.Plam Virus


.Plam

.Plam is a type of virus program that can blackmail the owners of the computers it infects by blocking their access to some important files. .Plam targets Windows systems and it encrypts the files located on their hard drives in order to make them unusable.

The .Plam virus leaves its ransom message in a file named _readme.txt.

A file encrypted by this virus can’t be accessed via regular means. No conventional program can open the encrypted data because the encryption algorithm has transformed the file’s contents, so the programs users normally rely on to open those files can no longer read them.

The method of data encryption is actually not an inherently harmful process. It originates as an advanced technique used for securing highly important data by making it unavailable to anyone who’s not authorized to have access to it. However, the creators of the first Ransomware cryptoviruses have figured out a way to turn this otherwise highly effective and useful process known as encryption against users. Nowadays, Ransomware viruses are everywhere and each week dozens of new variants are created.

The .Plam virus

The .Plam virus is one of the latest Ransomware variants that silently infect users’ computers to lock up the files stored on them. The .Plam virus is typically undetectable while it is performing its encryption process because it rarely shows any infection symptoms.

Most users only come to learn about the attack on their files once their data has already been sealed and can no longer be accessed without the corresponding decryption key. Each time a Ransomware virus like .Plam, .Pola and Masodas attacks a given computer and begins encrypting the files on that computer, the malware program simultaneously generates a key that can only be used to unlock the files on that specific machine. This key is stored on the computer of the hackers and is offered to the user in exchange for a payment. This ransom payment demanded by the hackers in exchange for the decryption key is the reason this type of virus is called Ransomware.

The .Plam file decryption

The .Plam file decryption is the action of reversing the encryption of the locked files by applying the corresponding key. The .Plam file decryption cannot be completed using the key for another computer or by simply removing the Ransomware virus.

.Plam File

.Plam will encrypt your files and render them unusable.

This means that even if you eliminate the infection, you will still have to find a way to deal with the lockdown on your files. If the encrypted files are not important or if you have backups of them, removing the virus is enough and you won’t need to worry about paying the ransom or finding an alternative recovery option. If, however, there are important files that have been locked and there aren’t any backups of them, we suggest that you first try our removal guide and the alternative file restoration options explained in it instead of directly going for the ransom payment. It is unclear if you could trust the hackers and if they’d actually give you the correct (or any) key after you pay them. Therefore, it is highly advisable to leave the ransom as your last resort and only if you truly cannot afford to temporarily lose access to the encrypted data.

SUMMARY:

Name: .Plam
Type: Ransomware
Data Recovery Tool: Not Available

Remove .Plam Virus

Step 1

The first thing to do when you think or know that a Ransomware virus is operating in your system is to find its process(es) and end them, and then to find the file location of the virus and delete everything that’s in there. You can do that by first starting the Task Manager and looking at the processes listed in its Processes tab. You can open the Task Manager by pressing Ctrl + Shift + Esc together. Once the Manager opens, select Processes and examine the entries listed there. It may be difficult to spot the one that’s coming from the Ransomware, but you must find it. Normally, the Ransomware process would consume large portions of your PC’s RAM and CPU and will probably have a strange and unfamiliar name that doesn’t seem to relate to any of the programs that you have on your computer. Of course, you are not expected to know the names of all processes in your system, so if you don’t recognize the name of a particular process and think that it may be the one run by the Ransomware, look up that process’ name on the Internet; the results will most likely tell you if that is the one you’ve been looking for.


To further confirm that the process you’ve singled out is the one behind the Ransomware, right-click on it from the Task Manager and select Open file location. Scan all the files from the file location of the process with your computer’s antivirus and/or with the powerful online scanner that we have posted below.

Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.

    Obviously, if malicious code gets detected inside any of the scanned files, you should go to the suspicious process in the Task Manager and kill it by right-clicking on it and selecting the End process tree option.

    After that, return to the process’ file location and delete everything that’s in there and then delete the folder itself. If you are not permitted to delete one or more of the files in that folder, leave them for now and only delete the rest. You will come back to this folder to delete the remaining files after you finish the rest of this guide.
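The Task Manager review in Step 1 can also be done from a PowerShell window. The following is an added example, not part of the original guide; the function name Get-ProcessTriage and the "user-writable folder" check are assumptions chosen for illustration. It only reads information and ends nothing.

```powershell
# Added example: list the busiest processes with the details Step 1 asks you to judge
# (resource use, unfamiliar name, file location). Read-only.
function Get-ProcessTriage {
    param([int]$Top = 15)

    # Assumption: executables running from these per-user or shared data folders
    # deserve a closer look than ones under Program Files or System32.
    $writableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP) |
        Where-Object { $_ }

    Get-Process |
        Where-Object Path |                       # skips processes whose path is not readable
        Sort-Object CPU -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            $proc = $_
            $sig  = Get-AuthenticodeSignature -LiteralPath $proc.Path -ErrorAction SilentlyContinue
            $inWritable = [bool]($writableRoots | Where-Object {
                $proc.Path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase)
            })
            [pscustomobject]@{
                Name         = $proc.ProcessName
                Id           = $proc.Id
                CpuSeconds   = [math]::Round([double]$proc.CPU, 1)
                MemoryMB     = [math]::Round($proc.WorkingSet64 / 1MB)
                Company      = $proc.Company
                Signature    = $sig.Status       # Valid, NotSigned, HashMismatch, ...
                UserWritable = $inWritable
                Path         = $proc.Path
            }
        }
}

Get-ProcessTriage | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell window; without elevation, processes owned by other accounts have no readable Path and are left out of the list.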

    Step 2

    WARNING! READ CAREFULLY BEFORE PROCEEDING!

    The next step will involve booting your PC into Safe Mode. Once in Safe Mode, the Ransomware will no longer be allowed to run any of its processes in case you haven’t been able to end all of them. If you have never accessed Safe Mode on your PC before, this guide on how to boot into Safe Mode for all Windows versions will provide you with the necessary instructions.


    Step 3

    Once your computer restarts and you are in Safe Mode, go to the System Configuration app by typing “system configuration” in the Start Menu and selecting the first item from the results. Now select the Startup section and you will be shown the different apps that start automatically when Windows loads. If any of those seem like they could be linked to the Ransomware, you must disable them by removing the tick that’s in front of them. Also, if there are any startup items you do not recognize and/or that are listed as having an “Unknown” manufacturer, disable those as well.


    Finally, to save the changes you’ve made to the Startup settings, click on Ok.

    Step 4

    Next, you must check the Hosts file of the PC – you can open that file by copy-pasting the following line in the Start Menu and then hitting Enter: notepad %windir%/system32/Drivers/etc/hosts.

    Once you are in the Hosts file, you must see if there are any odd-looking IP addresses or other lines of text listed below “Localhost” (towards the bottom of the notepad file). If there are such IPs/lines of text, you must copy them and send them to us via the comments section on this page. We will have a look at them to determine if they are linked to the Ransomware, and we will tell you if you need to do anything about them.


    If we conclude that what you have sent us must not be present in your Hosts file, you will have to delete that text from the file and then click on Edit > Save to apply the changes.
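The Hosts file check in Step 4 can be scripted so that only the lines worth reviewing are shown. This is an added example, not part of the original guide; the function name Get-ActiveHostsEntry is hypothetical, and the script assumes that a stock Windows Hosts file contains only comment lines plus, at most, loopback mappings for localhost.

```powershell
# Added example: parse the Hosts file and list active entries for review. Read-only.
function Get-ActiveHostsEntry {
    param(
        [string]$Path = (Join-Path $env:windir 'System32\drivers\etc\hosts')
    )
    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNo++

        # Everything after '#' is a comment; skip lines that are empty without it.
        $text = ($line -split '#', 2)[0].Trim()
        if (-not $text) { continue }

        # Entry format: <address> <hostname> [<alias> ...], separated by whitespace.
        $fields  = $text -split '\s+'
        $address = $fields[0]
        $names   = @($fields | Select-Object -Skip 1)

        # Assumption: only "127.0.0.1 localhost" / "::1 localhost" are expected.
        $isLoopback    = $address -in '127.0.0.1', '::1'
        $onlyLocalhost = ($names.Count -gt 0) -and
            -not ($names | Where-Object { $_ -ne 'localhost' })

        [pscustomobject]@{
            Line    = $lineNo
            Address = $address
            Names   = $names -join ' '
            Review  = -not ($isLoopback -and $onlyLocalhost)
        }
    }
}

# Show only the entries that differ from the expected localhost mappings.
Get-ActiveHostsEntry | Where-Object Review | Format-Table -AutoSize
```

An empty result means the file has no active entries beyond localhost; any rows that do appear are the lines to copy for review as described above.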

    Step 5

    Step 5 involves going to the Registry of your PC, finding .Plam-related items, and deleting them. However, it may not always be obvious which items are related to the Ransomware and so it may be difficult to tell what to delete. The problem is that if you delete the wrong thing, this could cause serious issues to your system. Because of this, when in doubt, always consult us via the comments section below before deleting something from your PC’s Registry.

    Now, the quickest way to access the Registry Editor is to type regedit.exe in the Start Menu and to press the Enter key. Before the Registry Editor opens, you will have to provide your Admin confirmation, so click on Yes when asked if you are sure you want to allow the Registry Editor app to make changes to the computer. This will open the Editor, and then you will have to select the Edit menu and click on Find. In the small search box, you must type .Plam and hit Enter/click on the Find Next button. If an item with that name is found, select that item, press Del, and confirm the action. After that, search for .Plam again, delete the next found item, and keep repeating this process until nothing more with the name .Plam comes up in the search results.

    The final thing you must do to delete .Plam is to visit these next Registry Editor directories and look in them for folders with unusually long names that seem to comprise randomly arranged letters and/or numbers. In most cases, you would know such a folder when you see it. However, if you are not sure if a particular folder located in these directories is one that you must delete, we once again remind you to first ask us in the comments about it. Now, here are the Registry directories that you must examine:

    • HKEY_CURRENT_USER > Software
    • HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
    • HKEY_CURRENT_USER > Software > Microsoft > Internet Explorer > Main
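The three Registry locations above can be listed from PowerShell before anything is deleted. This is an added example, not part of the original guide; the function names are hypothetical, and the test for "unusually long, random-looking" names (16 or more characters, letters and digits only, at least one of each) is an assumed heuristic rather than a rule from the guide.

```powershell
# Added example: read-only listing of the Step 5 Registry locations.
function Test-RandomLookingName {
    param([string]$Name)
    # Assumed heuristic: 16+ alphanumeric characters containing both letters and digits.
    ($Name -match '^[A-Za-z0-9]{16,}$') -and ($Name -match '[0-9]') -and ($Name -match '[A-Za-z]')
}

function Get-RegistryReviewItem {
    param(
        [string[]]$Path = @(
            'HKCU:\Software',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Internet Explorer\Main'
        )
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }

        # Subkeys: the "folders" shown in the Registry Editor tree.
        foreach ($sub in Get-ChildItem -LiteralPath $p -ErrorAction SilentlyContinue) {
            if (Test-RandomLookingName $sub.PSChildName) {
                [pscustomobject]@{ Location = $p; Kind = 'Key'; Name = $sub.PSChildName; Data = '' }
            }
        }

        # Values stored directly under the key. Under Run, every value is a program
        # started at logon, so all of them are listed, not only random-looking ones.
        $key   = Get-Item -LiteralPath $p
        $isRun = $p -like '*\CurrentVersion\Run'
        foreach ($valueName in $key.GetValueNames()) {
            if ($isRun -or (Test-RandomLookingName $valueName)) {
                [pscustomobject]@{
                    Location = $p
                    Kind     = 'Value'
                    Name     = $valueName
                    Data     = [string]$key.GetValue($valueName)
                }
            }
        }
    }
}

Get-RegistryReviewItem | Format-Table -AutoSize -Wrap
```

The Data column of each Run entry shows the executable path it launches, which can be compared with the file location found in Step 1.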

    Step 6

    Finally, copy each of the lines we have posted below into the Start Menu and hit the Enter key after each one to go to the folders that they correspond to.

    1. %AppData%
    2. %LocalAppData%
    3. %ProgramData%
    4. %WinDir%
    5. %Temp%

    Sort the files in each of the listed folders by date so that the most recent entries are shown at the top and then delete all files created from the moment just before .Plam attacked you to the current moment. In the folder labeled Temp, you should delete all files so simply press Ctrl + A to highlight all of the files, press Del, and confirm the action by clicking on Yes.

    Once you are done with this final step, do not forget to delete the files from the file location of the Ransomware’s process that you weren’t allowed to remove earlier (Step 1) and then delete the folder in which they were contained.
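Before deleting anything in the Step 6 folders, the files created since the attack can be listed for review. This is an added example, not part of the original guide; the function name Get-RecentlyCreatedFile is hypothetical and the two-day window in the last line is a constructed sample value.

```powershell
# Added example: list (not delete) files created since a chosen time in the Step 6 folders.
function Get-RecentlyCreatedFile {
    param(
        [Parameter(Mandatory)]
        [datetime]$Since,

        # The five folders named in Step 6, resolved from their environment variables.
        [string[]]$Folder = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData,
                              $env:windir, $env:TEMP)
    )
    foreach ($dir in $Folder | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
        # Top level only, matching what Explorer shows when the folder is opened;
        # -Force includes hidden and system files.
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $Since } |
            ForEach-Object {
                $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                    -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Created = $_.CreationTime
                    Folder  = $dir
                    Name    = $_.Name
                    SizeKB  = [math]::Round($_.Length / 1KB, 1)
                    SHA256  = $hash.Hash      # empty when the file is locked
                }
            }
    }
}

# Constructed sample window: replace with the moment just before the files were encrypted.
Get-RecentlyCreatedFile -Since (Get-Date).AddDays(-2) |
    Sort-Object Created -Descending |
    Format-Table -AutoSize -Wrap
```

The SHA256 value identifies a file to an antivirus or online scanner lookup without the file itself having to be uploaded.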

    How to Decrypt .Plam files

    Unfortunately, simply removing the Ransomware will not free your files from its encryption. However, you must make sure that the virus is no longer on your computer before you attempt to use any of the alternative file-recovery suggestions that we will show you in a moment. Now that you have hopefully eliminated .Plam, we will show you another guide where we have compiled several different data-restoration methods that may allow you to bring back some of the encrypted files without paying anything to the hackers behind .Plam. If you want to take a look and give a try to our How to Decrypt Ransomware Guide, follow the provided link and you will be redirected to it.

    Final Notes

    If you suspect (or know) that the .Plam virus is still in the computer even after you have completed every step from this guide, we strongly recommend using the advanced and powerful anti-malware tool that you can find linked on the current page as it can quickly take care of any threat with minimal interaction from your side. Also, do not forget to use our professional online malware scanner to test any remaining files you think may be linked to the virus. Finally, know that our comments section is always open for all our readers who need further assistance with the removal of the malicious .Plam virus.


    About the author


    Brandon Skies

    Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.
