paydra@cock.li Ransomware Removal Guide

Do you know what paydra@cock.li Ransomware is?

When paydra@cock.li Ransomware attacks, it does so silently. In fact, you might execute this infection yourself without even realizing it. That is because it is likely to be disguised as a document file and sent to you via email with a deceptive, misleading message. Once the infection is executed, it starts encrypting files, which is also done silently. Only after all of the malicious processes are complete does the infection reveal itself by launching a window and dropping a .TXT file. Unfortunately, by that time, the files are already encrypted, and recovering them is not possible. You are safe if you have backups stored someplace else – for example, in cloud storage or on an external drive – which you can use to replace the corrupted files after deleting the infection. So, how should you remove paydra@cock.li Ransomware? Continue reading, and you will find out.

According to our malware research team, paydra@cock.li Ransomware is also known by a different name – “HTML Ransomware.” The original name derives from the email address that the attackers use, and the second name comes from the extension that is attached to the encrypted files. In fact, the extension is “.id-{code}.[paydra@cock.li].html,” and so both names are completely valid. This malicious threat comes from the Crysis/Dharma Ransomware family, and that means that it is similar to such threats as basecrypt@aol.com Ransomware, 0day Ransomware, or bestdecoding@cock.li Ransomware. In fact, in many ways, these infections are identical. They all encrypt files, and they all drop a text file and launch a window. The malicious paydra@cock.li Ransomware creates the “RETURN FILES.txt” file, and the message carried by it suggests writing to paydra@cock.li, of course. The window that the threat launches is named “paydra@cock.li” too, and the message it displays is more detailed.

The ransom note delivered by paydra@cock.li Ransomware suggests that files were encrypted using the RSA-1024 encryptor and that only a special key can be used to restore them. The message also suggests emailing the attackers, and since there is no other information as to how the files can be restored, you might consider this option. Wait a moment. If you send a message to the attackers, they could save your email address and use it to expose you to phishing scams and, potentially, other malware installers. The note also mentions that money would have to be paid for the key. That does not surprise us because the vast majority of file-encrypting threats are created for the sole purpose of making money. Paying the ransom is risky because cyber criminals are not accountable, and they do not need to keep their promises and help you recover your files after the payment.

Needless to say, you must delete paydra@cock.li Ransomware. Of course, that will not save your files, but it will make your operating system safer, and you will be able to assess the damage and, hopefully, replace the corrupted files with backup copies. The removal of this infection might be quite complicated because the names of some of the components are random. Manual removal, of course, is not the only option, and our research team suggests that installing reliable anti-malware software is the better option anyway. If you install this software, your operating system will be secured, and you will not need to worry about new threats. On top of that, all infections will be deleted automatically.

Remove paydra@cock.li Ransomware

  1. Tap Win+E keys to launch Windows Explorer.
  2. Enter the following lines into the quick access field to find and Delete the file named Info.hta:
    • %APPDATA%
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %WINDIR%\System32\
  3. Enter the following lines into the quick access field to find and Delete the {unknown name}.exe file:
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %WINDIR%\System32\
  4. Tap Win+R keys to launch the Run dialog box.
  5. Enter regedit into the box and click OK to access the Registry Editor.
  6. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  7. Delete 3 values whose value data point to %APPDATA%\Info.hta, %WINDIR%\System32\Info.hta, and %WINDIR%\System32\{unknown name}.exe files.
  8. Finally, Delete the ransom note file called RETURN FILES.txt.
  9. Empty Recycle Bin and then immediately perform a full system scan (use a legitimate malware scanner).
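
The checks from steps 2 to 8 can be gathered in one read-only pass before anything is deleted. The PowerShell below is an added example, not part of the original guide; it assumes the user profile as the search scope for the ransom note and for files carrying the .id-{code}.[paydra@cock.li].html extension (the guide names no folder), and Expand-Path and New-Finding are helper names made up for this example.

```powershell
# Added example: read-only audit of the artefacts named in the removal steps.
# Nothing is deleted; review the report before removing anything by hand.
function Expand-Path([string]$p) { [Environment]::ExpandEnvironmentVariables($p) }
function New-Finding($kind, $item) { [pscustomobject]@{ Kind = $kind; Item = $item } }

$startup = @(
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup',
    '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup'
) | ForEach-Object { Expand-Path $_ }
$htaDirs = @(Expand-Path '%APPDATA%') + @(Expand-Path '%WINDIR%\System32') + $startup

$report = @(
    # Step 2: Info.hta in each listed folder
    foreach ($dir in $htaDirs) {
        $hta = Join-Path $dir 'Info.hta'
        if (Test-Path -LiteralPath $hta) { New-Finding 'Info.hta' $hta }
    }
    # Step 3: any .exe sitting in a Startup folder (System32 is checked via the Run key)
    foreach ($dir in $startup) {
        Get-ChildItem -LiteralPath $dir -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
            ForEach-Object { New-Finding 'Startup exe' $_.FullName }
    }
    # Steps 6-7: HKLM Run values whose data points to Info.hta or a System32 .exe.
    # Legitimate entries can match the second pattern; verify each one before deleting.
    $run = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($name in $run.GetValueNames()) {
        $data = [string]$run.GetValue($name)
        if ($data -match '\\Info\.hta|\\System32\\[^\\"]+\.exe') {
            New-Finding 'Run value' "$name = $data"
        }
    }
    # Step 8 and damage assessment. Assumption: only the user profile is searched.
    Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Name -eq 'RETURN FILES.txt') { New-Finding 'Ransom note' $_.FullName }
            elseif ($_.Name -match '\.id-.+\.\[paydra@cock\.li\]\.html$') {
                New-Finding 'Encrypted file' $_.FullName
            }
        }
)

# Summary by kind, then the individual persistence artefacts and ransom notes
$report | Group-Object Kind | Select-Object Count, Name | Format-Table -AutoSize
$report | Where-Object Kind -ne 'Encrypted file' | Format-Table -AutoSize -Wrap
```

The encrypted-file count shows how much has to come back from backup; the remaining rows are the candidates for manual deletion in the steps above.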

In non-techie terms:

If you face paydra@cock.li Ransomware, your operating system is vulnerable. That is something that you need to think about seriously. Sure, at this time, you might be most worried about the decryption of your files and the removal of the infection, and that is perfectly understandable. Unfortunately, it is unlikely that files can be decrypted because a free decryptor does not exist, and you are unlikely to obtain the one offered by the attackers, even if you pay the ransom. If you have backups stored outside, you are in luck. Quickly delete paydra@cock.li Ransomware, and then restore your files from backup. If you cannot restore your files, you might have to admit defeat. To ensure that you do not face malware and lose your personal files in the future, you need to think about reliable protection. How about installing anti-malware software? It could automatically delete the infection too! If you are not interested in that, start by eliminating the ransomware using the guide above.