Payransom Ransomware

Payransom Ransomware is an extremely malicious program. It was developed by cybercriminals that specialize in creating this particular type of malware. The people behind this malware have released at least several similar ransomware’s in the recent past. Their purpose is to encrypt most of the files on your PC and request payment for the decryption key. You have to remove this infection if you do not want to pay the ransom. Either way, the cybercriminals might not send you the key after you pay them. There is a slight chance of decrypting the files for free using a decrypter for another program from the same developers.

When this ransomware infects a computer, it drops its executable file in %APPDATA%\{randomly named folder}. The name of the executable should be named in lowercase letters only and no numbers. Another randomly named executable is dropped in %LOCALAPPDATA%\{randomly named folder}. Lastly, it will create a directory at %APPDATA%\System32Work at also contains some files. Also, it will create a string at HKCU\Software\Microsoft\Windows\CurrentVersion\Run that features the name of the executable found in %APPDATA%. If you opt to delete the files manually, then you should look for executables named mogfh.exe, suerdf.exe, wrkms.exe, systmd.exe, and drpbx.exe. These are just a few possible name variations, but they may give you an idea what to look for in the aforementioned folders.

When this ransomware infects a computer, it immediately goes to work. It scans it for files of interest and starts the encryption process. It uses the AES encryption and while encrypting it adds the .payransom extension to the end of the file name of each encrypted file. We want to stress that the AES symmetric block cipher is a tough nut to crack regardless of key length. We do not know for certain what key length it uses, but the key length can be from 128-bit to 192-bit to 256-bit — the longer the key, the stronger the encryption. As mentioned, you can try using the derypter designed for another ransomware called Jigsaw Ransomware. You can get this decrypter at Download.bleepingcomputer.com/demonslay335/JigSawDecrypter.zip. We think that this decrypter might do the trick because both Payransom Ransomware and Jigsaw Ransomware come from the same developers.

After the encryption is complete, this ransomware creates files named EncryptedFileList.txt, Address.txt and a file called dr and places them in C:\Users\User\AppData\Roaming\System32Work. Then, Payransom Ransomware will start showing you a ransom note on your desktop “asking” that you pay 0.4 BTC (Bitcoins) which is 150 USD. If you do not pay within 24 hours, then the ransom will increase to 300 USD, but if you do not pay within 48 hours, then the ransom will increase to 450 USD. We do not know whether the ransom increases more after that point. In any case, there is another problem: to force you to pay the ransom, the cyber criminals have configured this infection to delete an unspecified number of files each hour.

If you do not have Bitcoins, then the developers have that covered as well. You give you a link to Localbitcoins.com where you can purchase them. The developers claim that your files will be automatically decrypted after the payment is made. The developers also claim that the ransomware recrypts everything and deletes more files after every system reboot. So you should not waste time and try using the third-party decrypter whose link we have included in this description.

In closing, Payransom Ransomware is one nasty piece of software that you have to deal with as soon as possible. It is designed to encrypt valuable files and demand money from you if you want to get them back. You can try paying the developers, but you might not receive the decryption key. So try using the free decryption tool and if it does not work, then delete its files using our manual removal guide or SpyHunter which is our program of choice for eradicating this infection.

Terminate Payransom Ransomware’s process

1. Right-click on the Taskbar and select Start Task Manager.
2. Select Processes and find this ransomware’s executable.
3. Right-click on it and click End Process.
4. Close the Task Manager.

Remove this ransomware’s files

1. Press Windows+E keys.
2. Enter the following addresses in the address box.

• %APPDATA%\{randomly named folder}
• %LOCALAPPDATA%\{randomly named folder}

1. Delete the malicious executable.
2. Go to %APPDATA%\System32Work
3. Delete EncryptedFileList.txt, Address.txt and a file named dr

Delete the registry key

1. Press Windows+R keys.
2. Enter regedit in the dialog box.
3. Click OK.
4. In the Registry Editor, go to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
5. Locate the file name of the executable found in %APPDATA%
6. Right-click and click Delete.