
PayDay Ransomware

Posted: December 13, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 279
First Seen: December 13, 2016
Last Seen: October 7, 2019
OS(es) Affected: Windows

The PayDay Ransomware is a Trojan that uses encryption to block you from opening your files until you decrypt them or restore spare copies by other means. Symptoms can include renamed encrypted files and new Web pages (ransom demands) placed on your desktop. The usual anti-malware protocols should remain effective at stopping the PayDay Ransomware and removing the threat before any file damage occurs.

All the Sex Appeal of Handing Con Artists Your Cash

Although the year is drawing to a close, the reign of pseudo-open source threats like Hidden Tear has yet to end, with con artists still happy to reuse its code in new Trojans. The latest byproduct of these efforts is the PayDay Ransomware. Malware experts have added it to the small collection of file-encoding Trojans currently active in Brazil, a group that also includes the Nmoreira Ransomware and the Crypter-2016 Ransomware.

Although that nation is more often known for being victimized by finance-hijacking spyware, the PayDay Ransomware is a traditional encryptor that uses AES ciphers to modify the infected PC's media. Various formats of images, audio, documents, and other media are on its list of targets for encoding, a process that blocks them from opening afterward. Although the PayDay Ransomware claims to use AES-256, most threats of its category that reference a particular encoding method tend to misrepresent it, to make the encryption seem exceptionally difficult to crack.

Also noteworthy is the extension that the PayDay Ransomware, like most threats of its classification, appends to the end of filenames. Besides being in English, the '.sexy' extension is not used by any other Trojan family with a file-encoding payload.

The PayDay Ransomware places an HTML note on your desktop, which malware experts can confirm is generated dynamically rather than linking to a live page. The Portuguese-language note explains the attack and offers help with restoring your data in exchange for a Bitcoin ransom (950 Brazilian Real, or 285 in USD). Other than the language and some new formatting choices (such as new font colors), malware experts find that this message conforms to the templates seen in older file-encryption Trojans' campaigns.

Denying Trojan Authors Their Unearned PayDay

Malware experts anticipate that the PayDay Ransomware's infection vectors will focus on personal computer users through methods such as bundling with pirated software. Its formatting and minor asking price for decryption assistance also make it unlikely, but not impossible, that business organizations are intended targets. Because it uses code borrowed from prior, thoroughly-examined threats, many brands of anti-malware software already have accurate detection rates against the PayDay Ransomware, although almost half of the major brands still fail to identify it.

Unless cyber security researchers release a decryption tool customized for the PayDay Ransomware, backing up your content routinely is the most reliable way to avoid any need to recover your files by paying the ransom. Previously-released Hidden Tear decryption software may also offer a less surefire way of recovering the lost content. Victims should remember that renaming the files or removing the PayDay Ransomware's extension has no effect on the actual encryption, which continues to block the data regardless of its name.

As regional threat actors adjust to different means of profiteering, PC users in different nations will have to monitor their systems for security flaws. While most anti-malware products should find deleting the PayDay Ransomware a simple task, a brush with this threat can cause other problems that are impossible to undo.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: wmphostk.exe
Path: %SYSTEMDRIVE%\Users\<username>\appdata\roaming\windows media player\wmphostk.exe
Size: 197.12 KB (197120 bytes)
MD5: 941fe30251abc09b0c9384f319bd635e
Detection count: 183
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: June 26, 2020

File name: nsis.exe
Path: c:\Users\<username>\appdata\local\temp
Size: 1.21 MB (1210430 bytes)
MD5: c8abe202c373acfdf8aef1ed7952e109
Detection count: 73
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: February 4, 2019
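The '.sexy' extension described above and the two dropped files listed here are the indicators a responder would sweep a disk for. The following script is an added example, not code from the original write-up or from any vendor tool: it walks a directory tree, flags files carrying the extension, and separates dropped-file hits confirmed by the page's MD5 hashes from files that merely share a name. The sample tree it builds is constructed for the demonstration; the file paths and contents are not real infection artifacts.

```python
import hashlib
import os
import tempfile

# Indicators from this write-up: the '.sexy' extension appended to encrypted
# files and the two dropped executables with their reported MD5 hashes.
RANSOM_EXTENSION = ".sexy"
DROPPED_FILES = {
    "wmphostk.exe": "941fe30251abc09b0c9384f319bd635e",
    "nsis.exe": "c8abe202c373acfdf8aef1ed7952e109",
}

def md5_of(path):
    """MD5 of a file, hashed in chunks so large files are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_tree(root):
    """Walk root and sort hits into three buckets. A file that only shares a
    dropped executable's name is kept apart from a hash-confirmed one: the name
    is a weak indicator, the MD5 is the strong one."""
    hits = {"encrypted": [], "dropped_confirmed": [], "dropped_name_only": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(RANSOM_EXTENSION):
                hits["encrypted"].append(full)
            expected = DROPPED_FILES.get(name.lower())
            if expected is None:
                continue
            confirmed = md5_of(full) == expected
            hits["dropped_confirmed" if confirmed else "dropped_name_only"].append(full)
    return hits

def build_sample_tree():
    """Constructed sample: one 'encrypted' document, one untouched file, and a
    benign file that merely shares the dropped executable's name."""
    root = tempfile.mkdtemp(prefix="payday_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "budget.xlsx" + RANSOM_EXTENSION), "wb") as fh:
        fh.write(b"\x00constructed ciphertext placeholder\x00")
    with open(os.path.join(docs, "notes.txt"), "w") as fh:
        fh.write("untouched file")
    with open(os.path.join(root, "nsis.exe"), "wb") as fh:
        fh.write(b"MZ constructed stand-in, not the real dropper")
    return root
```

Run `scan_tree(build_sample_tree())` to see the buckets; on a real system, point `scan_tree` at the user profile and treat only the hash-confirmed bucket as a firm match.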
