PSCrypt Ransomware

PSCrypt Ransomware should be spreading in Ukraine as the malware’s shown ransom is written in Ukrainian language and names the decryption tool’s price in Hryvnia, which is the mentioned country’s currency. Apparently, the malicious application is programmed to encrypt personal files with a secure cryptosystem; making such data unusable unless the user has a decryption tool to unlock it. The asked sum for such a tool is not particularly large, but we would advise users not to waste any money since there are no guarantees the hackers behind PSCrypt Ransomware will hold to their promise. In other words, they may take the victim’s money without delivering the means to decrypt damaged data. Thus, instead of risking your money, we advise you to see if there are any copies you could find to replace damaged files or try special recovery tools. Also, for the safety of the system, we recommend erasing the infection as soon as possible. If you plan to remove it manually, we suggest using the instructions located below this text.

According to what we have learned while researching PSCrypt Ransomware, it would seem it might be distributed through unsafe Remote Desktop Protocol (RDP) connections. All the hackers have to do is either guess the computer’s password, which can be easy if you have a weak password or brute force the password. Once they get in, they can access user’s data, programs, place their own files on the device, and so on. Firstly, the hackers might disable the device’s firewall and antivirus tool so they would not detect their malicious activities. Then the cyber criminals could simply drop the threat’s launcher onto your system and start it to infect the computer. You could try to prevent this from happening in the future by securing your RDP connections, using only strong passwords, keeping your operating system, antimalware tool, and other software up to date, etc.

What happens when PSCrypt Ransomware infects the system? For starters, the malware should start encrypting personal files, such as photos, pictures, videos, music files, documents, archives, and other data alike with a strong cryptosystem. Each affected file might be marked by placing a specific additional extension at the end of its title, for example, flowers.jpg.pscrypt, text.docx.pscrypt, and so on. Afterward, the malicious application should drop a ransom note; it might be placed on the user’s Desktop or directories containing encrypted files. Our researchers say the document should be titled Paxynok.html. Since it is an HTML file, it can be opened with a browser of your choice. As we mentioned earlier in the text, the note contains message written in the Ukrainian language. In short, it explains what happened to the victim’s data and what can be done to recover it.

The note (Paxynok.html) suggests purchasing decryption tools for 2500 UAH (approximately 96 US dollars). Of course, the sum is asked to be paid in Bitcoins for anonymity, and the hackers threaten the victim will never be able to get back his data if he does not do as they demand. Moreover, the message warns users not to delete PSCrypt Ransomware or run antivirus tools. However, this is exactly what we would advise you to do. The hackers may have a decryption tool, but there are no reassurances they still have your unique decryption key. Not to mention they can take your money without sending it, so who is to tell if they will not trick you. After all such people cannot be trusted as from experience, we can say that there are always cases when users lose their money in vain.

If you do not wish to possibly increase your loss by paying the ransom, we recommend not just ignoring the ransom note, but also erasing it along with the malicious application. To get rid of the malware’s data manually, users could follow the instructions located below the text, although we cannot guarantee they will help users remove PSCrypt Ransomware entirely. Therefore, additionally, we would advise scanning the system with a reliable security tool you trust. It could detect the infection by performing a system scan, and you could eliminate it afterward by simply clicking the given deletion button. Plus, the antimalware tool may clean your system from other possible threats too and keep it protected from the ones you could yet encounter.

Eliminate PSCrypt Ransomware

1. Press Ctrl+Alt+Delete.
2. Choose Task Manager and select Processes.
3. Search for a process that could be related to the infection.
4. Mark the process and press the End Task button.
5. Exit Task Manager.
6. Press Win+E.
7. Check the Desktop, Temporary Files, and Downloads folders.
8. Look for the malicious application’s launcher.
9. Right-click the file you suspect to be the cause of this infection and press Delete.
10. Find the ransom notes (Paxynok.html) and erase them too.
11. Close the File Explorer.
12. Empty the Recycle bin.
13. Reboot the system.