Payfast Ransomware

Payfast Ransomware

Payfast is a Ransomware virus that encrypts valuable user files and changes their extensions to .payfast, thus making them inaccessible without the private decryption key. Payfast then generates a ransom note on the infected computer in which it demands Bitcoin ransom.

In addition to appending the .payfast extension to the file it encrypts, the Payfast Ransomware also adds a unique user ID that the virus has assigned to the victim next to the extension. In other words, if a file, in its regular unencrypted state is named example.txt, once encrypted by Payfast, the file’s name would change to example.payfast511.331-576-670, where the unique user ID is 511.331-576-670. If you have any files with this or another similar extension, this means they’ve been encrypted and you’d be unable to access them through conventional means.

In many cases, unfortunately, in order to access a ransomware-encrypted file, one would need the decryption key that’s held by the hackers and wouldn’t be able to open those files in any other way. Despite this, there are certain alternatives that you can try, which is also the course of action that we recommend. Paying the ransom is obviously also an option, going for it could have particularly unpleasant consequences – you could end up wasting any money you send to the hackers without ever getting your files back (which could be for a number of reasons and not only the hackers’ unwillingness to keep their promise of providing you with the decryption key).

The Payfast Virus

The Payfast Virus is an advanced malware program categorized as Ransomware due to its ability to silently enter the system and encrypt the user’s most valuable files. Once Payfast encrypts the targeted data, it creates a notepad file labeled!!! ALL YOUR FILES ARE ENCRYPTED !!!.txt.

This file serves the purpose of informing the victim about the requested ransom sum, the methods of paying it, as well as the consequences that could occur should the user refuse to send the money or try to unlock the sealed files on their own.

The ransom that the hackers behind Payfast demand is in the Bitcoin currency because transactions in Bitcoin are extremely difficult to trace and so this ensures that the hackers can stay anonymous. The amount of Bitcoins demanded by the blackmailers is 0.013 BTC. According to the ransom note, this BTC amount is worth $500 when converted. At the time of writing this article, 0.013 BTC is worth around $650.

According to the note shown by the Ransomware, if the user attempts to unlock the files using third-party decryption software and/or rename the files, this could lead to permanent loss of data.

The note also mentions the possibility of test decryption. The user is allowed to send to the hackers’ email one “not valuable” file that they would decrypt and send back. This is in order to prove that the decryptor that the criminals possess is indeed capable of releasing the locked data. Of course, this still doesn’t give any guarantee that if you pay the ransom, you’d receive the decryptor key.

If you have been attacked by Payfast and some of your important files have been encrypted by it, our advice is to not pay the ransom. Search your other devices and the cloud services that you use for any backups from which you can restore your encrypted data. Also, though there could be some risks associated with trying to decrypt the files on your own using third-party decryptors, it’s also worth pointing out that it’s in the hacker’s interests to give you such a warning in their note. If there’s a free decryptor available for Payfast and it’s from a reputed developer, we suggest using it to restore your files.

The only scenario in which we believe paying the ransom could be a viable (last resort) option is if the files that the virus has locked are so important that they’d be worth the risk of wasting $650 (or more) of your money.

Regardless of what option you choose for file recovery, we still strongly advise you to make the virus removal a top priority for yourself. If you don’t delete it ASAP, you may end up losing even more files to its encryption. Removal instructions for Payfast are available below.


Danger LevelHigh (Ransomware is by far the worst threat you can encounter)
Detection Tool

How to remove Payfast Ransomware

To remove the Payfast Ransomware, be sure to carefully perform each of these steps:

  1. Explore your computer for recently installed software that could have secretly infected you with Payfast and delete it.
  2. Check the list of processes in the Task Manager and if you find a rogue process(es) there, quit it and delete the files related to it.
  3. Reverse any changes made by the Ransomware to your Hosts file and Startup items list.
  4. To remove the Payfast Ransomware, lastly, make sure to clean your system’s Registry.

If you correctly complete these four steps, the Ransomware should be removed from your PC. Before you try to perform them, however, be sure to read the detailed instructions about the steps that you will find below.

