PadCrypt is described as a new ransomware family with two unusual features: a live support chat window for its victims and an uninstaller.
Security researchers detected PadCrypt yesterday and believe it was built on top of an older version of the infamous CryptoWall ransomware family.
At this point, the experts are still not sure exactly how this ransomware spreads, though clues hint that it may arrive on users' computers via email attachments disguised as PDF files.
As soon as the user opens the supposed PDF, PadCrypt starts encrypting their files and deletes the Volume Shadow Copies, so that shadow-copy recovery tools cannot restore earlier, unencrypted versions of the files. Once that has happened, the only ways for users to recover their locked files are to pay the ransom or to restore them from an older backup stored offline, where the ransomware cannot reach it.
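The article does not say which command PadCrypt uses to wipe the shadow copies; on Windows that is usually done with vssadmin, wmic shadowcopy, wbadmin or bcdedit, all of which are ordinary administrative tools. The detection below is an added example, not code from the article or from the researchers who analyzed PadCrypt: it scans constructed Sysmon-style process-creation events (the event fields, file paths and PIDs are made up for the example) for those commands and for the PDF-lookalike executable name the infection chain described above would produce, and raises the severity when the shadow-copy deletion is spawned by such a lookalike.

```python
import re
from dataclasses import dataclass

# Command lines that destroy Volume Shadow Copies or disable Windows
# recovery. The commands themselves are real; whether PadCrypt uses any
# particular one of them is not stated in the article (assumption).
SHADOW_WIPE_PATTERNS = [
    ("vssadmin_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vssadmin_resize", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(\.exe)?\s+.*recoveryenabled\s+no\b", re.I)),
]

# A binary whose name ends in a document extension followed by an
# executable extension (invoice.pdf.exe): the "PDF" that is really a program.
DOUBLE_EXTENSION = re.compile(r"\.(pdf|doc|docx|xls|xlsx|txt|jpg)\.(exe|scr|com|pif)$", re.I)


@dataclass
class Finding:
    pid: int
    rule: str
    severity: str
    detail: str


def is_disguised_document(image_path: str) -> bool:
    """True when the executable's file name pretends to be a document."""
    return DOUBLE_EXTENSION.search(image_path) is not None


def analyze(events):
    """Return a Finding for each suspicious event in a list of process-creation dicts."""
    findings = []
    for ev in events:
        image = ev["image"]
        parent = ev.get("parent", "")
        cmd = ev.get("cmdline", "")
        if is_disguised_document(image):
            findings.append(Finding(ev["pid"], "double_extension_executable", "medium", image))
        for name, pattern in SHADOW_WIPE_PATTERNS:
            if pattern.search(cmd):
                # Shadow-copy wiping launched by a document lookalike is the
                # ransomware pattern; from a backup agent or admin shell it
                # still deserves a look but is far more often legitimate.
                severity = "high" if is_disguised_document(parent) else "medium"
                findings.append(Finding(ev["pid"], name, severity, cmd))
    return findings


# Constructed sample events in the shape of Sysmon Event ID 1 (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4312, "image": r"C:\Users\alice\Downloads\invoice.pdf.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Users\alice\Downloads\invoice.pdf.exe"'},
    {"pid": 4320, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Users\alice\Downloads\invoice.pdf.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 4330, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Users\alice\Downloads\invoice.pdf.exe",
     "cmdline": "wmic shadowcopy delete"},
    # Benign: an administrator merely listing shadow copies.
    {"pid": 5000, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},
    # A backup agent pruning old shadow copies: flagged, but only at medium.
    {"pid": 5100, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Program Files\BackupAgent\agent.exe",
     "cmdline": "vssadmin.exe Delete Shadows /For=C: /Oldest"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"pid={f.pid} {f.severity:6} {f.rule}: {f.detail}")
```

The parent-process check is what separates this from a plain keyword match: "vssadmin delete shadows" on its own fires on every backup product, while the same command whose parent is a freshly downloaded document lookalike is almost never legitimate.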
PadCrypt also drops text and HTML ransom notes in every directory where it encrypted files, and shows a popup window with another copy of the ransom note, which demands a payment of 0.8 Bitcoin.
The most intriguing detail of this popup window is a small link in the bottom left corner that reads "Live Chat." Clicking it opens a live support chat window that lets the victim talk to PadCrypt's operators. At the time of writing this feature does not work, most likely because the PadCrypt C&C server is down.
Most CryptoWall versions also offered live support, but theirs was a Web-based chat on the site where victims went to pay the ransom. PadCrypt's chat runs directly on the victim's own machine, with no need to open a browser or install Tor.
Another notable feature of PadCrypt is the presence of an uninstaller (unistl.exe). Users should not get their hopes up, however: this file does not decrypt their data, it merely removes the traces of the ransomware that locked their files. It looks as though PadCrypt's creators used a template when building the program and the uninstaller was generated automatically.
At present PadCrypt does not appear to have any encryption weaknesses, though the security researchers continue to analyze it in the hope of finding a flaw that would allow victims to recover their files without paying.