PayDay Ransomware

Posted: December 13, 2016

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	10/10
Infected PCs:	279

First Seen:	December 13, 2016
Last Seen:	October 7, 2019
OS(es) Affected:	Windows

The PayDay Ransomware is a Trojan using encryption to prevent you from opening your files, a state that persists until you can decrypt them or retrieve their spare copies through other means. Potential symptoms can include changes to the names of any encrypted data along with the addition of new Web pages (demands for ransom payments) on your desktop. All the usual anti-malware protocols should continue being effective at stopping the PayDay Ransomware and removing the threat before any file damage can occur.

All the Sex Appeal of Handing Con Artists Your Cash

Although the year is drawing to a close, the reign of pseudo-open source threats like Hidden Tear has yet to end, with con artists more than happy to continue using its code to create new Trojans. The latest byproduct of these efforts is the PayDay Ransomware. Malware experts added the threat to the small collection of file-encoding Trojans currently active in Brazil, a group also including the Nmoreira Ransomware and the Crypter-2016 Ransomware.

Although that nation is more often known for being victimized by finance-hijacking spyware, the PayDay Ransomware is a traditional encryptor and uses AES ciphers to modify the infected PC's media. Various formats of images, audio, documents, and other media are white-listed for possible encoding, a process blocking them from opening afterward. Although the PayDay Ransomware claims to use AES-256, most threats of its category referencing particular encoding methods tend to misrepresent them (to make the encryption seem exceptionally difficult to crack).

Also noteworthy is the PayDay Ransomware's extension that, as per most threats of the same classification, it adds to the end of the filenames. Besides being in English, the '.sexy' extension is not in use in any other Trojan families with file-encoding payloads.

The PayDay Ransomware places an HTML note on your desktop, which malware experts can confirm as being generated dynamically, as opposed to a link to a live page. The Portuguese-language note offers an explanation of the attack, along with giving help for restoring your data at the cost of a Bitcoin ransom (950 Brazilian Real, or 285 in USD). Other than the language and some new choices in formatting (such as new font colors), malware experts find that this message conforms to previous templates they see in old file-encryption Trojans' campaigns.

Denying Trojan Authors Their Unearned PayDay

Malware experts anticipate the PayDay Ransomware's infection vectors to be focusing on personal computer users through such methods as bundling with pirated software. Its formatting and minor asking price for any decryption assistance also makes it unlikely, but not impossible, that any business organizations are intended targets. Because of its using code borrowed from prior, thoroughly-examined threats, many brands of anti-malware software do have accurate detection rates against the PayDay Ransomware, although almost half of most major brands do still fail at identifying it.

Unless cyber security researchers release a decryption tool customized for the PayDay Ransomware, backing up your content routinely is the most reliable means of avoiding any need to recover your files by paying the ransom. Previously-released Hidden Tear decryption software also can offer a less surefire way of recovering the lost content. Victims should remember that renaming the files or removing the PayDay Ransomware's extension has no impact on the actual encryption, which will continue blocking the data, regardless of its name.

As different regional threat actors adjust to different means of profiteering, PC users in different nations will have to monitor their systems for security flaws. At worst, while most anti-malware products should find deleting the PayDay Ransomware a simple task, brushes with this threat can instigate other problems that are impossible to undo.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%SYSTEMDRIVE%\Users\<username>\appdata\roaming\windows media player\wmphostk.exe

File name: wmphostk.exe
Size: 197.12 KB (197120 bytes)
MD5: 941fe30251abc09b0c9384f319bd635e
Detection count: 183
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\Users\<username>\appdata\roaming\windows media player\wmphostk.exe
Group: Malware file
Last Updated: June 26, 2020

c:\Users\<username>\appdata\local\temp\nsis.exe

File name: nsis.exe
Size: 1.21 MB (1210430 bytes)
MD5: c8abe202c373acfdf8aef1ed7952e109
Detection count: 73
File type: Executable File
Mime Type: unknown/exe
Path: c:\Users\<username>\appdata\local\temp
Group: Malware file
Last Updated: February 4, 2019