. This ransomware can encrypt file formats that include, but are not limited to, .3dm, .3g2, .3gp, .mp4, .mpa, .mpeg, .docx, .dot, .dotm, .dotx, and so on. In short, it can encrypt almost all files that are bound to contain valuable information. However, it will not encrypt file formats that are used to make the Windows operating system work because the cyber crooks want you to use the same PC to pay the ransom. The cyber crooks may give you the decryption key once you have paid, but you should not count on them delivering on their promise because they are cyber criminals after all.

They ask you to pay a ransom of $150 USD that you have to pay in Bitcoins so that the authorities would not be able to trace the transaction. The amount they ask in Bitcoins is 0.4 BTC. However, if you fail to pay within 24 hours of the infection, then the ransom will increase twofold to $300 USD and after 48 hours to $450 USD. As if that was not enough, this ransomware will start deleting more and more files each hour. If you restart the PC, then the infection will delete files as well. So they use scare tactics to compel you to pay the ransom. However, the question is: are the files worth that kind of money? You can try paying the ransom, but there is no guarantee that you will get the decryption key. Payransom Ransomware uses the AES symmetric block cipher to encrypt your files. It is a strong encryption method that is next to impossible to crack without having the decryption key. However, malware researchers have managed to crack the encryption of Jigsaw Ransomware. Therefore, since this infection is very similar to Jigsaw, you might be able to decrypt your files after getting it online from However, this decryption tool is not guaranteed to work.

If the decryption is unsuccessful, then you might want to delete this ransomware so that it would not encrypt any new files. This ransomware is set to create a value in the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run that autostarts this ransomware on system boot-up. The key should contain a string named mogfh.exe or wrkms.exe (the name may be random). Furthermore, its payload is dropped in %APPDATA%. This folder should contain the executable mogfh.exe or wrkms.exe. Also, it drops files in %LOCALAPPDATA%\Suerdf or %LOCALAPPDATA%\Systmd that contain executables named suerdf.exe or systmd.exe respectively.

Payransom Ransomware is a dangerous infection that has been developed by cyber crooks to enter your computer silently and encrypt your personal files so that they could extort money from you. You can try paying the ransom, but you might not receive the promised decryption key. Therefore, we suggest using the decryption tool developed for Jigsaw Ransomware as Payransom Ransomware is similar to it. Also, you can remove this infection manually using our guide or with an antimalware program such as SpyHunter. In any case, you should invest in a program that would keep your computer secure from malware.

Terminate this ransomware’s processes

  1. Press Ctrl+Shift+Esc to open Task Manager.
  2. Select Processes.
  3. Locate mogfh.exe or wrkms.exe.
  4. Right-click on them and click End Process.
  5. Close Task Manager.

How to remove this ransomware manually

  1. Press Windows+E keys.
  2. Enter %LOCALAPPDATA% in the address box.
  3. Locate and delete suerdf.exe or systmd.exe (name may vary).
  4. Enter %APPDATA% in the address box.
  5. Locate and delete mogfh.exe or wrkms.exe (name may vary).
  6. Then, go to and delete %APPDATA%\System32Work.
  7. Close the window and press Windows+R keys.
  8. Enter regedit in the box and click OK.
  9. Once in the Registry Editor, locate HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  10. Right-click on mogfh.exe or wrkms.exe (may be a random name) and click Delete.
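
The checks from both lists above can be run in one pass before deleting anything. The following PowerShell script is an added example, not part of the original guide or of any removal tool; it only reads and reports. The file, folder and value names are the ones given in this article, and the extra match on executables sitting directly in %APPDATA% is an assumption added to cover the randomly named variant.

```powershell
# Added example: read-only audit for the artifacts this guide names.
# Names come from the article, which notes that they may vary.
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$exeNames = 'mogfh.exe', 'wrkms.exe', 'suerdf.exe', 'systmd.exe'
$paths    = @(
    (Join-Path $env:APPDATA      'mogfh.exe'),
    (Join-Path $env:APPDATA      'wrkms.exe'),
    (Join-Path $env:APPDATA      'System32Work'),
    (Join-Path $env:LOCALAPPDATA 'Suerdf'),
    (Join-Path $env:LOCALAPPDATA 'Systmd')
)
$findings = New-Object System.Collections.Generic.List[object]

# 1. Running processes (what the Task Manager steps look for).
$procNames = $exeNames | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
Get-Process -Name $procNames -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add([pscustomobject]@{ Type = 'Process'; Item = $_.Name; Detail = "PID $($_.Id)" })
}

# 2. Dropped files and folders.
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $findings.Add([pscustomobject]@{ Type = 'Path'; Item = $p; Detail = 'present' })
    }
}

# 3. Autostart values under the Run key.
$key = Get-Item -LiteralPath $runKey -ErrorAction SilentlyContinue
if ($key) {
    # Assumption (heuristic, not from the article): because the value name may be
    # random, also flag any value that launches an .exe directly from %APPDATA%.
    $rootExe = [regex]::Escape($env:APPDATA) + '\\[^\\]+\.exe'
    foreach ($name in $key.GetValueNames()) {
        $data  = [string]$key.GetValue($name)
        $known = @($exeNames | Where-Object { $name -like "*$_*" -or $data -like "*$_*" })
        if ($known.Count -gt 0) {
            $findings.Add([pscustomobject]@{ Type = 'RunValue'; Item = $name; Detail = $data })
        } elseif ($data -match $rootExe) {
            $findings.Add([pscustomobject]@{ Type = 'RunValue?'; Item = $name; Detail = $data })
        }
    }
}

if ($findings.Count -eq 0) {
    'No listed Payransom artifacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Rows marked RunValue? come from the heuristic only and need a manual look, since legitimate software occasionally starts from %APPDATA% as well.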