Payms Ransomware

What is Payms Ransomware?

Payms Ransomware is a serious threat if it manages to “set foot” on your operating system. This ransomware seems to be a new variant of Jigsaw Ransomware, which is reported to be sold on the Dark Web for $139. Infecting your system with this malware serves only one purpose: to extort money from you for decrypting your files. So after encrypting your personal files in practically all directories, it informs you about the payment method. Whether you pay or not is a sensitive matter and is totally up to you. But we do not recommend paying, since these criminals may not decrypt your files even if you pay, and technical failures during the process could sabotage the decryption as well. Also consider what your files are worth to you, because a few old documents and pictures may not be a big loss. As a matter of fact, you should also be able to find a working file recovery tool, since our malware experts say that the decrypter used for Jigsaw has been updated and should work for this ransomware as well. Nevertheless, and most importantly, you should remove Payms Ransomware right away in order to stop this nightmare.

Where does Payms Ransomware come from?

According to our specialists, this infection is mostly spread via spam e-mails. The malicious file could be disguised as a .doc or .pdf document. You need to be very cautious when you open e-mails in your inbox. You may think that all mails that you find there are safe to open. Unfortunately, this is not true. Such spam can evade your spam filter and end up in your inbox. What is worse, this spam can look like a mail that you need to check urgently, including its attachment. The subject of this spam can refer to an invoice that needs to be revised or paid, or a fine you have not settled; practically anything that can make you click on the mail and download the attached malicious file.

Knowing this, you may be able to prevent similar infections from entering your computer. All it takes is a little more attention on your part. Do not open suspicious mails and their attachments; this is a basic rule. Of course, criminals and their methods evolve too, and their spam may actually look like a legitimate mail. Therefore, it is up to you to understand the risks. We believe that it is always better to double-check whether a mail and its attachment were really meant for you than to end up with a major threat, such as Payms Ransomware. If this infection managed to sneak onto your machine, it is quite likely that you do not have proper protection, i.e., an anti-malware application installed. Therefore, we suggest that after you remove Payms Ransomware from your system, you run a reliable malware scanner to identify all other possible threats.

How does Payms Ransomware work?

This ransomware uses the AES (Advanced Encryption Standard) algorithm, which is indeed a built-in Windows encryption algorithm. The targeted file extensions are the following: .3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .raw, .rb, .rtf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, and .java. As you can see, Payms Ransomware takes a lot of hostages. In fact, most of your documents, photos, videos, music and program files get encrypted and their extensions changed to “.payms”, “.paymst” or “.pays”. Once the damage is done, a text file called “Payment_Instructions.txt” is placed on your desktop.

The ransom note also opens on your desktop and informs you about the encryption and that you have to pay $150 in Bitcoins to get your files back. If you fail to pay within 24 hours, the fee becomes $225. You are also threatened that if you try to tamper with this program, all your files will be deleted. Obviously, this could scare a lot of inexperienced computer users, who would rush to get some Bitcoins to pay the ransom ASAP. However, before you decide to lighten your bank account by that amount and reject the idea of removing Payms Ransomware, we would like to give you some food for thought.

First of all, there could be technical failures. Payms Ransomware may lose its connection to the C&C (Command and Control) server through which it would retrieve your decryption key, or through which the criminals would initiate the decryption process. Without that connection, decryption is clearly impossible. In other words, even if you have paid the fee, you may not be able to recover your files. Another possible scenario is that these criminals have no intention at all of decrypting your files once they get your money. Finally, a working decryption tool for this ransomware may be available on the web. Our specialists say that it is possible to find an updated version of the Jigsaw tool. We do not recommend that you try to download and use it if you are not an advanced computer user. It would be best to find an IT expert friend or talk to a professional. But before you go about decrypting your files, you should delete Payms Ransomware from your system.

How to delete Payms Ransomware

If you have made up your mind and you are ready to act, here is what you should do to remove Payms Ransomware from your PC. First of all, you should kill the process that this infection is running. Since Task Manager is not blocked by this ransomware, you can launch it and look for a suspicious process. You can also stop it from starting again by deleting its Windows Registry entry. Then, you can remove the folders and files this threat creates on your system. As a matter of fact, the folder name may differ depending on the version of this ransomware. Please follow our instructions below if you are ready to manually erase this infection from your PC. In order to avoid similar malware infections, it would be important for you to consider installing a reliable anti-malware application. If you have a problem with the removal of Payms Ransomware, please let us know by leaving a comment below.

Remove Payms Ransomware from Windows

  1. Press Win+R and type in regedit. Click OK.
  2. Locate the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key and look for a suspicious value name that has “%LOCALAPPDATA%” or “%Appdata%” as value data and delete it.
  3. Exit the editor.
  4. Press Win+E.
  5. Find the suspicious folder of this infection (the same name as in the registry value name) in the “%LOCALAPPDATA%” and “%Appdata%” directories and delete it.
  6. Bin the “Payment_Instructions.txt” from your desktop.
  7. Empty your Recycle Bin.
  8. Restart your computer.
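As an added, read-only companion to the manual steps above (this script is not part of the original article), the following PowerShell audit lists Run-key entries whose command points into %LOCALAPPDATA% or %AppData% (step 2), checks whether a folder named after each such value exists there (step 5), counts files carrying the ".payms", ".paymst" and ".pays" extensions, and looks for "Payment_Instructions.txt" on the desktop. It deletes nothing; review its output, then carry out the steps.

```powershell
# Added example, not from the original article: audit only, no deletions.
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$userDirs = @($env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ }
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

Write-Host "== Autostart entries under $runKey =="
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }    # skip registry provider metadata
        $data = [string]$p.Value
        # Expand %LOCALAPPDATA% / %AppData% so literal and already-expanded forms both match
        $expanded = [Environment]::ExpandEnvironmentVariables($data)
        $hit = $userDirs | Where-Object {
            $expanded.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
        }
        if ($hit) {
            Write-Host ("SUSPICIOUS  {0} = {1}" -f $p.Name, $data)
            # Step 5 of the guide: the folder on disk carries the same name as the value
            foreach ($d in $userDirs) {
                $folder = Join-Path $d $p.Name
                if (Test-Path $folder) { Write-Host "            folder exists: $folder" }
            }
        } else {
            Write-Host ("ok          {0} = {1}" -f $p.Name, $data)
        }
    }
} else {
    Write-Host "no Run entries for the current user"
}

Write-Host "`n== Files with Payms-style extensions under $env:USERPROFILE =="
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in @('.payms', '.paymst', '.pays') }
$encrypted | Group-Object Extension | ForEach-Object {
    Write-Host ("{0,-8} {1,6} file(s)" -f $_.Name, $_.Count)
}
if (-not $encrypted) { Write-Host "none found" }

Write-Host "`n== Ransom note =="
$note = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Payment_Instructions.txt'
if (Test-Path $note) { Write-Host "present: $note" } else { Write-Host "not found on desktop" }
```

Run it from a normal (non-elevated) PowerShell session as the affected user, since the Run key and the profile directories it inspects are per-user.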
