How To Remove PadCrypt Ransomware And Recover Files (All Versions)

PadCrypt ransomware appeared more than a year ago but has been constantly evolving since then. Many updates were made and it still remains active.

The first versions changed encrypted files’ extensions to .enc or .etc while the newest one changes them to .padcrypt. The files become unopenable and the victims are redirected to a payment website where they can purchase a decryption key in exchange for BitCoin currency. The website has a live support chat and detailed information on how to make the payment.

The virus also places several .html and .txt ransom notes and changes the desktop background to a red wallpaper with a warning that your files have been encrypted.

Despite the promises to provide you with a decryption software after you make a payment, we would not recommend paying the criminals. There is no guarantee that they will not ignore you or provide a working decryption tool. Also, there is a risk of getting additional infections in case you follow their instructions.

You should remove this ransomware yourself and use alternative file recovery methods. Unfortunately, there is no official decrypter available for PadCrypt ransomware at the moment. However, we suggest trying other ways of retrieving your files.

Start with using the automatic tool below to eliminate the threat first. It is recommended over the manual method since it will not only remove the virus but also protect your computer in the future.

Recommended Method: Download PadCrypt Ransomware Removal Tool

Version:   All Updated:   2 days ago Compatible OS:   All
This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP. Read instructions here
File name Size
mb3-setup.exe 56.5 MB

Click here to download alternative tool

What is PadCrypt ransomware?

This ransomware virus differs from others due to its frequent updates. It first appeared more than a year ago but has been updated several times and changed its looks and operation methods. It is also one of the few viruses that have a live support chat in on their payment website.

PadCrypt spreads through spam email, infected websites and other similar ways common to most of today’s ransomware. It is also available as ransom as a service (RaaS) meaning that everybody can create a copy and distribute it using any means they could think of. The creators share profits with such distributors in hope that PadCrypt will infect as many computers as possible.

Once you launch an infected file PadCrypt activates immediately and starts encrypting your personal data. When finished, it usually changes their extensions to .padcrypt and their names to random strings (e.g. “sample.docx” becomes “FQ1CAV12EYB3DC.padcrypt“. Previous versions also used .enc and .etc extensions.

There have been many updates since the launch of this ransomware. Here is a short list of major PadCrypt updates (newest at the top):

  • April 5, 2017. Version 3.5.0. Website is updated and new ransom notes are displayed.
  • March 23, 2017. Version 3.4.5.
  • March 9, 2017. Version 3.4.0 launched. Pretends to be a Windows driver service.
  • February 28, 2017. Reviews section added to the payment website.
  • February 7, 2017. Ransomware as a service function is launched and called NemeS1S.
  • July 8, 2016. The .padcrypt extension is introduced. The lock screen shows date 01/01/1970. 0.8 BTC is demanded in order to retrieve files.
  • February 24, 2016. Version 2.2.10 is launched, Live Chat is implemented. Includes a function which tries to avoid deploying the ransomware on test computers and virtual machines.

Current ransom notes are called +WANT_YOUR_FILES_BACK.html, +RESTORE_FILES_NOW.html and +WANT_YOUR_FILES_BACK.txt. They are placed in the same folders where encrypted files are located. Here is the text included in the ransom notes:

Don't understand this information? use
!! Your important files have been encrypted with millitary-level encryption !!
This is an important message you should not ignore.
If you're reading this message all files on your hard drive, and connected drives, 
were successfully encrypted by PadCrypt ransomware
using millitary-level encryption.
File encryption was produced using a unique 256-bit key generated specifically for this machine. 
Encryption is a way of securing data and requires a
special key to decipher.
We've encrypted all your files with AES-256 and RSA-1024 ciphers using a secure encryption key. 
You can personally check every file on your computer and verify this.
Due to the the strength of our encryption keys, not even anti-virus softwares can recover your files. 
Searching the internet for solutions is a complete waste of time.

Another text reads as follows:

Why am I seeing this message?
If you are reading this message then the files on this computer have been encrypted 
and PadCrypt has successfully been removed from the system.

Why do my files have strange names?
That’s normal because your files have successfully been encrypted by PadCrypt 3.0 ransomware. 
This includes all important files on your computer such as; photos, documents, and videos present on your computer.

What is encryption?
File encryption was produced using a unique 256-bit key generated specifically for this machine. 
Encryption is a way of securing data and requires a special key to decipher.

The ransom notes also include your “machine ID” which is required to access the payment site. You need to use TOR browser in order to do so or follow links. The payment website instructs you to purchase PadCrypt Decryption Software in order to unlock your files, shows how much time is left and allows you to chat with support.

Currently known web and email addresses related to this ransomware:

Even if you pay the required ransom there is no guarantee that the criminals will actually provide you with a working decryption tool. There is also a risk of getting additional backdoors or infections if you follow their instructions. Therefore, we strongly recommend removing the threat by yourself and trying alternative file recovery methods listed on this page.

