If your personal files does not open normally, their names replaced or .[firstname.lastname@example.org]-id.7DA0.payday, .[email@example.com]-id-1BA3.payday added at the end of their name then your computer is infected with a new Payday ransomware from a family of the BTCWare ransomware. Once started, it have encrypted all photos, documents and music stored on a computer drives and attached network drives.
The Payday ransomware is a virus, which developed to encrypt the personal documents, photos and music found on infected personal computer using strong encryption method, appending the .payday extension to all encrypted personal files. Once the encryption procedure is finished, it will display a ransom demanding message offering decrypt all users documents, photos and music if a payment is made.
In order to decrypt all photos, documents and music, the Payday ransomnote offers victim to contact virus’s makers through the following email addresses:
- firstname.lastname@example.org (by information from BleepingComputer forum)
These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins). We do not recommend paying a ransom, as there is no guarantee that you will be able to decrypt your documents, photos and music. Especially since you have a chance to restore your personal files using free tools such as ShadowExplorer and PhotoRec.
We advise you to remove Payday ransomware ASAP, until the presence of the ransomware virus has not led to even worse consequences. You need to follow the step-by-step guide below that will help you to completely remove Payday ransomware from your PC as well as recover encrypted photos, documents and music, using only few free utilities.
Table of contents
- What is Payday ransomware virus
- How to decrypt .payday files
- How to remove Payday ransomware virus
- Restoring files encrypted with Payday ransomware
- How to prevent your system from becoming infected by Payday ransomware?
- How does your computer get infected with Payday ransomware
- To sum up
What is Payday ransomware virus
Payday is a variant of crypto viruses (malicious software that encrypt personal files and demand a ransom). It affects all current versions of Windows OS such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. This ransomware uses very strong hybrid encryption with a large key to eliminate the possibility of brute force a key which will allow to decrypt encrypted documents, photos and music.
When the virus infects a PC system, it uses system directories to store own files. To run automatically whenever you turn on your PC, Payday virus creates a registry entry in Windows: sections HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce.
Immediately after the launch, the ransomware scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware virus uses the file name extension, as a way to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:
.xll, .avi, .gdb, .xwp, .srf, .xls, .cer, .qic, .r3d, .wbk, .bik, .crw, .mdb, .wpg, .wp4, .tor, .svg, .map, .pak, .sum, .odp, .x3d, .pst, .x3f, .mddata, .sav, .wpt, .wn, .png, .layout, .zabw, .itm, .pptm, .vpp_pc, .cr2, .d3dbsp, .psk, .xml, .dbf, .pkpass, .ybk, .wbmp, .hkdb, .der, .m2, .xdl, .bay, .zip, .wmv, .xar, .1st, .sb, .snx, .flv, .mp4, .py, .3fr, .das, .2bp, .raf, .wsh, .wire, .db0, .rim, .jpeg, .bsa, .kf, .jpg, .rw2, .fsh, .xmind, .eps, .rwl, .wpd, .sidd, .mlx, .doc, .3ds, .mov, .wma, .wbm, .xbdoc, .odt, .cas, .cfr, .p12, .wps, .iwi, .rgss3a, .sql, .wot, .accdb, .wmo, .wcf, .wsd, .pfx, .sis, .jpe, .ztmp, .apk, .wbz, .wma, .wps, .xpm, .sr2, .vpk, .ppt, .itdb, .upk, .m4a, .nrw, .zdb, .wri, .ws, .crt, .y, .vdf, .txt, .dmp, .hplg, .1, .wgz, .ntl, .xlgc, .dba, .wav, .xlsb, .wm, .xmmap, .litemod, .pem, .vfs0, .bkf, .t12, .wotreplay, .esm, .wpb, .hvpl, .desc, .ncf, .dwg, .zi, .xbplate, .cdr, .xx, .wbc, .mdbackup, .dazip, .z, .srw, .syncdb, .sidn, .wdb, .p7b, .mdf, .xld, .docm, .p7c, .wmv, .z3d, .3dm, .webdoc, .blob, .vtf, .dng, .zif, .dxg, .zw, .bkp, .gho, .0, .xlsx, .xyw, .xy3, .xyp, .wsc, .odc, .bc6, .wb2, .ai, .wpa, .pptx, .wpl, .lbf, .vcf, .ods, .bc7, .arch00, .indd, .epk, .wmd, .qdf
Once a file is encrypted, its extension changed to .payday. Next, the virus creates two files called “payday.hta” and “!! RETURN FILES !!.txt”. These files contain information on how to decrypt all encrypted documents, photos and music. An example of the info is:
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Checkzip@india.com You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. hxxps://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The Payday ransomware actively uses scare tactics. It is trying to force the user of the infected system, do not hesitate to pay a ransom, in an attempt to restore their files.
