
PayDOS Ransomware

Posted: November 4, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 86
First Seen: November 4, 2016
OS(es) Affected: Windows


The PayDOS Ransomware is a batch file-based Trojan that modifies the names of your files automatically and displays a ransom message, misrepresenting the renamed content as being encrypted. Since the PayDOS Ransomware doesn't conduct actual encoding attacks, victims can opt for several recovery methods that don't require any specialized decryption assistance. Although this is a low-level threat, other Trojans may install it, and removing the PayDOS Ransomware should include conclusive anti-malware scans of your PC to guarantee its safety.

Back to DOS with Paper-Thin Ransom Attempts

It isn't unusual for threat authors to try to convince their victims that a Trojan is more powerful than its real capabilities. This intentional misinformation often takes forms such as claiming that the Trojan uses a more advanced method of encryption than it does, or warnings about time-based, file-deleting attacks (as per the Jigsaw Ransomware). In some samples, like the PayDOS Ransomware, malware experts even see Trojans claiming that they're encrypting content when they don't have any form of data-encoding functionality at all.

Although the original installer for the PayDOS Ransomware is an executable, its body is a batch file-based script meant for DOS and Windows. When launched, the script generates Command Prompt-based instructions that modify the names of any files in various default Windows folders, such as Documents. The Trojan changes only one letter in each name's extension, making it unreadable to the associated programs temporarily. However, the PayDOS Ransomware doesn't accompany the name change with an encryption attack that would lock the user out of the file permanently.

The PayDOS Ransomware's CMD window also displays text corresponding to the usual extortion message asking for Bitcoin payment before the threat actor 'decrypts' your data. Paying would provide no benefit; even without access to the PayDOS Ransomware's imitation decryption feature, PC users can rename their files manually, so the attack causes no permanent damage to them.
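The page states that the Trojan changes a single letter of each file's extension and that victims can simply rename the files back. The script below is an added example (not PayDOS code and not from the original article) of how a responder could automate that manual recovery: because the page does not say which letter is altered, it tries every one-character substitution against an assumed list of common extensions and, where the true type has a known magic-byte signature, confirms the file content before proposing a restored name. The extension list, signatures and sample files are constructed for the demo.

```python
"""Propose original names for files whose extension looks like a known
extension with exactly one character changed (added example; the
extension list and signatures are assumptions, extend as needed)."""
from pathlib import Path
from typing import Dict, List, Optional
import tempfile

# Known extensions and the leading bytes each type usually starts with
# (None = no reliable signature, so the name match alone is accepted).
KNOWN = {
    "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "zip": b"PK\x03\x04",
    "pdf": b"%PDF", "png": b"\x89PNG", "jpg": b"\xff\xd8\xff",
    "doc": b"\xd0\xcf\x11\xe0", "txt": None,
}

def one_char_candidates(ext: str) -> List[str]:
    """Known extensions that differ from `ext` in exactly one position."""
    ext = ext.lower()
    return [k for k in KNOWN if len(k) == len(ext)
            and sum(a != b for a, b in zip(k, ext)) == 1]

def suggest_restore(path: Path) -> Optional[str]:
    """Return the proposed restored filename, or None if the extension is
    already known or no single-substitution candidate fits the content."""
    ext = path.suffix.lstrip(".")
    if not ext or ext.lower() in KNOWN:
        return None
    head = path.read_bytes()[:8]
    for cand in one_char_candidates(ext):   # first content-consistent match wins
        sig = KNOWN[cand]
        if sig is None or head.startswith(sig):
            return path.with_suffix("." + cand).name
    return None

def scan(folder: Path) -> Dict[str, str]:
    """Map each suspicious filename in `folder` to its proposed restore."""
    return {p.name: r for p in sorted(folder.iterdir())
            if p.is_file() and (r := suggest_restore(p)) is not None}

def demo() -> Dict[str, str]:
    """Build a constructed sample folder and scan it (runs offline)."""
    d = Path(tempfile.mkdtemp())
    (d / "report.pdx").write_bytes(b"%PDF-1.4 constructed sample")  # pdf, f->x
    (d / "photo.jpz").write_bytes(b"\xff\xd8\xff\xe0 sample")       # jpg, g->z
    (d / "notes.txt").write_bytes(b"untouched file")                # known ext
    (d / "fake.pdx").write_bytes(b"not really a pdf")               # magic mismatch
    return scan(d)
```

Run `scan()` against a copy of the affected folder first and apply the proposed renames only after reviewing them, since a substitution can match more than one known extension.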

Commanding Your Command Prompt to Behave

Due to a lack of contact information, current versions of the PayDOS Ransomware seem to be in mid-development. Since malware experts already see an updated version of the PayDOS Ransomware in the form of the Serpent Ransomware, the PayDOS Ransomware is unlikely ever to have a real release against live systems. As a Trojan, its most significant potential damage lies in being able to rename required files and potentially disrupt other programs using them until you can isolate the problem and rename the extensions.

Victims also can enter the code 'AES1014DW256' (which is hard-coded, in contrast to the individualistic keys most file-encrypting Trojans require) into the Trojan's prompt interface. This password launches the PayDOS Ransomware's fake decryption feature, which gives you an automated recovery option.

The PayDOS Ransomware, like most batch script-based threats, is extremely limited in the impact of its payload. While this threat represents substantially less of a risk than real file-encrypting Trojans like the Crysis Ransomware and the Troldesh Ransomware, its unwanted presence does indicate a potential security compromise. Using anti-malware products for removing the PayDOS Ransomware is advisable to account for related issues that could let other Trojans install themselves.

As simple as the PayDOS Ransomware may be, its presence is, in some ways, a boon to the security industry. If nothing else, it offers a clear-cut example of why the victim of a Trojan attack never should take a con artist's word on what's happening.
