Danger level 5
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Ransomware

If you find out that this ransomware has managed to infiltrate your system, chances are you are going to lose all your files, with a few exceptions. Of course, if you are the security-minded type, you may have a backup saved in the cloud or on a portable device. Our researchers have examined this dangerous threat in our internal lab and found that it is an almost identical variant of "BTCWare Ransomware" (or "BTCWare-PayDay Ransomware"). This ransomware can encrypt almost all your files, including all your media files and databases as well as your .exe files. You may be able to find working free file recovery tools for its previous variants, and they might work in this case; however, it is more likely that such a tool needs to be updated first, so it may take some time for malware hunters to come out with a new version. In any case, we recommend that you remove this ransomware immediately, since it can restart automatically with every reboot of your operating system.

The worst thing about this malicious attack, apart from losing all your files, is probably the fact that it may be you who let it on board. This ransomware may come as a malicious attachment in a spam e-mail. You need to open this mail and click to view its attachment for the attack to start. This means that you could still have stopped even after opening this mail. However, it is quite likely that you wanted to see the attached file, too, because otherwise you would not have this dangerous malware infection on your system now. But do not beat yourself up too much about this infection: cyber criminals have evolved, and nowadays they can use spam that even more experienced users would fall for.

Such spam can, for example, pretend to come from government institutions, the police, parking authorities, airlines, and other well-known companies. This is to make sure that you do not doubt the mail right away. The subject line may also make you feel that it is an important mail that you need to check out right away. Please remember that this spam may not contain any useful information about the alleged urgent matter (e.g., an unpaid invoice or fine) but instead instructs you to see the attached file for more information. This should already raise a red flag and stop you right there. Opening the attached file means activating this severe hit on your system. Usually this also means that you cannot delete this ransomware in time, because you will only know about its presence once it has finished encrypting your files.

As we have said, this new variant of BTCWare Ransomware is practically identical to its predecessor, the only difference being the contact e-mail address used in the ransomware. This is a dangerous threat since it attacks not only your photos, documents, and databases but most of the files on your system, including .exe files, in almost every location. The only exceptions are Microsoft applications and your operating system folders. This obviously causes huge devastation. All the encrypted files get a ".[]-id-AD0.wallet" extension. This malware infection drops a ransom note text file called "! How Decrypt Files.txt" in every affected folder. In addition to these files, it also creates a special ransom note as "%APPDATA%\payday.hta". This file is referred to by four separate points of execution created in the Registry, which ensures that this ransom note comes up on your screen every time you restart your computer.

The ransom note only tells you to send an e-mail to and the price of the decryption will depend on "how fast you are." You have to pay in Bitcoins, but no more details are revealed. It is possible that you will have to pay hundreds of dollars' worth of Bitcoins for the decryption key or tool. You can send up to three very small and unimportant files to be decrypted for free as proof. Nevertheless, we do not think it is a good idea to contact these criminals, since you may not get anything in return in the end. We advise you to remove this ransomware as soon as possible and try to recover your files in alternative ways.

If you want to take out this dangerous threat, you can follow our instructions below. But, if you do not have the courage to do so or consider it risky, you can always install a reliable malware removal application like SpyHunter, which could automatically detect and eliminate all known threats on your system as well as protect your PC against future attacks. It is also important to keep in mind that your programs and drivers need regular updating to keep cyber attacks as far away as possible.

How to remove this ransomware from Windows

  1. Press Win+E.
  2. Locate and delete the malicious file that was launched.
  3. Remove the ransom note "%APPDATA%\payday.hta" and all "! How Decrypt Files.txt" files from the affected folders.
  4. Empty your Recycle Bin.
  5. Press Win+R and type regedit. Click OK.
  6. Delete these points of execution:
  7. Exit your editor.
  8. Restart your computer.
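
The file and Registry artifacts named in the steps above can be inventoried before anything is deleted. The following PowerShell script is an added example, not part of the original guide; the `$Roots` parameter and the list of Run/RunOnce keys are assumptions, because the page does not name the Registry entries it refers to.

```powershell
# Added example: read-only audit of the artifacts named in the removal steps.
# It only reports; nothing is deleted or modified.
param(
    # Assumption: folders to sweep for ransom notes and encrypted files.
    [string[]]$Roots = @($env:USERPROFILE)
)

$NoteName = '! How Decrypt Files.txt'            # ransom note name from the page
$HtaPath  = Join-Path $env:APPDATA 'payday.hta'  # HTA note path from the page
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Location, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. HTA ransom note in %APPDATA%
if (Test-Path -LiteralPath $HtaPath) { Add-Finding 'HtaNote' $HtaPath 'present' }

# 2. Text ransom notes, plus a count of files carrying the .wallet suffix
$encrypted = 0
Get-ChildItem -LiteralPath $Roots -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Name -eq $NoteName) { Add-Finding 'TextNote' $_.FullName 'present' }
        elseif ($_.Extension -eq '.wallet') { $encrypted++ }
    }
Add-Finding 'EncryptedFiles' ($Roots -join ';') "$encrypted file(s) ending in .wallet"

# 3. Autorun values whose data references the HTA note.
# Assumption: the page does not list its Registry entries, so only the
# standard Run/RunOnce keys are checked; other launch points need a separate look.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    $k = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $k) { continue }
    foreach ($name in $k.GetValueNames()) {
        $data = [string]$k.GetValue($name)
        if ($data -match 'payday\.hta') { Add-Finding 'Autorun' "$key\$name" $data }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it again after the restart in step 8: an empty `Autorun` and `HtaNote` result indicates the note is no longer scheduled to launch from the locations checked.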