PayDay Ransomware - How to remove

PayDay ransomware’s source code is based on the open-source ransomware project Hidden Tear available on While the title of the PayDay ransomware is associated with the short name of the video game Payday: The Heist, developed by Overkill Software. The plot of the game revolves around the group of four robbers, who act together to complete various armed robberies. The theme is adapted to the ransomware, which concept it perfectly fits.

The Picture of PayDay Ransomware

PayDay crypto-malware is programmed to encrypt the following file types with AES-256 algorithm:

.raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .sav, .spv, .grle, .mlx, .sv5, .game, .slot, .dwg, .dxf, .c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .csv, .efx, .sdf, .vcf, .xml, .ses.

The user of the infected machine is indicated the encrypted files by the .sexy extension appended to them. For example, File.raw is renamed into After the encryption, PayDay crypto-locker displays a ransom note in Portuguese:

Seus arquivos foram Sequestrados!
TODOS os seus documentos, banco de dados, downloads, fotos e outros arquivos importantes foram criptografados utilizando o algoritmo AES (mesma criptografia utilizada pelo governo do EUA) com uma senha alfa-numérica de 150 caracteres gerada a partir deste computador e enviada para um servidor secreto na Internet onde somente eu tenho acesso.
O que fazer?
Para obter essa senha e descriptografar seus arquivos, você terá que pagar uma quantia de R$950,00 em BTC (BITCOIN). Para efetuar o pagamento e obter a senha, siga este pequeno manual:
1. Crie uma carteira BTC aqui: ******
2. Compre R$950,00 BTC com dinheiro em: ***
3. Envie os BTCs comprados para o endereço: *****
4. Acompanhe a transferência em: ******
5. Após o pagamento ser confirmado, envie-me um email requisitando a Senha: [email protected]
6. Logo após, enviarei um arquivo compactado contento dois arquivos: um Decrypter em .exe e a Senha em um .txt
O que é Bitcoin:
1. Ninguém pode te ajudar, a não ser eu!
2. Vocé tem apenas 120 Horas (5 dias) para efetuar o pagamento, caso o contrario eu deletarei a senha.
3. É inútil instalar/atualizar o software Anti Vírus, formatar o computador, fazer BO na delegacia, etc.
4. Seus arquivos só poderão ser descriptografados depois do pagamento.
5. Após vocé descriptografar seus arquivos, formate seu computador, instale um bom Anti Vírus e tome mais cuidado onde clica ?

Its rough English translation would be:

Your files have been hijacked!
ALL of your documents, database, downloads, photos, and other important files were encrypted using the AES algorithm (same encryption used by the US government) with a 150 character alpha-numeric password generated from this computer and sent to a server Secret on the Internet where only I have access.
What to do?
To get this password and decrypt your files, you will have to pay an amount of $ 950.00 in BTC (BITCOIN). To make the payment and obtain the password, follow this small manual:
1. Create a BTC portfolio here: ******
2. Buy R $ 950,00 BTC with money in: ***
3. Send the purchased BTCs to the address: *****
4. Follow the transfer on: ******
5. After payment is confirmed, send me an email requesting the Password: [email protected]
6. Soon after, I will send a compressed file containing two files: a decrypter in .exe and the Password in a .txt
What is Bitcoin:
1. No one can help you but me!
2. You only have 120 Hours (5 days) to make the payment, otherwise I will delete the password.
3. It is useless to install / update the AntiVirus software, format the computer, do BO in the police station, etc.
4. Your files can only be decrypted after payment.
5. After you decrypt your files, format your computer, install a good AntiVirus and be more careful where you click;)

Thus, it can be assumed that PayDay crypto-virus is aimed at Portuguese-speaking users. The ransom note, pasted on the desktop as a HTML file, contains the imagery of the Payday: The Heist game and redirects to the following site:

The ransom note is given the name of !!!!!ATENÇÃO!!!!!, which, translated into English, means !!!!!ATTENTION!!!!!. The hacker/-s of PayDay file-encrypter wants R$950 (Brazilian Reals) payed in bitcoins to 1HGYr8g4Jv9EH6qgvEPFFFN9LYMkivFP7L BTC address. The sum of R$950 is equal to 284.82 USD. This, along with the language of the note, suggest the origin of the coders of PayDay file-encrypter. Five days are given to settle with the criminals. The contact e-mail provided for clearing up the payment requirements is [email protected].

As Regards the Distribution of PayDay Ransomware

PayDay is a trojan ransomware. As it was hinted at the end of the ransom note, users must be more careful, where and what they click. PayDay encrypting trojan is likely to infect the PC of such a user, who clicks the links in spam e-mails and opens their attachments, especially, when these e-mails and their attachments are named like important documentation. Thus, users are advised to keep away from the spam folder of their e-mail box. PayDay file-locker is one of the ransomware viruses, which are spread by launching massive spam e-mail campaigns.

Remove PayDay Ransomware

PayDay encrypting malware is recommended to be removed by running a full system scan with Spyhunter or Malwarebytes. Even though this ransomware is not associated with any other malware, it can possibly be that PayDay ransomware drops some other malware on the infected system. Thus, automatic removal is recommended. Just remember that you need to make the copies of the encrypted files beforehand (for the future decryptor by cyber security experts).

As concerns the decryption of the compromised data, there are three main options at your disposal. First one would be the backup – all the locations other than the local (system) ones – including removable drives, cloud storages, etc. The second option would be checking the local storage known as Shadow Volume Service. The third possibility to recover the lost data is the data recovery software such as Recuva, for instance.

How to recover PayDay Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before PayDay Ransomware has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of PayDay Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to PayDay Ransomware. You can check other tools here.  

Step 3. Restore PayDay Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually PayDay Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover PayDay Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Removal guides in other languages

Leave a Reply

Your email address will not be published. Required fields are marked *