Ransomware also includes an uninstaller, out of all things. Security researchers have identified a new ransomware family that goes by the name of PadCrypt, which is unique because it provides a live support chat window for all victims, along with an uninstaller.
Detected yesterday, researchers presume that PadCrypt was created on top of an older version of the infamous CryptoWall ransomware family.
Researchers aren’t yet entirely sure how this ransomware spreads, but clues hint at the fact that it may arrive on victims’ computers via email attachments disguised as PDF files.
Once the user opens this PDF, PadCrypt goes to work, encrypting their files and deleting shadow volume data, preventing HDD recovery software from recouping copies of the original unencrypted files. By doing this, users can recover their locked files only by paying the ransom or by restoring them from an older backup, stored offline, where the ransomware can’t reach.
PadCrypt lets victims talk to the ransomware’s operators
At this point, the ransomware will also drop text and HTML files with ransom notes in every directory it locked files in, and will also show a popup window with another copy of the ransom note, which requests payment of 0.8 Bitcoin (~$320 / €285).
What’s strange about this popup window is that it includes a small link in the bottom left corner that reads “Live Chat.” Pressing this link opens a live support chat window that allows the victim to talk to PadCrypt’s operators. Currently, this feature is broken, since the PadCrypt C&C (command and control) server seems to be down.
Many versions of CryptoWall also provided live support, but their version was a Web-based chat that worked via the website where victims would go to pay the ransom. PadCrypt’s feature works directly on the user’s computer, without needing to open a browser or install Tor.
PadCrypt comes with a useless uninstaller
Another weird feature discovered in PadCrypt is the presence of an uninstaller (unistl.exe). Don’t get your hopes up because this file does not decrypt your data, but merely removes traces of the original ransomware that locked your files.
The simplest theory for the existence of this file is that PadCrypt’s author(s) may have used templates when crafting their file, and the uninstaller was generated automatically.
Currently, PadCrypt ransomware does not appear to have any encryption weaknesses, but security researchers from abuse.ch and Bleeping Computer are probing the ransomware further, hoping to discover hidden flaws.