When the PadCrypt ransomware was first discovered, its existing Command & Control servers were quickly shut down. As no new versions were released, it was assumed that the developer had given up on the project. Unfortunately, it appears that PadCrypt is still alive and kicking: I discovered a new sample of the downloader last night that uses a new C2 server at jodielane100.com. You can see the communication between a victim and the new server below.

Fiddler showing download activity of the new downloader

It also appears that the developer is using the live chat to initiate conversation with the victims rather than the other way around. The malware developer has been sending messages to the victims telling them that if they do not pay, the ransom price will increase. Unfortunately, chat messages sent to the victim are not re-sent later, so I was unable to get a screenshot of the chat window.

The hashes for the new sample are:

MD5    2557accea9eb845043cf32e5b5c463dd
SHA-1    2ca03371ff8ac3c2d9003fec1a2a8b27894a6b0a
SHA-256    d3bc529f4603ef4ecea0aef430a6e0f1ce24a75b496694bd5a8d6186a524e8e9
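For anyone checking their own systems against the indicators above, here is an added example (my own code, not part of the original post or the malware) that computes the three digests of a file, compares them with the hashes listed above, and flags proxy-log lines that contact the jodielane100.com C2 domain or a subdomain of it. The log lines in the block are constructed for illustration, not captured traffic, and the Fiddler-like column layout is an assumption.

```python
"""
Added example (not from the original post): match a file's digests and
proxy-log hostnames against the PadCrypt indicators listed above.
"""
import hashlib
import re

# Indicators taken from the post above (lower-cased for comparison).
PADCRYPT_HASHES = {
    "md5": "2557accea9eb845043cf32e5b5c463dd",
    "sha1": "2ca03371ff8ac3c2d9003fec1a2a8b27894a6b0a",
    "sha256": "d3bc529f4603ef4ecea0aef430a6e0f1ce24a75b496694bd5a8d6186a524e8e9",
}
PADCRYPT_C2_HOSTS = {"jodielane100.com"}

CHUNK = 1 << 20  # 1 MiB read size so large files are not loaded into memory at once


def digests_of_bytes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of an in-memory blob."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def digests_of_file(path) -> dict:
    """Same as digests_of_bytes, but streams the file from disk in chunks."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_hashes(digests: dict, iocs: dict = PADCRYPT_HASHES) -> set:
    """Return the names of the algorithms whose digest equals a known indicator."""
    return {algo for algo, value in digests.items() if iocs.get(algo) == value.lower()}


# Loose pattern for a hostname appearing in a URL or as a bare host column.
HOST_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)


def c2_hosts_in_log(lines, iocs: set = PADCRYPT_C2_HOSTS) -> list:
    """Return (line_number, host) pairs for lines that contact a known C2 host or subdomain."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for m in HOST_RE.finditer(line):
            host = m.group(0).split("://")[-1].lower()
            if host in iocs or any(host.endswith("." + c2) for c2 in iocs):
                hits.append((number, host))
    return hits


# Constructed sample log lines (not real captured traffic) in a Fiddler-like layout:
# id, status, protocol, host, path, size.
SAMPLE_LOG = [
    "1\t200\tHTTP\tjodielane100.com\t/download.php\t14 KB",
    "2\t200\tHTTP\twww.example.org\t/index.html\t3 KB",
    "3\t404\tHTTP\tcdn.jodielane100.com\t/update.bin\t0 B",
]


if __name__ == "__main__":
    import sys
    # Usage: python padcrypt_ioc_check.py <file> [<file> ...]
    for arg in sys.argv[1:]:
        print(arg, "matches:", sorted(match_hashes(digests_of_file(arg))) or "none")
    for number, host in c2_hosts_in_log(SAMPLE_LOG):
        print(f"sample line {number}: known C2 host {host}")
```

The hash check is exact-match only, so a recompiled or repacked downloader will not be caught by it; the domain check is the more durable of the two, which is why it also matches subdomains of the listed C2 host.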