Payfornature Ransomware - How to remove

Payfornature Ransomware

Payfornature (or PayForNature) ransomware is a new file-encrypting threat associated with JohnyCryptor ransomware virus. This association is based on the ‘‘’’ e-mail provider found in the appended filename extension shared by these two severe cyber threats. Note, PayForNature virus has nothing to do with the preservation of nature and paying these greedy cyber criminals will not save any rainforest tree, believe us.

About Payfornature Ransomware

Payfornature cryptomalware targets not only your personal files but also program files. This means that this virus not only makes your files inaccessible but also causes your programs to malfunction or not to function at all. Yet, Payfornature ransomware leaves %WINDIR% directory untouched and files having Microsoft signature are too tough nuts to be cracked by it. This crypto-malware appends the following extension to the extensions of encrypted filenames: .id-B5611024.{[email protected]}.crypt. The numbers and letters in the extension are random. The infected file will look something like this:{[email protected]}.crypt. As you can see, the contact e-mail is already included in the extension. After the encryption has been successfully accomplished, How_to_decrypt_your_files.txt file pop in every folder of encrypted files and How_to_decrypt_your_files.jpg file swaps your desktop wallpaper. The two files carry the ransom message. The message is:

Your files are encrypted because you don’t give enough attention to the safety of your system.
To decrypt your data, you need to pay us. After payment we will send you the encoder.
We are not liars or cheaters. You pay – we help.
The more time you wait before you pay = the more expensive price. It’s simple. Be reasonable.
Now the price is 3 BTC. After 24 hours, the price will grow to 5 BTC.
Bitcoins buys here
Our purse 1Na3GVsnSwxVSDhcd8WWrvdyqTGPodYJfk

3 BTC (Bitcoins), converted to US dollars, amount to 1,991.35 USD at the moment of writing this article. Respectively, 5 BTC equals to 3,318.39 USD. Quite a sum not to be played ducks and drakes with, that is to say, not to be transferred to the cyber crooks behind Payfornature crypto malware.

How is Payfornature Ransomware Spread?

Payfornature virus Trojan is spread via spam e-mails. It is not specified what kind of spam e-mails distribute this virus. It is generally known that ransomware Trojans make an attempt to pretend local authorities or tricks the victim into opening the e-mail with an unindicated sender. The payload of this ransomware virus is embedded in DOCX, RAR or ZIP files which require macro to be enabled. Once the e-mails or, specifically, their malicious attachments are opened and the macro function is enabled, the executables of Payfornature ransomware begin to plague your computer.

How to Decrypt Files Encrypted by Payfornature Ransomware?

RakhniDecryptor by KasperskyLab has proved to be effective in some cases of number_”@” infection. RannohDecryptor has been also reported to solve the issue of similar viruses. You can follow the links: and for support. Needless to say, if you have backup, you only need to remove Payfortunate malware from your computer’s system. Shadow Volume Service may be unaffected, but there is a slim chance that you will retrieve your data this way. For the time being, make a copy of your infected drive, if the recommended Kaspersky decryptors (or data recovery tools, e.g. Recuva, etc.) do not work, remove this virus until it encrypts further data and brings about more damages and wait for the decryptor to be released (we know it is easier said than done).

Spyhunter or Hitman are powerful enough malware removal tools to fight such encryption Trojans as Payfornature is. Every minute counts. So do not hesitate. Manual removal can be implemented following the step-by-step instructions provided below.

How to recover Payfornature Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before Payfornature Ransomware has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of Payfornature Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Payfornature Ransomware. You can check other tools here.  

Step 3. Restore Payfornature Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Payfornature Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover Payfornature Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
Leave a Reply

Your email address will not be published. Required fields are marked *