
PayDOS Ransomware

By GoldSparrow in Ransomware

The PayDOS Ransomware carries out an attack that is built on much older threat-distribution techniques. The PayDOS Ransomware and Serpent, both threats released recently, use very old methods to carry out their attacks. One of the main aspects of the PayDOS Ransomware that drew the attention of PC security analysts is its use of batch files to carry out its attack. This makes the PayDOS Ransomware one of the oddest ransomware variants active currently. The PayDOS Ransomware runs within the Windows Command Prompt, carrying out its ransomware attack on the victim's computer.

The PayDOS Ransomware Has a Variant Named Serpent

There are two variants of this batch file ransomware attack that are under development currently. The PayDOS Ransomware is the first, with the second receiving the name 'serpent.' Both carry out the same basic attack, demanding a ransom payment from the victim. However, the PayDOS Ransomware is considerably weaker than established ransomware Trojans. Rather than encrypting the victim's files before demanding the payment of the ransom, the PayDOS Ransomware simply renames the files while keeping their data intact.

How the PayDOS Ransomware Works

The PayDOS Ransomware uses a batch file that is converted into an executable on the victim's computer. When the executable file runs, it extracts the batch file into the victim's %Temp% directory and then executes it. This batch file is designed to scan particular folders on the victim's computer in search of files with specific file extensions. The PayDOS Ransomware renames the files so that one letter in the file extension is changed. The files are not encrypted; the file extensions are simply altered, which causes Windows to fail to open the files with their usual application. For example, a file with a '.pdf' extension may be renamed so that its extension becomes '.ddf'. The PayDOS Ransomware then displays its ransom note, asking for a password to 'decrypt the files.' The password is hard-coded into the PayDOS Ransomware attack. Entering the password, AES1014DW256, renames all the files back to their original extensions, undoing the effects of the PayDOS Ransomware attack. Victims of the PayDOS Ransomware attack can also simply rename the files manually, and they will open as normal once again.
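Because the file contents are untouched and only one letter of the extension is changed, recovery does not depend on the attacker's password at all: the true file type can be read from each file's leading bytes and the extension restored from that. The following Python script is an added example written for this article, not code from the PayDOS sample or from any recovery tool; the sample files it creates, the '.ddf' extension and the temporary directory are constructed for the demonstration, and the magic-byte table covers only a few common formats (a real recovery run would extend it).

```python
"""
Added recovery example (not from the original article): PayDOS leaves file
contents intact and only alters one letter of the extension, so the true
type can be recovered from each file's leading bytes.
"""
import os
import tempfile

# Well-known leading bytes for a few common formats (general knowledge,
# not taken from the PayDOS sample).
MAGIC = [
    (b"%PDF", ".pdf"),
    (b"\x89PNG\r\n\x1a\n", ".png"),
    (b"\xff\xd8\xff", ".jpg"),
    (b"PK\x03\x04", ".zip"),
]


def sniff_extension(path):
    """Return the extension implied by the file's header, or None if unknown."""
    with open(path, "rb") as f:
        head = f.read(16)
    for signature, ext in MAGIC:
        if head.startswith(signature):
            return ext
    return None


def restore_extensions(root, dry_run=False):
    """Walk `root` and rename files whose on-disk extension differs from
    the sniffed one by exactly one letter (the PayDOS pattern).
    Returns a list of (old_path, new_path); with dry_run=True nothing is
    renamed, which makes the function usable as a detection sweep."""
    changes = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            true_ext = sniff_extension(path)
            if true_ext is None or ext.lower() == true_ext:
                continue  # unknown type, or extension already correct
            # Only act when the damage matches PayDOS behaviour: same-length
            # extension with a single differing letter. Anything else is left
            # for a human to look at.
            same_len = len(ext) == len(true_ext)
            diffs = sum(a != b for a, b in zip(ext.lower(), true_ext))
            if not (same_len and diffs == 1):
                continue
            new_path = os.path.join(dirpath, stem + true_ext)
            if os.path.exists(new_path):
                continue  # never overwrite an existing file
            if not dry_run:
                os.rename(path, new_path)
            changes.append((path, new_path))
    return changes


def demo():
    """Build a constructed sample tree, run the recovery and return the
    resulting file names plus the list of renames performed."""
    root = tempfile.mkdtemp()
    # constructed sample: a minimal PDF renamed by the one-letter trick
    with open(os.path.join(root, "report.ddf"), "wb") as f:
        f.write(b"%PDF-1.4\n%constructed sample\n")
    # an untouched PNG header, which must be left alone
    with open(os.path.join(root, "logo.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n")
    # a file of a type the table does not know, also left alone
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"plain text, constructed sample")
    changes = restore_extensions(root)
    return sorted(os.listdir(root)), changes


if __name__ == "__main__":
    names, changes = demo()
    for old, new in changes:
        print(f"restored {old} -> {new}")
    print(names)
```

Running it first with `dry_run=True` over the affected folders gives an inventory of damaged files without touching anything, which is the safer order of operations on a real machine: confirm that only the one-letter pattern is present, then rename.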

Some Details About the PayDOS Ransomware Attack

It is clear that the PayDOS Ransomware is still under development, since it does not provide a method for contacting the con artists or paying the ransom. The next version of the PayDOS Ransomware that was detected, named the Serpent Ransomware, does start to include a payment method, though the email address it gives is a non-functioning one that is clearly a placeholder while the PayDOS Ransomware and its variant continue to be developed. In the Serpent variant of the PayDOS Ransomware, the hard-coded password is RSA1014DJW2048.

Should Computer Users be on the Lookout for the PayDOS Ransomware Attacks?

Every day, new ransomware variants are released, although many are clearly incomplete. Many of these variants are never completed or distributed. It is very unlikely that a batch-file-based encryption ransomware Trojan capable of compromising the victims' files will be released. Batch files simply do not have the functionality necessary to carry out the more powerful attacks used by established encryption ransomware. The use of batch files hearkens back to times past, as this was a method used in the earliest forms of threats.

Protecting Your Computer from the PayDOS Ransomware

The PayDOS Ransomware is little more than a nuisance, and it is simple to recover from the attack. However, computer users can intercept it with the use of a reliable security program that is fully up-to-date. Since the most common method for distributing the PayDOS Ransomware would be through corrupted spam emails or embedded links, computer users also can prevent PayDOS Ransomware infections by learning to handle emails and email attachments with caution.
