PadCrypt targets Windows OS and spreads through spam email containing an executable script disguised as a PDF file. Once installed, PadCrypt encrypts all data that resides in the targeted folders as well as on local drives and changes their file extensions to .ETC or .padcrypt. It also deletes Shadow Volume Copies to prevent file recovery. PadCrypt is the first variant that comes with its own “Live Chat Support” feature for victims to contact the ransomware developer directly in order to navigate through the ransom payment process. In some instances, the developer may use it to initiate contact with the victim. It downloads its own uninstaller that can remove the malware but will not decrypt the encrypted files.
UPDATE 11/14/2016: PadCrypt 3.0 has been spotted in the wild and it includes an affiliate program to encourage distribution. It has also been observed masquerading as a Visa Credit Card Generator and stealing server account information from the open-source FTP software, FileZilla.
UPDATE 5/9/2017: Security researchers at Bleeping Computer discovered a new NemeS1S RaaS portal used to distribute PadCrypt. It appears that access is limited to trusted distributors as newly registered users are not currently able to buy a license and join the affiliate program which may keep the number of PadCrypt infections low.
- Bleeping Computer provides more information about PadCrypt, available here.
- The NJCCIC is not aware of any decryption tools available for PadCrypt.