How to decrypt .payday files
Currently there is no available solution to decrypt .payday files, but you have a chance to restore encrypted documents, photos and music for free. The ransomware virus repeatedly tells the victim that uses strong encryption method. What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a way because of the big length of the key. Therefore, unfortunately, the only payment to the makers of the Payday ransomware virus entire amount requested – the only way to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that after pay a ransom to the creators of the Payday ransomware, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware.
How to remove Payday ransomware virus
The Payday ransomware virus can hide its components which are difficult for you to find out and remove completely. This can lead to the fact that after some time, the ransomware once again infect your computer and encrypt your photos, documents and music. Moreover, I want to note that it’s not always safe to get rid of virus manually, if you don’t have much experience in setting up and configuring the MS Windows operating system. The best way to find and remove Payday ransomware is to run free malicious software removal applications which are listed below.
Remove Payday virus with Zemana Anti-malware
Zemana Anti-malware is a utility which can remove viruses, adware, potentially unwanted programs, hijackers and other malicious software from your computer easily and for free. Zemana Anti-malware is compatible with most antivirus software. It works under Windows (10 – XP, 32 and 64 bit) and uses minimum of machine resources.
- Please go to the following link to download Zemana Anti Malware (ZAM). Save it on your Microsoft Windows desktop.
Author: Zemana Ltd
Category: Security tools
Update: April 20, 2017
- At the download page, click on the Download button. Your web-browser will show the “Save as” dialog box. Please save it onto your Windows desktop.
- After the downloading process is finished, please close all applications and open windows on your computer. Next, launch a file called Zemana.AntiMalware.Setup.
- This will start the “Setup wizard” of Zemana onto your PC system. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the Zemana Free will open and open the main window.
- Further, click the “Scan” button for scanning your machine for the Payday ransomware virus and other security threats. This procedure may take some time, so please be patient. When a threat is found, the number of the security threats will change accordingly. Wait until the the scanning is complete.
- When Zemana Free has finished scanning your computer, a list of all threats detected is produced.
- All detected items will be marked. You can get rid of them all by simply click the “Next” button. The tool will delete Payday ransomware and other malicious software and PUPs and add threats to the Quarantine. Once disinfection is complete, you may be prompted to restart the system.
- Close the Zemana and continue with the next step.
Use Malwarebytes to get rid of Payday virus
You can delete Payday ransomware virus automatically with a help of Malwarebytes Free. We recommend this free malicious software removal tool because it can easily remove ransomwares, adware, PUPs and toolbars with all their components such as files, folders and registry entries.
Click the link below to download MalwareBytes Anti Malware (MBAM). Save it directly to your Microsoft Windows Desktop.
Category: Security tools
Update: November 9, 2017
After the download is done, close all applications and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s called mb3-setup as shown below.
When the setup starts, you’ll see the “Setup wizard” which will help you install Malwarebytes on your system.
Once install is finished, you will see window as displayed on the screen below.
Now press the “Scan Now” button for checking your PC system for the Payday ransomware virus and other security threats. A scan can take anywhere from 10 to 30 minutes, depending on the count of files on your PC system and the speed of your personal computer. While the utility is checking, you can see count of objects and files has already scanned.
When the scan get finished, the results are displayed in the scan report. Make sure all threats have ‘checkmark’ and press “Quarantine Selected” button.
