Payms Ransomware Removal Guide

Do you know what Payms Ransomware is?

If your system gets hit by Payms Ransomware, there is a chance that you will lose all your files, including videos, pictures, documents, and third-party program files. Our researchers have found that this infection is indeed a new variant of a previous malware program called Jigsaw Ransomware. It is possible that several different versions are circulating on the web; therefore, there may be slight modifications in certain traits, such as the folders used, the ransom note, and the ransom amount. This infection makes sure that you do not rush to delete it, since you are threatened that all your files will be deleted if you do so. This is all about pushing you to pay the ransom fee. Nevertheless, do not expect to get your files unlocked. Keep in mind that these are criminals who most probably could not care less about your situation. Of course, we cannot stop you from paying, but we would like to share with you what our researchers have learnt while testing this ransomware in our internal lab. We advise you to remove Payms Ransomware immediately, since this time you can actually find a working decryption tool on the web that can save your files from becoming useless.

Ransomware infections are probably among the most dangerous ones that can hit your computer. These malware programs usually use Trojans to enter your system. Contrary to popular belief, these infections most often need you to initiate them; they do not just show up mysteriously out of the blue. Payms Ransomware has been found to be spread as a malicious file attachment in spam e-mails. Have you received any suspicious mails lately that had a Word or PDF document attached? The spam mails this ransomware is distributed in can be very misleading. The main idea behind these mails and their attachments is to make you believe that they are important for you to see; otherwise, you would not activate the threat. Hopefully, you can see now why it is so vital that you be cautious when opening your mails. Just because a mail is in your inbox does not mean it is safe to open, even if you are seemingly protected by a spam filter. Criminals have their ways to evade such filters. They use deceptive techniques to fool spam filters and users alike. Otherwise, they could not infect computers, right?

After you make the mistake of downloading this attached malicious “document,” which is in fact an executable file that activates Payms Ransomware, the next mistake you will probably make is trying to run it. This is the moment of activation and the point of no return. Even if you delete Payms Ransomware afterwards, it will most likely be too late. The reason is simple. Once this infection starts up, it may only take a few minutes for it to encrypt all the targeted files in all your folders, including Program Files, Temp, and Windows. This ransomware uses an AES algorithm to encrypt your files with the following extensions: .3gp, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .class, .cs, .csv, .jpeg, .jpg, .js, .max, .mdb, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .png, .pps, .ppsx, .ppt, .pptx, .ps, .psd, .raw, .rtf, .sql, .svg, .swf, .tif, .txt, .vob, .wav, .wma, .wmv, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xml, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .indb, .indd, .jar, .java, and more.

All the encrypted files get a unique extension that can be “.payms”, “.paymst” or “.pays” depending on the version. It is possible that in the near future more extensions will be used by this infection, but they all belong to the same ransomware. Once the vicious process terminates, “Payment_Instructions.txt” is created on your desktop and the ransom note is also opened in a window. This note informs you that you must pay 150 USD worth of Bitcoins so that your files can be unlocked. If you do not pay this fee within the first 24 hours, the amount increases (225 USD). You may feel threatened by this note and you may also feel the urge to pay. But let us tell you this: there is no guarantee that your files will get decrypted. This problem is twofold. First, it is possible that these criminals have no intention whatsoever of decrypting your files. Second, the Command and Control server may be shut down (which can happen at any time), so that Payms Ransomware can no longer communicate with it. In other words, even if you transfer the money, there is a chance that your files cannot be decrypted because of a communication failure. It is up to you to make this decision, though. But you may also want to consider what we have to tell you.

Our research shows that there is a working recovery tool for Jigsaw Ransomware that has been updated to work for Payms Ransomware as well. This is certainly great news, because it means that you do not have to pay any money and your files could still possibly be saved. We do not suggest that you try to download and use such a tool yourself unless you are an advanced-level computer user. If you are inexperienced, you could ask a friend or a professional to help you out on that front. However, before you rush to decrypt your files, we recommend that you remove Payms Ransomware right away. This is also what you should do if you have a backup copy of your files and intend to transfer them back onto your PC.

In order to delete Payms Ransomware, first, you should terminate the malicious process by deleting the related registry entry. Then, you should locate and bin its folder in the “%LOCALAPPDATA%” and “%Appdata%” folders. Please follow our guide below this article if you need assistance. It is possible to protect your computer from a great number of malware infections, including Trojans and ransomware, if you become a more careful web surfer. However, the best protection that gives you the biggest freedom is the use of a professional malware removal application. If you install security software, just keep it active and updated regularly and you should have no more issues with malware.

Payms Ransomware Removal from Windows

  1. Tap Win+R and enter regedit. Press OK.
  2. Find and delete the malicious value name with value data “%LOCALAPPDATA%” or “%Appdata%” in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.
  3. Close the registry editor.
  4. Tap Win+E to open File Explorer.
  5. Locate and bin the malicious folder in the “%LOCALAPPDATA%” and “%Appdata%” directories.
  6. Delete the “Payment_Instructions.txt” from your desktop.
  7. Empty your Recycle Bin.
  8. Reboot your PC.
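Before touching anything in the steps above, it helps to see exactly what is on the machine: which Run entry launches from “%LOCALAPPDATA%” or “%Appdata%”, how many files carry the “.payms”, “.paymst” or “.pays” extensions the article lists, and whether the ransom note is on the desktop. The following PowerShell script is an added, read-only triage example written for this guide; it is not code from the original article or from the ransomware's authors. It assumes it is run as the affected user, makes no changes to the registry or file system, and only reports what it finds, so the manual removal steps can be carried out with a clear picture of what will be removed.

```powershell
# Added triage example (not part of the original guide): read-only inspection of the
# persistence location and file extensions described in the article. Nothing is deleted.

# Persistence key named in step 2 of the removal guide.
$RunKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
# Profile folders the guide says the malicious folder lives in.
$SuspectRoots = @($env:LOCALAPPDATA, $env:APPDATA)
# Extensions the article attributes to this family.
$KnownExts    = @('.payms', '.paymst', '.pays')

# Returns Run-key values whose (expanded) command points into LOCALAPPDATA or APPDATA.
function Get-SuspectRunEntries {
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    $hits = @()
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/PSChildName/PSDrive/PSProvider metadata properties.
        if ($p.Name -like 'PS*') { continue }
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        foreach ($root in $SuspectRoots) {
            if ($cmd.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $hits += [PSCustomObject]@{ ValueName = $p.Name; Command = $cmd }
                break
            }
        }
    }
    return $hits
}

# Returns files under the user profile that carry one of the known encrypted-file extensions.
function Find-EncryptedFiles {
    Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $KnownExts -contains $_.Extension.ToLowerInvariant() }
}

# Returns the full path of the ransom note if it is present on the desktop, otherwise $null.
function Get-RansomNotePath {
    $note = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Payment_Instructions.txt'
    if (Test-Path -LiteralPath $note) { return $note }
    return $null
}

Write-Host '== Run entries launching from %LOCALAPPDATA% or %APPDATA% =='
$runHits = Get-SuspectRunEntries
if ($runHits.Count -eq 0) { Write-Host 'none' } else { $runHits | Format-Table -AutoSize }

Write-Host '== Files with .payms / .paymst / .pays extensions (user profile only) =='
$encrypted = @(Find-EncryptedFiles)
if ($encrypted.Count -eq 0) {
    Write-Host 'none'
} else {
    $encrypted | Group-Object { $_.Extension.ToLowerInvariant() } |
        Select-Object @{ n = 'Extension'; e = { $_.Name } }, Count | Format-Table -AutoSize
    # Listing the first few paths shows which folders were hit and where a decryptor should look.
    $encrypted | Select-Object -First 10 -ExpandProperty FullName
}

Write-Host '== Ransom note =='
$notePath = Get-RansomNotePath
if ($notePath) { Write-Host "present: $notePath" } else { Write-Host 'not found on Desktop' }
```

Run it from a normal (non-elevated) PowerShell window as the affected user, since both the Run key and the profile folders are per-user. A Run entry whose command resolves into a profile data folder is the one step 2 asks you to remove; copying its `Command` path before deleting the value tells you which folder step 5 refers to. The script only scans the user profile for encrypted files, so on a machine where other locations were hit the counts are a lower bound.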

In non-techie terms:

Payms Ransomware has proven to be a new version of the well-known Jigsaw Ransomware. This malware infection can infiltrate your system behind your back and encrypt most of the files on your computer within a few minutes. You are told to pay $150 worth of Bitcoins to these criminals to unlock your files. If you tamper with the program, your files will be deleted; this is how you are forced to pay in time and discouraged from trying to remove Payms Ransomware. However, removing it is exactly what we suggest you do. If you leave this dangerous infection on your system, you will never be safe. Fortunately, you may be able to find a file recovery tool that works just fine, so even if you do not have a backup copy of your files, it is possible that you can recover them. If you want to make sure that your virtual world and your stored data are secure, you should employ a reliable anti-malware application.