{
	"id": "e4f06d00-83fb-470a-8964-6d1f7054dd15",
	"created_at": "2026-04-06T01:32:08.718599Z",
	"updated_at": "2026-04-10T03:21:53.619562Z",
	"deleted_at": null,
	"sha1_hash": "58fb407d98e2bc2f3b4a413ef50328e11c9279bf",
	"title": "PadCrypt: The first ransomware with Live Support Chat and an Uninstaller",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1493332,
	"plain_text": "PadCrypt: The first ransomware with Live Support Chat and an Uninstaller\r\nBy Lawrence Abrams\r\nPublished: 2016-02-14 · Archived: 2026-04-06 01:05:07 UTC\r\nA new ransomware called PadCrypt was discovered by @abuse.ch and further analyzed by MalwareHunterTeam. It is the first ransomware to offer its victims a live support chat feature and an uninstaller. CryptoWall was the first ransomware to provide customer support on its payment sites, but PadCrypt's use of live chat allows victims to interact with the malware developers in real time. A feature like this could potentially increase the number of payments, as the victim can receive \"support\" and be guided through the confusing process of making a payment.\r\nPadCrypt offers a Live Support Chat Feature\r\nWith the release of PadCrypt, the malware developers take customer support to a new level by offering live chat. In the main screen of the PadCrypt ransomware there is a link called Live Chat, as shown in the image below.\r\nPadCrypt Ransomware Screen\r\nIf a user clicks on the Live Chat option, it will open another screen that allows the victim to send a message to the developers. When the developers respond, their reply will be shown in the same screen.\r\nhttps://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/\r\nPage 1 of 7\r\nLive Chat feature of PadCrypt\r\nAt this time, the Command \u0026 Control servers for PadCrypt are offline, so the ransomware will not actually encrypt anything even though it shows you the ransomware screen. Furthermore, as the live support chat requires an active C2 server, the live chat functionality is broken as well.\r\nPadCrypt makes it easy to remove the infection\r\nFor those who wish to remove the infection, PadCrypt makes it easy by also downloading and installing an uninstaller. We recently saw a ransomware that allows you to enable and disable its autorun, but this is the first time we have seen a ransomware that provides an uninstall program as well. When PadCrypt is installed, an uninstaller will also be downloaded and installed at %AppData%\\PadCrypt\\unistl.exe. Once the uninstaller is executed, it will remove all ransom notes and files associated with the PadCrypt infection. Unfortunately, all encrypted files will remain encrypted.\r\nRansomware developers love CryptoWall\r\nThere is something about CryptoWall that other ransomware developers just love to imitate. This is also the case with PadCrypt, as the executable has numerous references to CryptoWall in it. For example, the PDB path for the PadCrypt executable is:\r\nC:\\Users\\user\\Documents\\Visual Studio 2013\\Projects\\Cryptowall 2.0\\Cryptowall\\bin\\Debug\\Obfuscated\\PadCrypt.pdb\r\nThere are also numerous references to CryptoWall within the C# project for this ransomware. For example, one of the namespaces for the ransomware is called Cryptowall.\r\nCryptoWall Namespace\r\nPadCrypt Encryption Process\r\nUpdated on 2/15/16 with more information about the encryption process. Thanks to MalwareHunterTeam.\r\nPadCrypt is distributed via spam that contains a link to a zip archive, which contains what appears to be a PDF file with a name like DPD_11394029384.pdf.scr. This \"PDF\" file, though, is actually an executable renamed to have the .scr extension. When executed, it downloads the package.pdcr and unistl.pdcr files from the now disabled Command \u0026 Control servers. The known C2 servers used by this ransomware include annaflowersweb.com, subzone3.2fh.co, and cloudnet.online. The package.pdcr file is the PadCrypt executable and the uninstl.pdcr file is the uninstaller. Both of these files will be stored in the %AppData%\\PadCrypt folder.\r\nWhen PadCrypt.exe encrypts files, it will encrypt any data files, regardless of extension, that are in the targeted folders. When encrypting a victim's files, it starts by scanning and encrypting the following folders:\r\nC:\\Users\\[login_name]\\Downloads, C:\\Users\\[login_name]\\Documents, C:\\Users\\[login_name]\\Pictures, and C:\\Users\\[login_nam\r\nWhen it has finished encrypting those folders, it will then scan the C: drive and encrypt all files that are not located in the following folders or that contain the strings ProgramData, PerfLogs, Config.Msi, and $Recycle.Bin:\r\nC:\\Users, C:\\NVIDIA, C:\\Intel, C:\\Documents and Settings, C:\\Windows, C:\\Program Files, C:\\Program Files (x86), C:\\System\r\nFinally, PadCrypt will enumerate all local drives and encrypt any files that are detected.\r\nDuring the encryption process, PadCrypt will also delete the Shadow Volume Copies on the computer by executing the following command:\r\nvssadmin delete shadows /for=z: /all /quiet\r\nWhen it has finished encrypting the data, it will create an IMPORTANT READ ME.txt file on the desktop that contains ransom instructions, as shown below.\r\nIMPORTANT READ ME.txt\r\nFinally, it will show the ransom screen as shown below.\r\nPadCrypt Ransomware Screen\r\nThis ransom screen provides instructions on how to make a 0.8 bitcoin payment or a ~$350 payment via PaySafeCard or Ukash. The instructions also state that you have 96 hours to make the payment or the key will be destroyed.\r\nAt this time, it is unknown if there is a way to decrypt these files for free, but if we learn anything further we will be sure to post it.\r\nPadCrypt goes retro with its decrypter\r\nPadCrypt is a ransomware with many surprises, including its colorful retro decryption program. When run, the decrypter will import a list of encrypted files from %AppData%\\PadCrypt\\Files.txt.\r\nPadCrypt Decrypter\r\nWhen a victim types start and presses enter, the decrypter will look for the decryption key in the %AppData%\\PadCrypt\\data.txt file. If one is detected, it will decrypt any encrypted files listed in the Files.txt file.\r\nFiles associated with PadCrypt\r\n%Desktop%\\IMPORTANT READ ME.txt\r\n%AppData%\\PadCrypt\\unistl.exe\r\n%AppData%\\PadCrypt\\decrypted_files.dat\r\n%AppData%\\PadCrypt\\File Decrypt Help.html\r\n%AppData%\\PadCrypt\\PadCrypt.exe\r\n%AppData%\\PadCrypt\\Files.txt\r\nRegistry entries associated with PadCrypt\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run \"Microsoft Corp\" = \"%AppData%\\PadCrypt\\PadCrypt.exe\"\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run \"PadCrypt\" = \"%AppData%\\PadCrypt\\PadCrypt.exe\"\r\nHKEY_CURRENT_USER\\Control Panel\\Desktop \"Wallpaper\" = \"%AppData%\\PadCrypt\\Wallpaper.bmp\"\r\nHKEY_CURRENT_USER\\Control Panel\\Desktop \"WallpaperStyle\" = 1\r\nHKEY_CURRENT_USER\\Control Panel\\Desktop \"TileWallpaper\" = 0\r\nSource: https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/"
	],
	"report_names": [
		"padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller"
	],
	"threat_actors": [],
	"ts_created_at": 1775439128,
	"ts_updated_at": 1775791313,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/58fb407d98e2bc2f3b4a413ef50328e11c9279bf.pdf",
		"text": "https://archive.orkl.eu/58fb407d98e2bc2f3b4a413ef50328e11c9279bf.txt",
		"img": "https://archive.orkl.eu/58fb407d98e2bc2f3b4a413ef50328e11c9279bf.jpg"
	}
}