Plam ransomware removal

Plam ransomware is file-encrypting malware from a notorious Djvu/STOP ransomware family. It adds the .plam extension to encrypted files, hence why it’s known as Plam ransomware. It’s one of a couple of hundred ransomware versions this malware family has released.

 

Djvu/STOP malware family is notorious for releasing ransomware on a regular basis. They are all mostly identical but can be differentiated by the extensions added to encrypted files. This one adds .plam. Plam ransomware is one of the most recent releases, with Cosd, Qlkm, Pola, and Wbxd following closely behind.

As you likely already noticed, you are not able to open any files that have that extension. And you will not be able to until you use a special decryptor. But unfortunately, the only people with the decryptor are the ones operating this ransomware. They will try to sell it to you, as explained in the _readme.txt ransom note dropped in folders containing encrypted files. According to the note, depending on how quickly you contact the cyber criminals, the price for the decryptor would be different. The regular price is $980 but if you make contact within the first 72 hours, the price would become $490. Whether that is actually the case or not, there are some risks involved in paying the ransom. Keep in mind that these are cyber criminals you are dealing with, which means that they won’t necessarily feel obligated to help you. Unfortunately, many users in the past paid the ransom but did not receive anything. And even when a decryptor is sent, it doesn’t always work as it should. And it should also be mentioned that victims paying the ransom is precisely why ransomware is still such a huge issue, as the payments encourage them to continue.

If you backed up your files prior to the infection, you should have no issues with recovering files. However, before you can safely access your backup, you need to remove Plam ransomware from the computer. We certainly recommend using anti-virus software for that, as ransomware is a complex malware infection.

In case you don’t have backup, your only option may be to wait for malware researchers to develop a free decryption tool. They do release them when possible but one for Plam ransomware may take a while. There is a free Djvu/STOP ransomware decryptor that works for older Djvu versions but only for those that use offline keys to encrypt files. Unfortunately for many users, new versions, which includes Plam ransomware, use online keys for file encryption, meaning they key is different for each victim. Until those keys are released, developing a working decryptor is not possible.

How does ransomware enter a computer?

In a lot of cases, ransomware enters a computer via malspam attachments, torrents, malicious ads, fake updates, etc. Bad browsing habits are usually to blame to allowing an infection to enter. If you learn a few better habits, you should be able to avoid a lot of malware infections.

Malspam is one of the more common ways ransomware can enter. Malicious actors buy email addresses from hacker forums where they ended up after being leaked or hacked. So if your email address has ever been leaked, you probably receive malspam on a regular basis. Malspam is very rarely sophisticated, unless someone is targeted specifically. The first thing you need to check when you receive an unsolicited email with an attachment is check the sender. If the sender’s email address looks completely random but they claim to email with official business, it’s spam. Even if the email address looks legitimate, you still need to be careful. Malspam is also usually full of grammar and spelling mistakes. Furthermore, they pressure users to open the email attachments by claiming they’re some kind of important document that needs to be reviewed immediately. While you should be able to identify malspam fairly easily, we strongly recommend using anti-virus software or VirusTotal to scan all unsolicited email attachments before opening them, just to be sure.

It’s also dangerous to use torrents for pirating, as torrents for popular movies, TV series, games and software often contain malware. Torrent sites are very badly regulated, which allows them easily upload malicious content in torrents disguised as something popular. We highly recommend you do not pirate, especially using torrents, if not because it’s essentially stealing content, then because it’s dangerous for the computer.

We’d also like to stress the importance of installing updates on a regular basis. Updates patch known vulnerabilities, which could otherwise be used by malware to get into the computer. If possible, enable automatic updates.

Files currently cannot be decrypted for free

One of the first signs of this ransomware being present is a fake update window that says “Installing important updates Windows”. It’s a rather fake looking update window so you should be able to tell immediately. The window is shown to distract you from the fact that your files are being encrypted. In a coupe of minutes, it will have encrypted all your personal files, including photos, videos, and documents. You will know which files have been affected by the .plam extension added to them. For example, text.txt will become text.txt.plam. Until you use a decryptor on these files, you will not be able to open them.

All folders that have encrypted files will have a _readme.txt ransom note that explains how to obtain the decryptor. The note shows two contact email addresses helpmanager@mail.ch and helpmanager@airmail.cc, which you’re supposed to use to contact the ones operating this ransomware to get the decryptor. Whether you pay the ransom is your decision but you should keep something in mind before you consider paying. First of all, the ransomware demands $980 (or $490 if you make contact within 3 days), which is a lot of money for something you may not even get. Like we mentioned above, a lot of users have not received a decryptor after paying.

If you don’t have backup, your only option may be to back up encrypted files and wait for malware researchers to eventually release a free decryptor. While it may not happen immediately, it could be released in the future.

Plam ransomware removal

To delete Plam ransomware, you definitely need to use anti-virus software. It’s not a basic infection so you should not be trying to delete Plam ransomware manually. Once the ransomware is gone, you can access your backup and start file recovery. However, it should be mentioned that removing the ransomware does not mean files will be decrypted.