PadCrypt is a new ransomware based on the old version of CryptoWall malware. What differs PadCrypt from others representatives of its genre is built-in feature – live chat “support”, which allows the victim to contact the attackers and also the unistl.exe, which, as the name implies, is an uninstaller.
Experts believe that the main distribution channel of PadCrypt – malicious files .pdf that cyber criminals send out in spam emails. Once the victim opens the file, PadCrypt comes into play and encrypts all user files and deletes backups, so the victim will be not able to restore the data by using HDD Recovery Program. Ransomware leave text and HTML messages with demands in all affected directories and displays a pop-up window. Cyber criminals require a ransom in amount of 0,8 BTC (about $320 at current exchange rate).
The difference between PadCrypt and other ransomware is that the pop-up window that provides user with the instructions and ransom details contains a reference to a “Live Chat”. Clicking this link will actually lead to the opening of the window with chat “support”, which, obviously, should allow victims to talk directly with cyber criminals. Yet we couldn’t see how it exactly works, because the command server of the cyber criminals is not yet operational.
We have already met versions of CryptoWall with similar “live support”, but then the chat was based on websites that victims should have been visiting to transfer the ransom. PadCrypt offers a built-in chat running on the victim’s machine. It doesn’t require launching a browser or installing TOR. Another oddity found in PadCrypt – unistl.exe, which is distributed together with ransomware and it is clearly an uninstaller. In fact, the removal of the program even works. Of course it will not decrypt the files before removing the malware. However, unistl.exe will completely remove PadCrypt ransomware from the system. We believe that the developers of PadCrypt ransomware used to created it a ready-made template, and the uninstaller has been generated automatically. Currently there is no weakness found in the PadCrypt encryption algorithm and there are not utilities to decrypt data yet.
To restore your personal files, you have two options. First of all, you can always restore your data from a backup, which should be done only after complete removal of PadCrypt ransomware and other malware. The second option is to use native Windows utility called System Restore. Note that you have to make sure that there is no malware on your computer before trying to restore your data, otherwise it will be encrypted once again. Therefore, follow our comprehensive malware removal guide written below or simply use our automatic removal tool. It will scan your computer for threats and clean them all quickly and easily. With user-friendly interface, you don’t need to have some advanced computer knowledge to use this tool.
Symptoms of PadCrypt infection on your computer can be: computer crashes, unusual homepage or search engine on your browser, unwanted pop-up ads and advertising banners. We recommend to download our automatic removal tool. This removal tool has been tested for PadCrypt threat removal and it is easy to use.
Thank you so much! PadCrypt was basically breaking my browser that I use for 90% of my work. You are a lifesaver! – Barbara Adler
YES! Finally made it! I’ve managed to delete the PadCrypt from Mozilla’s add-ons and everything is back to normal now. Thank you for guiding me – Sabine Koch
Thank you again, this is the second time that PadCrypt has sneaked into my system – John Yakob
I never thought that removing PadCrypt would be that easy – Judith Folsom