Detailed Payfast removal

Step 1

Open Start Menu, type Programs and Features, press Enter, and search in the list that shows up for a program that could be linked to Payfast. Obviously, you will likely not see a Payfast entry in there. However, if you remember recently downloading a sketchy program after which the Ransomware infected you or if there’s a recently installed program in the list that seems suspicious, you should probably uninstall it. Right-click the suspicious program, select Uninstall, and complete the steps in the uninstaller without leaving any data from that program on your computer.

Step 2


Press the Ctrl + Shift + Esc combination from your keyboard and check the Processes tab. If the Ransomware process is still active, it will probably have large RAM memory and CPU usage, so focus on the more resource-intensive items shown there. If there’s a questionable-looking process, try to figure out if it’s from the malware in the following two ways:

Google (look-up) the process you suspect – in case it’s truly a threat, you should quickly come across posts where this is confirmed. Just make sure that you get your information from reputable sources.

Right-click on the process > Open File Location, and then scan the files in that folder for malware. The professional free online scanner below can help you with that. If malware is found in the folder, this means the process is also malicious.

Any malware processes you may find in the Task Manager must be stopped and their location folders must be erased from the PC.

Step 3

You may have stopped the Ransomware process/processes, but Payfast may re-launch it/them. The way you can prevent this from taking place is by booting into Safe Mode, which is what you must do now.

Step 4

Search for and go to Folder Options through the Start Menu, then go to View, check the Show hidden files option, and click OK.

Next, type %AppData% in the Start Menu, press Enter, and when the AppData folder opens, sort the files in it by date and delete the ones created on and after the date Payfast infected you. Next, do the same thing with these next three folders:

  • %LocalAppData%
  • %ProgramData%
  • %WinDir%

Finally, go to the %Temp% folder in the same way, and delete everything that’s in it.

Step 5

Using the Start Menu, search for and go to msconfig, which will open the System Configuration settings. Click on the Startup tab, then look for items you are not familiar with and ones that don’t have a known manufacturer (see the manufacturer column), untick them, and click on OK.

Next, visit the C:/Windows/System32/drivers/etc folder, where you will see a file named Hosts. Double-click the file, click Notepad, and look for strange IP addresses at the bottom of the text. If such IPs are present, put them in the comments section – we will soon review them and tell you whether you must delete them from Hosts.

Step 6

Open the regedit.exe app by searching for it in the Start Menu and hitting Enter. If Windows requires your Admin approval, click Yes to continue.

When you see the Registry Editor window on your screen, go to Edit > Find, type Payfast, and hit Enter. If the search finds a related item, you must delete it and search again. Make sure that all items from Payfast are deleted from your Registry.

Finally, find these Registry directories in the left panel and open them:

  • HKEY_CURRENT_USER > Software
  • HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
  • HKEY_CURRENT_USER > Software > Microsoft > Internet Explorer > Main

Search in them for files with weird names – for instance, ones that look like this “903uedj84309eik09u4fj9023rut49f”, share their names in the comments, and we will inform you if you’d need to delete the items in question.

Step 7

If everything else has failed and you still think Payfast is on the computer, we suggest using the advanced malware-removal tool from this page. A potential reason why you’ve been unable to manually deal with the virus is that another infection such as a Trojan Horse may be obstructing your attempts to remove Payfast. However, if you use the tool we’ve posted in the guide, it will simultaneously delete all instances of malware from your computer alongside their files and settings.

Once the Ransomware has been taken care of (use our free scanner to test any remaining suspicious files on your computer) our advice is to carefully read the information provided in our How to Decrypt Ransomware guide, where you will learn about the most effective alternative data-recovery solutions.


About the author

Brandon Skies

Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.

Leave a Comment

We are here to help! Use SpyHunter to remove malware in under 15 minutes.

Not Your OS? Download for Windows® and Mac®.

* See Free Trial offer details and alternative Free offer here.

** SpyHunter Pro receives additional removal definitions and manual fixes through its HelpDesk in cases where they are needed.

Spyware Helpdesk 1