The Malwarebytes will now remove Payday ransomware virus related files, folders and registry keys and move items to the program’s quarantine. When finished, you may be prompted to reboot your computer.
The following video explains tutorial on how to remove browser hijacker, adware and other malicious software with MalwareBytes.
Use KVRT to delete Payday ransomware
If MalwareBytes anti malware or Zemana antimalware cannot delete this ransomware virus, then we advises to run the KVRT. KVRT is a free removal tool for ransomwares, adware, potentially unwanted software and toolbars.
Download Kaspersky virus removal tool (KVRT) by clicking on the link below. Save it to your Desktop.
Author: Kaspersky® lab
Category: Security tools
Update: November 3, 2015
After downloading is complete, double-click on the KVRT icon. Once initialization procedure is finished, you will see the Kaspersky virus removal tool screen as shown in the figure below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button to begin checking your system for the Payday virus and other trojans and harmful apps. While the utility is checking, you can see how many objects and files has already scanned.
After the scan get finished, you can check all items detected on your PC as shown below.
You may move threats to Quarantine (all selected by default) by simply click on Continue to start a cleaning task.
Restoring files encrypted with Payday ransomware
In some cases, you can restore files encrypted by Payday ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.
Use shadow copies to restore .payday files
In some cases, you have a chance to restore your documents, photos and music which were encrypted by the Payday ransomware. This is possible due to the use of the utility named ShadowExplorer. It is a free program which made to obtain ‘shadow copies’ of files.
Download ShadowExplorer from the link below. Save it on your MS Windows desktop.
Category: Security tools
Update: February 12, 2016
When downloading is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as shown on the image below.
Double click ShadowExplorerPortable to start it. You will see the a window as on the image below.
In top left corner, select a Drive where encrypted photos, documents and music are stored and a latest restore point as displayed in the following example (1 – drive, 2 – restore point).
On right panel look for a file that you want to recover, right click to it and select Export as shown in the following example.
Use PhotoRec to restore .payday files
Before a file is encrypted, the Payday virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your photos, documents and music using file recover programs like PhotoRec.
Download PhotoRec by clicking on the link below. Save it on your Microsoft Windows desktop or in any other place.
Category: Security tools
Update: March 23, 2016
When the download is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder like below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will show a screen as displayed in the following example.
Select a drive to recover as displayed in the figure below.
You will see a list of available partitions. Select a partition that holds encrypted files as shown in the figure below.
Click File Formats button and choose file types to recover. You can to enable or disable the recovery of certain file types. When this is done, press OK button.
Next, press Browse button to choose where restored photos, documents and music should be written, then press Search.
Count of recovered files is updated in real time. All restored documents, photos and music are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is done, click on Quit button. Next, open the directory where recovered photos, documents and music are stored. You will see a contents as displayed in the figure below.
All restored files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to prevent your system from becoming infected by Payday ransomware?
Most antivirus applications already have built-in protection system against the ransomware virus. Therefore, if your PC does not have an antivirus application, make sure you install it. As an extra protection, run the CryptoPrevent.
Use CryptoPrevent to protect your machine from Payday ransomware virus
Download CryptoPrevent by clicking on the following link. Save it on your MS Windows desktop or in any other place.
Run it and follow the setup wizard. Once the setup is finished, you’ll be shown a window where you can choose a level of protection, as shown in the figure below.
Now click the Apply button to activate the protection.
How does your computer get infected with Payday ransomware
The Payday ransomware virus is distributed through the use of spam emails. Below is an email that is infected with a virus like Payday virus.
Once this attachment has been opened, this virus will be started automatically as you do not even notice that. The Payday virus will begin the encryption procedure. When this procedure is finished, it’ll display the usual ransom instructions like above on “payday.hta” and “!! RETURN FILES !!.txt”.
To sum up
After completing the steps shown above, your PC system should be clean from Payday ransomware and other malware. Your machine will no longer encrypt your personal files. Unfortunately, if the tutorial does not help you, then you have caught a new ransomware virus, and then the best way – ask for help in our Spyware/Malware removal forum.