We recommend using the automatic tool provided above as it will not only completely remove the virus but also protect your system in the future. Following the manual guide requires Windows operating system knowledge and does not guarantee security afterwards.

Here are some screenshots of PadCrypt ransomware:


 Manual Removal Instructions:

NB: Bookmark this page in order to access it after you restart your computer while working on the removal process! You can also print it out or open on another device.

Editing important Windows files and settings can be risky. We recommend using the automatic removal tool for an easier removal process and in order to avoid any damage to your Windows operating system, since PadCrypt is a complicated and dangerous ransomware.

Do not skip any steps as otherwise the threat might come back again and cause more damage.

Step 1:

Find any processes that might be associated with the PadCrypt ransomware virus and terminate them.

Press CTRL + SHIFT + ESC at the same time to launch Windows Task Manager. You can also launch it by right-clicking on Windows toolbar/startbar and clicking Start Task Manager.

Go to Processes tab.

All currently running processes will be listed.


Right-click on each of the suspicious processes you find in the list and choose Open File Location.

Start by scanning these commonly infected processes:


Also look for other randomly named .exe files. If you find such file mark down the name as you will need to search for it in Windows Registry later.

Go to and upload the opened file for a scan.

If the scan shows that the file is dangerous, right-click on the process and choose End Process, then delete that file in the location you have just opened.

Repeat this until you have checked all suspicious processes.

Step 2:

Check your hosts file for any suspicious IPs.

Press and hold Windows () key and click R key while holding to open “Run” window.

Enter the following in the field:

notepad %windir%/system32/Drivers/etc/hosts

Click OK.

Your hosts.ini file will open in Notepad. Delete any IPs that are not marked with an “#” in front of them except the “ localhost” entry. Here is an example:

Step 3:

Remove suspicious programs from your startup config so they would not launch as soon as you boot your computer.

Hold Windows () key and click R key.

Enter the following in the field:


Click OK.

Go to the Startup tab and uncheck all suspicious entries.

The infected or fake startup items usually have “Unknown” listed as Manufacturer. However, sometimes they might pretend to be legitimate programs.

Check process location by hovering your mouse over the “Command” column. Navigate to the location and scan the file using if it looks suspicious but you are not sure.

Click OK when you are finished unselecting all potentially dangerous processes.

Step 4:

Clean up Windows temporary files as there are usually several PadCrypt ransomware files placed here.

You can safely remove all temporary files without posing any risk to your computer.

Hold Windows () key and click R key.

Enter the following in the field:


Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them permanently by pressing SHIFT + DELETE.

Step 5:

Check for any recent changes in all the other important system files.

PadCrypt usually makes changes to important system files in order to stay undetected.

Hold Windows () key and click R key.

Enter the following in the field:


Click OK.

The ransomware usually creates a folder named PadCrypt so it is quite easy to detect it and delete its contents. You can back up the contents on an external media in case you will need it later.

Search for any other recent changes (by “Date Modified”) as well. Only if you see that a file has just been changed scan it with Remove only files marked as dangerous. Otherwise you might remove critical system files and Windows might stop working.

Repeat this step with the following three directories while being very careful:


Remember that these directories contain many important system files! Be very careful!

Step 6:

Clean up your registry entries.

Hold Windows () key and click R key.

Enter the following in the field:


Click OK.

All Windows registry entries will open.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Search for the ransomware entries by pressing CTRL + F and entering the file extension name in the search field. For example:


Click Find Next.

Repeat search and delete all registry entries associated with the virus.


Step 7:

Use Windows File Search (you can access it from Windows Start Menu by simply pressing Windows () button) in order to find the following files and, if found, delete them (some of them might have been already deleted during the earlier steps):


 Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

We recommend making a backup of the encrypted files on a separate external media in case you are not able to recover the files using our methods.

Check for PadCrypt ransomware file decrypter here: List of currently available decrypters. Currently it is not decryptable but virus researchers might develop a tool in the future so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by enabling recovery since the virus might have turned it off.

Hold Windows () key and click R key while holding to open “Run” window.

Enter the following in the field:


Click OK.

A comand prompt will open.

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter

Step 2:

Restore the old system settings using System Restore. The virus has changed them so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points so this step might be unsuccessful.

Press and hold Windows () key and click R key.

Enter the following in the field:


Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus also tries to delete shadow copies so this step this might be unsuccessful as well. In such case, proceed to Step 4.

Step 4:

Read more on how to restore files (including backups) on our file recovery guide. This guide includes instructions how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup with all encrypted files, store it externally and wait for a .padcrypt decrypter to be created. New free decrypters for various ransomware appear every week but we cannot estimate the waiting time and if it is going to be created at all.

After removing the virus

When you have finished removing the PadCrypt ransomware virus you should protect your computer by installing a good antivirus suite. This will prevent any further infections and fix the current vulnerabilities that have been used by the ransomware to infiltrate your system.

Leave a Reply

Your email address will not be published. Required fields are marked *

Begin typing your search above and press return to search. Press Esc to cancel.