A new version of the PadCrypt ransomware has been released that adds additional such as an updated live chat interface, a blacklist of computer names, and a new decrypter. I first discovered this sample 2 days ago and shared it on Twitter. MalwareHunterTeam then installed it and provided analysis on the new features.  The current version of PadCrypt is and unfortunately there is no way to decrypt the files for free at this time.

New PadCrypt

Improved Live Chat Support Interface

This version of PadCrypt includes an updated Live Support interface that includes commands that allow you to receive automated help on how AES encryption works, how to make a payment, and how many files were encrypted.  It is also has automated commands to display the version of PadCrypt and the machineid associated with your computer.  This machineid is the unique id that the malware developers associate with your encrypted files.

New Chat Interface
New Chat Interface

PadCrypt also now includes text that is automatically displayed to chat users when the chat window is opened. This text explains that they are now an "official PadCrypt user" and taunts the victim about how they will need to purchase the decryption key.

Auto Chat Message
Auto Chat Message

The support chat is very active with PadCrypt support personnel often initiating conversations with the victims.  It was relayed to me that one PadCrypt support person stated that they were just in charge of support and were not involved in the creation or distribution of the program. If this is true, then PadCrypt is being run as a company with different departments.

Blacklisting of known Malware Researcher's Computer Names

This version also includes blacklisting of certain computer names from being able to run PadCrypt.  If a user has a machine name that contains one of the blacklisted strings, the program will simply start and then terminate.  This is being done to make it more difficult for known malware researchers or known sandboxes. The computer name strings that are currently blacklisted are: "PLACEHOL-, "MALTEST", "TEST-PC", "BEA-CHI", "BRBRB", "VMSCAN".

You can see the source code for the computer name detection below.

Blacklisted Computer Names
Blacklisted Computer Names (Click to Enlarge)

New Decrypter Released

Last, but not least, PadCrypt updated their decrypter so that the victim's can specifically enter the Secret and IV to perform the decryption of their files.

PadCrypt Decrypter
PadCrypt Decrypter

Though this tool is more up-to-date, the retro version was definitely cooler :)