Pay Ransomware Joins Lineup of Xorsits Clones


A new ransomware named simply the Pay ransomware joins the family of file-encrypting ransomware strains based on the Xorsits ransomware codebase.

The Pay ransomware will encrypt nearly all files on the victim system, including widely used media, document, database and archive file formats. Once encrypted, the files become inaccessible and the data in them - practically useless and unreadable.

When a file is encrypted by the Pay ransomware, it receives a new ".Pay" extension appended after its original one. This would make a file that was originally called "" become "" upon complete encryption.

The ransomware drops its note inside a plain text file named "HOW TO DECRYPT FILES.txt". The same text is displayed inside a pop-up window when encryption completes. The ransomware asks for just $50 in ransom payment, to be made using Bitcoin. It is worth mentioning that there is no way to know if victims would ever receive a working decryption tool even if they do pay that modest sum.

The full text of the ransom note is as follows:

Attention! All your files are encrypted!

To restore your files and access them,

Send us 50 USD worth in Bitcoin to this adress

[alphanumeric string]

(?? Bitcoin adress ??)

You have 5 attempts to enter the code.

When that number has been exceeded,

all the data irreversibly is destroyed.

Be careful when you enter the code.

As soon you send us the payment will you review the code from the qTox client that you need to download so we can send you the decryption code (Read more what the qTox client is below)

If you wanna get it touch with us can you download the open sourse project qTox and add me on this ID (You need to conntact us to get your code after the payment)


[alphanumeric string]

Obs: No antiviruses can help you here they will only remove the client that start this and delete every chance to decrypt your files, Good luck!

May 25, 2022