PadCrypt Ransomware

PadCrypt Ransomware Description

The PadCrypt Ransomware is a ransomware Trojan that has a new 'feature': the PadCrypt Ransomware allows its victims to receive live 'support' via a chat window. Ransomware infections have become gradually more sophisticated over the years. Considering the large amounts of money that are generated from infections like the PadCrypt Ransomware, it is not surprising that con artists are starting to include more advanced features into their threats that allow them to increase the potential revenue from ransom payments. The PadCrypt Ransomware and its various variants not only provide a live support chat window; they also include an uninstaller feature!

The PadCrypt Ransomware may be a Descendant of the CryptoWall Family

PC security analysts believe that the PadCrypt Ransomware was created by building on the code of an older threat from the well known CryptoWall family of ransomware Trojans. The PadCrypt Ransomware may spread through corrupted email attachments posing as PDF documents, although it is still unclear exactly which email message lures have been associated with it. The email messages associated with the PadCrypt Ransomware may carry a zipped executable whose name and icon are chosen to make it look like a PDF file. Once the disguised 'PDF' is opened, the PadCrypt Ransomware infects the victim's computer, encrypting files on the hard drive, deleting the Shadow Volume copies of the encrypted files, and blocking System Restore and the other built-in recovery options from functioning. Once the PadCrypt Ransomware has completed its attack, the victim can only restore the files from a backup stored in an external location that the infection could not reach, or pay the ransom that the PadCrypt Ransomware demands.
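The delivery described above, an executable zipped and named to pass for a PDF, is something a mail gateway can check for before the attachment reaches a mailbox. The following is an added example and not code from this page or from any vendor: it opens a ZIP attachment in memory and flags entries that end in an executable extension behind a document extension, or that carry the PE ('MZ') magic bytes behind a non-executable name. The attachment, its entry names and their contents are constructed here for the demonstration and are not PadCrypt samples.

```python
import io
import os
import zipfile

# Extensions Windows will execute directly; a ".pdf.exe" name ends in one of these.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def build_sample_attachment():
    """Constructed ZIP attachment (not a real sample) with three entries:
    a double-extension executable, a genuine PDF, and a PE file with a .pdf name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2016.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)  # disguised executable
        zf.writestr("Invoice_2016.pdf", b"%PDF-1.4\n%%EOF\n")             # real PDF header
        zf.writestr("Scan.pdf", b"MZ\x90\x00" + b"\x00" * 60)              # PE bytes, PDF name
    return buf.getvalue()


def build_clean_attachment():
    """Constructed ZIP attachment holding only a genuine PDF, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()


def inspect_attachment(zip_bytes):
    """Return a list of (entry name, reasons) for entries that look like
    executables dressed up as documents. Nested archives are not unpacked."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            stem, ext = os.path.splitext(info.filename.lower())
            inner_ext = os.path.splitext(stem)[1]      # the ".pdf" in "invoice.pdf.exe"
            with zf.open(info) as fh:
                head = fh.read(2)                       # only the magic bytes are needed
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension %s" % ext)
                if inner_ext and inner_ext not in EXECUTABLE_EXTENSIONS:
                    reasons.append("document extension %s hides it" % inner_ext)
            elif head == b"MZ":
                # A PE file renamed outright; the extension alone would not catch it.
                reasons.append("PE header behind extension %s" % (ext or "<none>"))
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def attachment_is_suspicious(zip_bytes):
    return bool(inspect_attachment(zip_bytes))
```

The double-extension check matters because Windows Explorer hides known file extensions by default, so 'Invoice_2016.pdf.exe' is displayed to the victim as 'Invoice_2016.pdf'. Reading the magic bytes catches the second case, a PE file renamed to '.pdf' outright, which no extension rule would flag.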

The PadCrypt Ransomware Allows Victims to Chat with Its Operators

The PadCrypt Ransomware demands the ransom by dropping image, text, and HTML files into every directory where it has encrypted files. The PadCrypt Ransomware also displays pop-up windows containing the ransom message, which requests a payment of 0.8 Bitcoin (about $350 at the time of writing; the dollar value fluctuates substantially with the exchange rate). The PadCrypt Ransomware pop-up window has caught the attention of PC security researchers because it includes a link marked 'Live Chat.' When computer users click on this link, a live support chat window opens that allows victims to contact the operators of the PadCrypt Ransomware. However, since the PadCrypt Ransomware Command and Control server was not operational at the time of analysis, this feature did not work in practice.

The PadCrypt Ransomware's Bizarre Features

Some versions of the PadCrypt Ransomware's predecessor, CryptoWall, also included live support. However, CryptoWall's support was offered on the website where its ransom was paid. In the case of the PadCrypt Ransomware, the chat runs directly from the victim's computer, without requiring the victim to install Tor or even open a Web browser. Another bizarre feature associated with the PadCrypt Ransomware is that it includes an uninstaller. This uninstaller, a file named Unistl.exe, does nothing to decrypt the affected data; it only removes the PadCrypt Ransomware infection itself. Although it seems counter-intuitive to ship an uninstaller with a threat, ransomware like the PadCrypt Ransomware has already done its damage once the victim's files are encrypted and does not need to stay installed. The most probable explanation for the PadCrypt Ransomware's uninstaller and live chat feature is that the con artists built the PadCrypt Ransomware from templates and recycled code, which may have produced these features automatically.

Counteracting the PadCrypt Ransomware

Malware researchers advise against paying the PadCrypt Ransomware's ransom. There is no guarantee that the con artists will deliver the decryption key, and paying the ransom only funds the production of further ransomware. Instead, it is important to establish a habit of backing up all important data regularly to a location the infection cannot reach, such as a drive or service that is not left connected to the computer. A backup on a permanently mapped drive or network share can be encrypted along with everything else. Once regular, disconnected backups become routine, ransomware like the PadCrypt Ransomware is reduced to an annoyance rather than a loss of data.

Technical Information

File System Details

PadCrypt Ransomware creates the following file(s). Files 2 to 6 are listed under the 64-character hexadecimal name of the sample as it was submitted, which is the usual convention for naming a sample by its SHA-256 digest.

#  File Name                                                              Size (bytes)  MD5                               Detection Count
1  %APPDATA%\PadCrypt\package.exe                                         1,406,976     17822a81505e56b8b695b537a42a7583  1
2  3c9fbf881eb73ed3194c65e046857349ccdf2297e8b6770ecc4ab16825a695de.exe  784,896       7ed0c7cd88bf661ecef8abec2ff310aa  0
3  638c5b7c25adc51eed147d44bf834c2965b54c1c09e9d21efb77bfd2e8870c3c.exe  27,649        267757370ff7542c4900dc3f6069f7f6  0
4  6f3178ad996db2c9c16a58e695b2273e953ac0b96d0cc8caa23d06b01a8e35a5.exe  789,504       681e7ad03c4f41d110d32d175cc14bab  0
5  730e78721dcb792f9343d6b632a22b6874e5945b204fbc4b04d75e544ed2bdf0.exe  797,696       9dbeff5ac47058fb8fe61c3948cc26ca  0
6  b4f886df55015695eaafe3da712b431b75493623c53200f642ced5d7f89f2fdd.exe  784,896       84aa7c891cd5ae136117317f451819c0  0
7  file.exe                                                               492,032       841453bdff5905f17c0074a65b263893  0

Registry Details

The only artifact listed under this heading is the directory the PadCrypt Ransomware creates in the user's profile, not a registry key:
Directory
%APPDATA%\PadCrypt
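A sweep of a suspect host for the indicators in the File System Details table above (the MD5 hashes) and for the dropped %APPDATA%\PadCrypt directory can be scripted. The following is an added example and not code from this page or from any vendor. The hash set is copied from the table; the demo() fixture builds a throwaway profile directory with a placeholder file standing in for package.exe and adds that placeholder's own hash to the indicator set, so the run is reproducible offline without a real sample.

```python
import hashlib
import os
import tempfile

# MD5 hashes from the File System Details table above.
PADCRYPT_MD5 = {
    "17822a81505e56b8b695b537a42a7583",  # %APPDATA%\PadCrypt\package.exe
    "7ed0c7cd88bf661ecef8abec2ff310aa",
    "267757370ff7542c4900dc3f6069f7f6",
    "681e7ad03c4f41d110d32d175cc14bab",
    "9dbeff5ac47058fb8fe61c3948cc26ca",
    "84aa7c891cd5ae136117317f451819c0",
    "841453bdff5905f17c0074a65b263893",
}

# Name of the directory the ransomware drops under %APPDATA%.
DROPPED_DIR_NAME = "padcrypt"


def md5_of_file(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large files do not land in memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, ioc_hashes=PADCRYPT_MD5, max_size=4_000_000):
    """Walk root and return (hash matches, dropped-directory hits).
    Files above max_size are skipped: every sample in the table is under 1.5 MB."""
    matches = []
    dropped_dirs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() == DROPPED_DIR_NAME:
            dropped_dirs.append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable or vanished file; keep sweeping
            if digest in ioc_hashes:
                matches.append((path, digest))
    return matches, dropped_dirs


def demo():
    """Constructed fixture: a fake profile containing a PadCrypt directory with a
    placeholder package.exe (not the real sample) and one benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        padcrypt_dir = os.path.join(tmp, "AppData", "Roaming", "PadCrypt")
        os.makedirs(padcrypt_dir)
        sample = os.path.join(padcrypt_dir, "package.exe")
        with open(sample, "wb") as f:
            f.write(b"MZ" + b"\x00" * 100)
        with open(os.path.join(tmp, "notes.txt"), "wb") as f:
            f.write(b"benign content")
        # The placeholder's hash is added so the match path is exercised offline.
        iocs = PADCRYPT_MD5 | {md5_of_file(sample)}
        matches, dirs = sweep(tmp, iocs)
        return {
            "matched_files": [os.path.basename(p) for p, _ in matches],
            "padcrypt_dirs": len(dirs),
        }


if __name__ == "__main__":
    print(demo())
```

On a real host, call sweep() on the user profile root instead of demo(). A hash match identifies only the exact builds in the table; a repacked variant changes the MD5, so the dropped directory and the ransom-note files placed beside encrypted data are the more durable indicators, and the Detection Count column shows how few of the listed builds had been seen in the wild.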

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.
