What is Payms ransomware
Payms virus is yet another example of ransomware. It was built on the code of the Jigsaw virus, which is reportedly on sale on Dark Web forums for 139 USD. The virus encrypts the victim's files and demands 150 USD; if the victim does not pay within 24 hours, the ransom rises to 225 USD. Cyber criminals now appear to ask for far smaller ransoms than they used to, because computer users are already aware of ransomware threats and the majority of them refuse to pay.
Payms ransomware adds the .pay, .payms or .paymst file extension to encrypted files and leaves ransom notes called Payment_Instructions.txt on the system: a copy sits on the desktop and in every folder that contains encrypted data. The note tells the victim that all data on the computer has been encrypted and that there is no way to decrypt it other than paying the ransom. It is written in English and Spanish, and it warns that if the victim attempts to tamper with the virus, all files will be deleted. It explains how to buy Bitcoins and says they must be transferred to the provided address if the victim ever wants to access the files again. According to the crooks, they will remove the virus and decrypt the data once payment is made.
Payms Ransomware – Distribution
Payms ransomware can be distributed in a couple of ways. Your computer could get infected with this crypto-virus through spam e-mails carrying an attachment with malicious code inside. If the attachment is opened, the malware is dropped onto your system. The file may carry a name such as firefox.exe or something similar, chosen to look like a legitimate program in order to trick you.
Past variants of what is now named Payms ransomware were also delivered through social media sites and file-sharing services. Dropbox could still be a distribution channel, as the original variant used it as well. Avoiding suspicious files, links and websites is strongly recommended, as that is where you are most likely to encounter malware such as this one.
Payms Ransomware – Technical Description
The Payms crypto-virus is classified as ransomware. All of your files will be encrypted and become unusable. The malware demands Bitcoins as the payment method for the ransom. If the ransom is not paid in time, files are deleted on an hourly basis and the ransom price increases. Unlike past variants, which used themed ransom screens, this one displays plain text.
In the directories %AppData% and %LocalAppData% files may be created to assist the ransomware with its operations.
The Windows Registry may undergo modifications as well. The following registry value is added:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random name].exe %UserProfile%\AppData\Roaming\[directory to that exe]
This Run value automatically loads the ransomware's executable: every start of the Windows operating system launches the file, which in turn runs Payms ransomware. When checking a machine, look for Run values whose command line points into the %UserProfile%\AppData\Roaming directory rather than into Program Files.
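To turn the persistence description above into a check, here is an added Python example (not code from the original article or from any vendor) that lists HKCU Run values and flags commands whose executable lives under %UserProfile%\AppData\Roaming, the path the article names, or under AppData\Local. On a Windows host it reads the live key via winreg; elsewhere it falls back to a constructed sample whose value names and paths are hypothetical.

```python
"""Flag HKCU Run-key persistence that launches from %AppData%.

Added example for this article (not code from the original page or any
vendor). It implements the check suggested by the technical description:
a Run value whose command points into %UserProfile%\\AppData\\Roaming (or
AppData\\Local). Sample value names and paths below are hypothetical.
"""
import os
import re
import sys

_VAR_RE = re.compile(r"%([^%]+)%")   # %UserProfile%, %AppData% and friends


def expand_windows_vars(command, env):
    """Expand %VAR% references from env (keys upper-cased); unknown vars stay as-is."""
    return _VAR_RE.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), command)


def executable_path(command):
    """Return the executable part of a Run command line.

    Handles quoted paths and unquoted paths containing spaces the way the
    Windows loader does: the shortest leading prefix ending in .exe wins.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(".exe"):
            return candidate
    return tokens[0]


def classify(exe):
    """'high' for AppData\\Roaming, 'review' for AppData\\Local, None otherwise."""
    low = exe.lower()
    if not low.endswith(".exe"):
        return None
    if "\\appdata\\roaming\\" in low:
        return "high"      # the persistence path the article describes
    if "\\appdata\\local\\" in low:
        return "review"    # legitimate per-user installs live here too
    return None


def suspicious_run_entries(entries, env):
    """Return [(value_name, exe_path, severity)] for entries launching from AppData."""
    hits = []
    for name, command in entries.items():
        exe = executable_path(expand_windows_vars(command, env))
        severity = classify(exe)
        if severity:
            hits.append((name, exe, severity))
    return hits


def read_hkcu_run():
    """Read HKCU\\...\\CurrentVersion\\Run on a live Windows host; empty elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:       # no more values
                break
            entries[name] = str(value)
            index += 1
    return entries


# Constructed sample: hypothetical value names and paths, not real indicators.
SAMPLE_ENV = {"USERPROFILE": r"C:\Users\victim", "PROGRAMFILES": r"C:\Program Files"}
SAMPLE_ENTRIES = {
    "OneDrive": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"%ProgramFiles%\Windows Defender\MSASCuiL.exe",
    "firefox": r"%UserProfile%\AppData\Roaming\Frfx\firefox.exe",
}

if __name__ == "__main__":
    entries = read_hkcu_run()
    env = {k.upper(): v for k, v in os.environ.items()}
    if not entries:   # not on Windows: demonstrate on the constructed sample
        entries, env = SAMPLE_ENTRIES, SAMPLE_ENV
    for name, exe, severity in suspicious_run_entries(entries, env):
        print(f"[{severity}] Run value {name!r} launches {exe}")
```

Entries under AppData\Local are reported as "review" rather than "high" because legitimate per-user installs (OneDrive in the sample) live there too; an entry under AppData\Roaming whose name imitates a browser, like the firefox.exe mentioned in the distribution section, is what this family looks like. Confirm a hit by checking the file's signature and hash before deleting the value and the file it points to.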
Paying the ransom asked by Payms ransomware is strongly discouraged. Nobody can guarantee that you will get your files back or that they will work as before, and giving money to the cyber criminals funds further crimes and improvements to the ransomware. Be aware that restoration methods are described at the end of the article. A decryptor is also available thanks to the malware researcher Michael Gillespie.
Payms ransomware searches for files to encrypt on all kinds of storage devices: HDDs, SSDs, internal and external. This variant targets files with more than 120 extensions. The list is the following:
.3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .jpeg, .jpg, .js, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .raw, .rb, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java
AES remains the algorithm used for encryption in this variant of the Jigsaw ransomware. The ransomware sets .payms as the extension of encrypted files; .paymst and .pays may be used by other versions. It is strongly recommended to remove Payms ransomware from your computer as soon as possible: because it deletes files on a schedule, every hour of delay costs data, so stop the process and remove the Run entry before attempting any recovery.
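The extension list and ransom-note name above can be turned into a triage script. The following is an added Python example, not the article's own material, that walks a directory and separates already-encrypted files (by appended extension), ransom notes, and still-intact files whose extensions are on the target list; it also recovers the original file name, which is needed when matching decrypted output back to the originals. The directory tree it scans is constructed inside the script with hypothetical names, and TARGETED_EXTS holds only a subset of the list above.

```python
"""Triage a file tree for Payms/Jigsaw activity.

Added example for this article (not code from the page or any vendor).
Extensions and the note name come from the description above; the sample
tree built by build_sample_tree() is constructed purely for illustration.
"""
import os
import tempfile

# Extensions the article reports being appended to encrypted files.
ENCRYPTED_EXTS = (".payms", ".paymst", ".pays", ".pay")
RANSOM_NOTE = "payment_instructions.txt"
# Subset of the targeted list above; extend with the full list when hunting.
TARGETED_EXTS = {".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".py", ".txt"}


def original_name(path):
    """Strip the appended ransomware extension: report.docx.payms -> report.docx."""
    base, ext = os.path.splitext(path)
    return base if ext.lower() in ENCRYPTED_EXTS else path


def scan_tree(root):
    """Walk root and classify every file; paths are returned relative to root
    with '/' separators and sorted, so results are stable across platforms."""
    result = {"encrypted": [], "notes": [], "at_risk": []}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            low = fn.lower()
            if low == RANSOM_NOTE:                       # dropped in every hit folder
                result["notes"].append(rel)
            elif low.endswith(ENCRYPTED_EXTS):           # already encrypted
                result["encrypted"].append(rel)
            elif os.path.splitext(low)[1] in TARGETED_EXTS:  # intact but targeted
                result["at_risk"].append(rel)
    for paths in result.values():
        paths.sort()
    return result


def build_sample_tree(root):
    """Create a constructed victim-like tree (hypothetical names, dummy bytes)."""
    files = {
        "Desktop/Payment_Instructions.txt": b"All your files have been encrypted...",
        "Documents/Payment_Instructions.txt": b"All your files have been encrypted...",
        "Documents/report.docx.payms": b"\x00" * 64,
        "Documents/budget.xlsx.paymst": b"\x00" * 64,
        "Documents/todo.txt": b"not yet touched",
        "Pictures/holiday.jpg": b"\xff\xd8\xff",
        "bin/tool.exe": b"MZ",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def run_demo():
    """Build the sample tree in a temporary directory, scan it, return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    summary = run_demo()
    for kind, paths in summary.items():
        print(f"{kind}: {len(paths)}")
        for p in paths:
            suffix = f" -> {original_name(p)}" if kind == "encrypted" else ""
            print(f"    {p}{suffix}")
```

Run scan_tree against a real profile directory (for example C:\Users\<name>) to get a count of encrypted versus still-intact files; a non-empty "at_risk" list on a machine that still has the process running is the signal to pull the plug before the hourly deletions and the encryption of the remaining files continue.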
Step 1 - Uninstall Payms ransomware From Win 10/Win 8/Win 7/Vista/XP
Open Control Panel On Windows 10
- Click Start Menu >> click Settings
- Double-click System
- Click Apps & features >> Select Payms ransomware or related harmful program >> Click Uninstall when the button appears
Open Control Panel On Win 8
- Click the File Explorer icon in the bottom left corner of the desktop to open the Libraries window.
- Click Desktop in the right side bar >> double-click Control Panel
Open Control Panel On Windows 7/Vista/XP
- Click Start Menu >> Click Control Panel
Removal Of Payms ransomware From Control Panel
- In Control Panel, click Uninstall a program
- Click the Installed On column to sort by date, find Payms ransomware and other unwanted programs >> Select a program and click Uninstall
Note that Payms is not an installed program and will rarely appear in this list. The artifacts to remove are the Run value and the executable under %UserProfile%\AppData\Roaming described in the technical section above.
Step 2 - Clear up malicious registry entries of Payms ransomware
- Press the Windows + R keys at the same time to open the Run window
- Type regedit and click OK:
- Locate and remove the malicious registry entries associated with Payms ransomware. Only the Run value named in the technical description above is specific to this threat; the remaining keys are generic policy and browser settings that ransomware and adware commonly alter. Export the key (File > Export) before deleting anything, and delete only values you can tie to the malware:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\[random name].exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\[virus name]
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Page_URL"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = '0'
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Muvic_RASAPI32
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{RANDOM}
Reset your browser homepage and extensions to remove Payms ransomware leftovers
Reset Microsoft Edge Browser
- Select More (…) on the address bar, then Settings
- Under Open with, select A specific page or pages
- select Custom to enter the URL of page you want to set as homepage
Reset IE Browser
- Open Internet Explorer.
- Click the Tools button, and then click Manage add-ons.
- Click Toolbar and Extensions, then select Payms ransomware and related extensions and click Disable
Reset Firefox Browser
- Click the menu button and choose Add-ons to open Manager tab
- In the Add-ons Manager tab, select the Extensions or Appearance panel.
- Select the Payms ransomware and related add-on you need to remove.
- Click the Remove button.
Reset Chrome Browser
- Click the menu icon on the Google Chrome toolbar, then select More tools.
- Select Extensions from the side menu
- Click the trash can icon next to the Payms ransomware extension or any related extension you wish to remove.
Download Automatic Payms ransomware Removal Tool
If you are unable to remove Payms ransomware manually, or run into problems while removing this threat from your PC, you can use an Automatic Removal Tool. It is an advanced and powerful malware removal tool that can delete all kinds of harmful threats and malware from your system. You can download the trial version of this tool to detect Payms ransomware on your PC; once you are satisfied with the detection, you can purchase the program to remove the threat permanently.
How To Remove Payms ransomware With Automatic Removal Tool
Step 1 - Install the software on your computer and click the Scan Computer Now button
Step 2 - Click on Fix Threats Now to remove all detected viruses or malware.
Step 3 - Use Custom Scan feature to scan any specific part of computer.
Step 4 - Configure Scan Scheduler option to ensure the safety of your PC.
Click here to learn more: - http://www.removepcvirusmalware.com
Very nice and Valuable Articles, you have posted. I admire your work. As you share good stuff with good Ideas and Concepts. This Post has been really helpful for me in removing Jigsaw Ransomware from my System.
Thank you for sharing that useful knowledge with us. To learn more about ransomware and protection you can read this post: Protect your pc from Ransomware