BTCWare-PayDay Ransomware Removal Guide

Do you know what BTCWare-PayDay Ransomware is?

When you learn that BTCWare-PayDay Ransomware has attacked your computer, that is the moment when you may lose all your important files in one go. This malicious program is the kind of "uninvited guest" that you will probably never forget. Our researchers assume that this ransomware infection might be a new variant of the infamous BTCWare Ransomware that emerged about half a year ago. Your attackers do offer you a way out of this nightmarish situation in the form of a ransom fee; however, why or how could you trust such crooks with your money? Besides, you would simply support cybercrime by transferring any amount of money to these cyber criminals. Also, please note that contacting such criminals may end badly for you since they may send further infections to extort more money from you. One of the easiest ways to avoid the nightmare of losing your important files is to keep a regular backup on a portable drive or in cloud storage. But before you rush to copy your clean files back after this attack, we recommend that you first remove BTCWare-PayDay Ransomware from your computer.

When this horror hits you, it is important to know that beforehand you may have opened a spam e-mail and viewed the attached file. This is how most victims probably get infected with this dangerous ransomware program. This spam can appear to be very convincing and important, so it is no wonder that so many people fall prey to it. In fact, even if you consider yourself an experienced computer user, you might believe that this is something you need to open and check out. This is due to its choice of subject and sometimes the sender itself. For example, this spam may pretend to come from the local authorities, claiming that you are overdue with a fine of some sort (parking or speeding). Most likely you would like to see proof of this, and that is how you may open this mail and click to view the attached file that is supposed to be a photo or text document of your fine or an invoice that you allegedly have not settled yet. The worst part is not opening this mail but saving and viewing the attached file. This attachment is in fact a malicious executable file in disguise, so when you run it on your computer, you actually infect it with this dangerous threat. This is why it is not possible to delete BTCWare-PayDay Ransomware without the severe consequence of possibly losing your files.

Another way for your computer to get infected with this ransomware might be via Exploit Kits. You may get redirected to a malicious website quite easily because all you need to do is click on a shady third-party ad or a corrupted link on a suspicious website. Such a website is usually associated with file sharing, online betting, and gaming. But you can also be introduced to unsafe third-party content if your PC is infected with adware programs or browser hijackers. You should know that when you land on a page operated by cyber criminals using Exploit Kits, you do not even need to engage with any content for such a ransomware infection to be dropped, since it happens the moment this page loads. In order to avoid such malicious attacks, you need to keep all your browsers and Java and Flash drivers updated. And, of course, you should also stay away from suspicious websites and avoid clicking on third-party ads so that you do not end up having to remove BTCWare-PayDay Ransomware or any other threat.

Unfortunately, once this beast gets loose on your system, it encrypts all your photos, audio files, videos, documents, archives, and databases as well. This means that you could lose all your important files in one go, in a matter of minutes. This malware infection does not give you time to react; you cannot stop it even if you were to notice that something is off. The affected files will have a characteristic new extension: ".[]-id-140.payday"; however, we have also found that the e-mail used by these crooks can be different, just like the ID. If you find other extensions like ".[]-id-0.payday" or ".[]-id-0.payday," you should know that these are actually the same infection. This ransomware should drop a ransom note text file named "!! RETURN FILES !!.txt" that contains a very short message simply telling you to contact these criminals via e-mail if you want your files back. We have found that this file may not even be dropped in the case of certain variants. The main ransom note file is called "payday.hta" and it is created in your "%APPDATA%\" folder.

This ransom note tells you that your files have been taken hostage and you have to pay a fee in Bitcoins to get the decryption tool, which is supposedly the only tool that can decrypt your files successfully. You can find information about how to buy Bitcoins on this ransom note page as well as warnings not to change encrypted file names and not to decrypt your files using third-party tools. As proof, you can send these crooks 3 files to be decrypted for free, but these have to be unimportant and very small files. For further details, you have to send an e-mail to "" or to whatever address your sample may contain. We do not think that it is a good idea to deal with cyber criminals, let alone send them money. Since there is no guarantee that you will get the decryption tool, we suggest that you delete BTCWare-PayDay Ransomware immediately.

If you are ready to act, you can use our instructions below this article to eliminate this ugly threat. If you do not think you can do this on your own, you may want to consider the use of a reliable malware removal program, such as SpyHunter. Such a security program can protect your PC from all kinds of potential threats and malware infections automatically. Having such safety could be a new beginning for you in your virtual world. But remember to keep all your programs up-to-date even when safeguarded by a security tool.

Remove BTCWare-PayDay Ransomware from Windows

  1. Tap Win+E.
  2. Locate and Delete "%APPDATA%\payday.hta" and "!! RETURN FILES !!.txt" (any instances you can find).
  3. Empty your Recycle Bin.
  4. Tap Win+R and enter regedit. Hit Enter.
  5. Delete the following registry value names:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | payday | "C:\Users\user\AppData\Roaming\payday.hta"
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | baby | "C:\Users\user\AppData\Roaming\payday.hta"
  6. Exit your editor and restart your PC.
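
The same checks as the manual steps above, written as a PowerShell script. This is an added example, not part of the original guide; the parameter names `SearchRoot` and `Remove` are hypothetical, and it assumes Windows PowerShell 3.0 or later run as the affected user.

```powershell
# Added example: audit the artifacts named in the steps above; delete only with -Remove.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$SearchRoot = @($env:USERPROFILE),  # assumption: where to look for notes and encrypted files
    [switch]$Remove
)

$runKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runNames = 'payday', 'baby'                       # value names from step 5
$htaPath  = Join-Path $env:APPDATA 'payday.hta'    # main ransom note (step 2)
$noteName = '!! RETURN FILES !!.txt'               # short text note (step 2)

# Ransom notes: the fixed .hta path plus every copy of the text note under the search roots.
$notes = @()
if (Test-Path -LiteralPath $htaPath) { $notes += Get-Item -LiteralPath $htaPath -Force }
$notes += @(Get-ChildItem -LiteralPath $SearchRoot -Recurse -Force -File -Filter $noteName -ErrorAction SilentlyContinue)

# Run values: match on name AND on data pointing at payday.hta, so an unrelated
# value that happens to share a name is not touched.
$props    = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
$autoruns = @(foreach ($name in $runNames) {
    $data = $props.$name
    if ($data -like '*payday.hta*') { [pscustomobject]@{ Name = $name; Data = $data } }
})

# Encrypted files: ".[<e-mail>]-id-<number>.payday" suffix; reported only, never deleted.
$encrypted = @(Get-ChildItem -LiteralPath $SearchRoot -Recurse -Force -File -Filter '*.payday' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\.\[[^\]]*\]-id-\d+\.payday$' })

foreach ($n in $notes)    { "NOTE      $($n.FullName)" }
foreach ($a in $autoruns) { "AUTORUN   $($a.Name) = $($a.Data)" }
"ENCRYPTED $($encrypted.Count) file(s) carrying the .payday suffix (left in place)"

if ($Remove) {
    foreach ($n in $notes) {
        if ($PSCmdlet.ShouldProcess($n.FullName, 'Delete ransom note')) {
            Remove-Item -LiteralPath $n.FullName -Force
        }
    }
    foreach ($a in $autoruns) {
        if ($PSCmdlet.ShouldProcess("$runKey\$($a.Name)", 'Delete Run value')) {
            Remove-ItemProperty -LiteralPath $runKey -Name $a.Name
        }
    }
}
```

Run it without switches first to get the report; `-Remove -WhatIf` previews the deletions. Encrypted files are only counted, so they stay available in case a decryption option or a backup comparison is needed later.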

In non-techie terms:

BTCWare-PayDay Ransomware is the name of a new dangerous threat that can cause a bit of a shock when it appears on your system because it can encrypt all your important files and render them useless unless you are willing to pay the demanded ransom fee. Unfortunately, there is never any guarantee that you will really receive the promised decryption tool. You are more likely to get further infections from such crooks than anything else. The most likely way to end up with this severe threat on your computer is to open a spam e-mail and view its attachment, although this may not be the only way to get infected. It is highly recommended that you keep all your browsers and drivers up-to-date to avoid malicious attacks via Exploit Kits, which can also drop such an infection without your knowledge. Hopefully, you have a backup of your files, which you can use to restore your files after you remove BTCWare-PayDay Ransomware from your PC. If you want to improve your system protection, it may be time for you to invest in a professional anti-malware application.