PadCrypt Ransomware Removal Guide

Do you know what PadCrypt Ransomware is?

Our security analysts have recently tested PadCrypt Ransomware and were surprised by its built-in functions. Nevertheless, this is nothing for the average user to get excited about. We recommend that you remove this malware because it is set to encrypt your personal files and force you to pay a ransom for the decryption key that only its developers can provide. Free tools will not bring the files back: the infection uses the AES encryption algorithm, which cannot be broken by brute force in practice, so the key has to come from the attackers. Therefore, in this short description, we will tell you how this infection is distributed so that you can avoid it, how it works, how to get rid of it, and how to protect your computer against similar infections.

There is a consensus among many malware researchers that PadCrypt was distributed using email spam, and we agree with that statement. The email contains a link to a zip archive that holds what appears to be a PDF file. It is not: the file is an executable that was configured to download PadCrypt Ransomware from one of the developers’ command-and-control servers at cloudnet.online, annaflowersweb.com, and subzone3.2fh.co. The good news is that these servers are currently down, so this ransomware is not being distributed at the moment. Nevertheless, those servers could come back online any day and start wreaking havoc. Our advice is not to open suspicious emails, especially those that land in the spam folder, and not to open the archives they link to. Another thing you should consider is an antimalware tool that can stop ransomware dead in its tracks.
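The lure described above relies on the victim trusting a file name. The following PowerShell script is an added example, not code from the original guide or from the malware's authors: it reads the first bytes of a file and reports whether it is a real PDF (header "%PDF") or a Windows executable (header "MZ") that merely carries ".pdf" in its name. The two sample files it inspects are constructed in the temp folder and contain only a header, not real malware.

```powershell
# Added example (not code from the original guide): decide whether a "PDF"
# pulled from a mail-linked zip is a real PDF or a Windows executable in
# disguise, by reading its first bytes rather than trusting the name.
# Assumptions: Windows PowerShell 5.1 or later; the two sample files are
# constructed below and contain only a header, no real malware.

function Get-FileKind {
    param([Parameter(Mandatory)][string]$Path)

    # Four bytes are enough: PDFs start with "%PDF", PE executables with "MZ".
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $head = New-Object byte[] 4
        $read = $fs.Read($head, 0, 4)
    } finally {
        $fs.Dispose()
    }

    if ($read -ge 4 -and [System.Text.Encoding]::ASCII.GetString($head, 0, 4) -eq '%PDF') {
        return 'pdf'
    }
    if ($read -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) {
        return 'pe-executable'
    }
    return 'unknown'
}

function Test-PdfDisguise {
    param([Parameter(Mandatory)][string]$Path)

    $name = [System.IO.Path]::GetFileName($Path)
    $kind = Get-FileKind -Path $Path

    # ".pdf" anywhere in the name (invoice.pdf, invoice.pdf.exe) combined with
    # a PE header is exactly the lure described above. -match ignores case.
    $claimsPdf = $name -match '\.pdf(\.|$)'

    [pscustomobject]@{
        File       = $name
        Kind       = $kind
        Suspicious = ($claimsPdf -and $kind -eq 'pe-executable')
    }
}

# Constructed samples in the temp folder: a file with a genuine PDF header
# and a file with a PE header hidden behind a double extension.
$dir = Join-Path $env:TEMP 'pdf-disguise-demo'
New-Item -ItemType Directory -Force -Path $dir | Out-Null

[System.IO.File]::WriteAllBytes((Join-Path $dir 'report.pdf'),
    [System.Text.Encoding]::ASCII.GetBytes('%PDF-1.4 constructed sample'))
[System.IO.File]::WriteAllBytes((Join-Path $dir 'invoice.pdf.exe'),
    [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00))

Get-ChildItem -Path $dir -File |
    ForEach-Object { Test-PdfDisguise -Path $_.FullName } |
    Format-Table -AutoSize
```

Windows Explorer hides known extensions by default, so a file named invoice.pdf.exe is displayed as invoice.pdf; turning off "Hide extensions for known file types" in Folder Options (the HideFileExt value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced) makes the double extension visible. The check only tells you that a file is an executable, not what it does, so a flagged file should go to your antimalware vendor rather than be opened.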

If nothing prevents this infection from entering your computer, the fake PDF file downloads two files to the %APPDATA%\PadCrypt directory: PadCrypt.exe and uninstl.exe. After the encryption process is complete, the ransomware creates a file called data.txt. At some point it also creates files titled IMPORTANT READ ME.txt, decrypted_files.dat, and File Decrypt Help.html. As you might have guessed, uninstl.exe is an actual uninstaller that deletes all of the aforementioned files, but that does not mean it will decrypt your files.

PadCrypt is an unusual infection because it has a feature that has not been seen since CryptoWall: a “support” function that lets victims chat in real time with the cyber criminals who infected their computer. Many users struggle to pay the ransom because the criminals demand Bitcoins, and that appears to be the reasoning behind the “support” function. This ransomware’s greedy developers want you to pay 0.8 BTC (approximately €285 or $320), or the equivalent via a Paysafecard or Ukash voucher. However, given that these developers are criminals, we have reason to believe that they will not give you the decryption key.

You may feel obliged to pay the ransom if this ransomware has encrypted files of huge importance. Note that this malware has been programmed to encrypt files in specific locations first: C:\Users\{Login name}\Downloads, C:\Users\{Login name}\Documents, C:\Users\{Login name}\Pictures, and C:\Users\{Login name}. After encrypting files in those folders, it moves on to files everywhere else except ProgramData, PerfLogs, Config.Msi, and $Recycle.Bin. After the encryption is complete, PadCrypt Ransomware enumerates all of the files and removes the Volume Shadow Copies (command: vssadmin delete shadows /for=z: /all /quiet) so that you cannot recover the encrypted files through Windows’ Previous Versions feature without purchasing the decryption key.

Nevertheless, we urge you not to pay the ransom because you will not receive the decryption key, especially now that the command-and-control servers are offline. We do, however, recommend that you remove PadCrypt Ransomware, either manually using our guide or automatically using an antimalware application. Doing it manually requires some skill: you will not only have to start your PC in Safe Mode with Networking and delete this ransomware’s files from their location, but also erase certain registry values.

Boot up Windows in Safe Mode with Networking

Windows XP

  1. Open the Start menu, click Turn Off Computer, and then click Restart.
  2. Press and hold the F8 key while the computer restarts.
  3. On the Windows Advanced Options Menu, highlight Safe Mode with Networking using the arrow keys.
  4. Press Enter.
  5. Log on to your computer.

Windows 7 & Vista

  1. Open the Start menu and click Restart.
  2. Press and hold the F8 key as your computer restarts.
  3. On the Advanced Boot Options screen, highlight Safe Mode with Networking using the arrow keys.
  4. Press Enter.
  5. Log on to your computer with administrator rights.

Windows 8 & 8.1

  1. Press Windows+C keys, and then click Settings.
  2. Click Power, hold down Shift on your keyboard and click Restart.
  3. Click Troubleshoot, click Advanced options, and select Startup Settings.
  4. Click Restart and press 5 on your keyboard to Enable Safe Mode with Networking.

Windows 10

  1. Click Start button, and then the Power button.
  2. Hold down the Shift key and click Restart.
  3. Select Troubleshoot.
  4. Then, go to Advanced options and select Startup Settings.
  5. Click Restart.
  6. The PC will reboot, and bring you to a Startup Settings screen.
  7. Use the arrow keys on your keyboard to select Enable Safe Mode with Networking.

Delete this ransomware's files

  1. Simultaneously press the Windows+E keys.
  2. Enter %APPDATA%\ in the address bar.
  3. Locate and Delete the folder named PadCrypt.

Fix the modifications made to the Windows Registry

  1. Simultaneously press the Windows+R.
  2. Enter regedit in the resulting window.
  3. Locate and delete the following values.
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "PadCrypt" = "%AppData%\PadCrypt\PadCrypt.exe"
    • HKEY_CURRENT_USER\Control Panel\Desktop "Wallpaper" = "%AppData%\PadCrypt\Wallpaper.bmp"
  4. Change the Value data of the following values.
    • HKEY_CURRENT_USER\Control Panel\Desktop "WallpaperStyle" = 1
    • HKEY_CURRENT_USER\Control Panel\Desktop "TileWallpaper" = 0
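The file and registry steps above, carried out as one PowerShell script. This is an added example, not code from the original guide: it lists what it finds, removes the Run value, the wallpaper values and the %APPDATA%\PadCrypt folder, and finally checks whether any Volume Shadow Copies survived the vssadmin call the malware runs. It assumes an elevated PowerShell prompt in Safe Mode with Networking, uses only the paths and value names listed in this guide, and offers a -DryRun switch that prints each action without performing it.

```powershell
# Added example (not code from the original guide): the manual removal steps
# above in one script, with a dry run so every action is shown before
# anything is changed. Assumptions: run from an elevated PowerShell prompt in
# Safe Mode with Networking; paths and value names are the ones this guide
# lists; the wallpaper change takes effect at the next logon.

param([switch]$DryRun)

$padDir  = Join-Path $env:APPDATA 'PadCrypt'
$runKey  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$deskKey = 'HKCU:\Control Panel\Desktop'

# 1. Make sure neither dropped executable is running and holding its files open.
Get-Process -Name 'PadCrypt', 'uninstl' -ErrorAction SilentlyContinue |
    Stop-Process -Force -WhatIf:$DryRun

# 2. Persistence: the Run value that relaunches PadCrypt.exe at logon.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['PadCrypt']) {
    Write-Host "Run value found: $($run.PadCrypt)"
    Remove-ItemProperty -Path $runKey -Name 'PadCrypt' -WhatIf:$DryRun
}

# 3. Wallpaper: drop the ransom image and restore the style values.
$desk = Get-ItemProperty -Path $deskKey
if ($desk.Wallpaper -like '*\PadCrypt\*') {
    Write-Host "Wallpaper points at: $($desk.Wallpaper)"
    Remove-ItemProperty -Path $deskKey -Name 'Wallpaper' -WhatIf:$DryRun
    Set-ItemProperty -Path $deskKey -Name 'WallpaperStyle' -Value '1' -WhatIf:$DryRun
    Set-ItemProperty -Path $deskKey -Name 'TileWallpaper'  -Value '0' -WhatIf:$DryRun
}

# 4. Dropped files and ransom notes: list them first, then remove the folder.
if (Test-Path -Path $padDir) {
    Get-ChildItem -Path $padDir -Force |
        Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
    Remove-Item -Path $padDir -Recurse -Force -WhatIf:$DryRun
}

# 5. Check whether any Volume Shadow Copies survived the vssadmin call the
#    malware runs; an empty list means Previous Versions cannot recover files.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) {
    Write-Host 'No Volume Shadow Copies present.'
} else {
    $shadows | Select-Object ID, VolumeName, InstallDate | Format-Table -AutoSize
}
```

Save the script as, for instance, Remove-PadCrypt.ps1 and run it first as `powershell -ExecutionPolicy Bypass -File .\Remove-PadCrypt.ps1 -DryRun` to review the actions, then again without -DryRun. Removing the files and registry values does not decrypt anything; it only stops the ransomware from running again.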

In non-techie terms:

PadCrypt Ransomware is set to encrypt your personal files and demand that you pay a ransom for the decryption key, which only the developers can provide. It uses a strong encryption algorithm, and no third-party tool can decrypt the files without the key. However, we do not recommend that you pay the ransom, since the servers that are supposed to provide the decryption key are down. So do not hesitate to get rid of this infection.