Payfornature Ransomware

What is Payfornature Ransomware?

Payfornature Ransomware might be a new variant of a similar infection called JohnyCryptor or other applications that add “” extensions on encrypted data. Our specialists at warn users that the malicious application is dangerous since it can lock not only your personal data but also program files. It is important to mention that the malware should be removed as soon as possible because if you place new files on the computer they could also be encrypted once you restart the system. Therefore, you might be unable to use the computer normally until you erase the threat. To help you with the deletion part we are adding a removal guide below that will show you how to eliminate the malicious program manually.testtesttest

Where does Payfornature Ransomware come from?

It is possible that the Payfornature Ransomware victims might have infected their computer after opening a file sent by email. Thus, it is most likely that the malware is spread with infected attachments that travel through Spam emails. The malicious file could look like an image, text document, invoice, and so on.

How does Payfornature Ransomware work?

As the infected file is executed, Payfornature Ransomware creates two copies of a malicious .exe file. One of it should be placed in the %WINDIR%\SysWOW64 directory and another one in the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup location. The files should have the same title that might be from random letters and digits. Additionally, the infection should also add How to decrypt your files.txt and How to decrypt your files.jpg files in the Startup directory.

Furthermore, Payfornature Ransomware should encrypt all personal data and program files, except the ones that are in the %WINDIR% location or are signed by Microsoft. Thus, users might be unable to use some of the programs that they might have installed or purchased on their own. All locked data should have additional extensions that contain unique user ID number and email address of the malware’s creators. For example, an encrypted image could look like{}.crypt.

To decrypt, locked data users are asked to contact the infection’s developers via email. Most likely, the reply letter would demand you to pay a ransom according to the instructions in the email. At this point, we should warn you that even if you transfer the money, you cannot expect any guarantees. Usually, ransomware’s creators try to convince their victims that they will get the decryption tools, but there are always cases when users end up losing their money for nothing. That is why paying the ransom might be a bad idea.

How to erase Payfornature Ransomware?

If you want to continue using the infected computer, we advise you to delete Payfornature Ransomware immediately. After testing the threat, our researchers found out that it can encrypt new data if the user does not erase the malware. Luckily, the removal part is not that complicated, especially if you know where to look for malicious files. Mainly, you will have to get rid of two executable files that have the same random title. The instructions below will tell you their exact locations. Also, it is possible to eliminate the infection with an antimalware tool, although you would have to install it again because even if you had such a tool, its files should have been locked as well.

Remove Payfornature Ransomware

  1. Open the Explorer (Windows Key+E).
  2. Insert given directory %WINDIR\SysWOW64 and press Enter.
  3. Find a malicious executable file with a random title, right-click the file and select Delete.
  4. Find this path %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  5. Locate and delete the malicious executable file, How to decrypt your files.jpg, and How to decrypt your files.txt.
  6. Close the Explorer and empty the Recycle bin.
100% FREE spyware scan and
tested removal of Payfornature Ransomware*

Leave a Comment

Enter the numbers in the box to the right *