PLAM Ransomware [.plam Files] – How to Remove & Decrypt?

PLAM is a new variant of ransomware that can be infected computer together with some pirated software.

Plam Ransomware

Plam virus is a very complicated and dangerous ransomware, that can harm your system as well as your data. It can be appropriately named as DJVU/STOP ransomware infection.

The technique that is utilized by the greater part of current ransomware is quite simple, and Plam (like the whole STOP/Djvu family) utilizes this pattern, too. It generates a duplicate of every file, encrypts that duplicate byte-by-byte, and afterward eliminates the original document, swapping it with the encrypted duplicate. The encryption algorithm is AES-256, that means that there are about 2^256 separate passkeys1 – it is difficult to decrypt with some basic techniques, like brute force. You need to work with decryption tools.

GridinSoft Anti-Malware
Editor's choice
GridinSoft Anti-Malware
Manual PLAM virus removal might be a very hard or even impossible process that requires very high skills and may carry a significant risk for your system. GridinSoft Anti-Malware is a professional antivirus tool that is recommended to get rid of ransomware and other viruses.
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use full-featured product, you have to purchase a license for GridinSoft Anti-Malware. 6 days free trial available.

You will likely never miss the moment when Plam ransomware will start its action, especially if you store a lot of data on your hard drive. Weak computer owners will definitely spot the ransomware activeness much earlier. It needs a noticeable amount of RAM/CPU for the encryption process, so if you have a cheap laptop or deeply outdated computer with HDD as a storage device, your PC will go through significant productivity loss.

Besides possible productivity plummeted, you can see an escalating amount of files with .plam extension. These files are already ciphered, and you can’t open them using any kind of program. All at once together with the appearance of the encrypted file, readme.txt files can show up. In this file, you will see the information regarding getting in touch with the ransomware creators, getting the decryption key, and also working with their own decryption app. The ransom sum generally fluctuates from $490 to $980, relying on the time gone after the file encryption activity. The suggested transaction option is the payment in Bitcoin, and thanks to the large amounts of fraud among the internet exchanging systems, you may come to be the victim of one more team of cybercriminals.

.{[EXT]} virus message
The scary alert demanding from users to pay the ransom to decrypt the compromised data contains these frustrating warnings

There are 2 kinds of keys that can possibly be utilized by ransomware. Offline keys are used in the case when the encryption process is executed when your system is not connected to the web. Such a key is much easier to decrypt because there is a limited number of offline keys. The online key, as you can guess, utilized when your personal computer is online during the encryption procedure. Online keys are stored on the remote web server, which is handled by ransomware distributors. You can find out if your documents are encrypted by online or offline key executing the following easy actions. Search in the next path with file explorer “%System Root%\SystemID\PersonalID.txt”, then search for the entries in this document that ends on “t1”. If there are some, you are lucky, considering that your data can be decrypted faster and with far less risk of failure.

Here is a details for the Plam:

Ransomware family2 DJVU/STOP3 ransomware
Extension .plam
Ransomware note _readme.txt
Ransom From $490 to $980 (in Bitcoins)
Contact [email protected], [email protected]
Symptoms Your files (photos, videos, documents) have a .plam extension and you can’t open it
Fix Tool See If Your System Has Been Affected by .plam file virus

As a result of some particular elements of encryption, you can still use a portion of your files. Plam ransomware encrypts only the initial 150KB of every file, therefore, it is possible to open documents that are much bigger than 150KB – music, video, voice notes, and so on. Such players as Winamp have the ability to start the encrypted files (but you require to take away .plam extension primarily), with the only notable consequence – the first few seconds of the recording will definitely not be accessible because this part of the file is secured.

How was I infected?

Ransomware can be injected in many ways, but there are two methods that are the most popular nowadays.

Ransomware attack scheme
Ransomware injection scheme

As it was stated, ransomware representatives are not pretty inventive in dispersing methods. The lion’s share of .plam virus infiltrations is against email spamming. A victim gets an e-mail that looks similar to a message from the parcel post company, an invoice from the vehicle lending firm, et cetera. However, the sender’s address does not look acquainted: typically, it is a group of randomly-picked numbers and letters, like “[email protected]”. Corporations normally utilize addresses that are representing their own names, so the use of such an unusual email address must raise suspicion. But, as the practical cases show, people generally do not inspect the email sender’s address, clicking on the links or opening the attached files with no doubt. Plam ransomware is concealed in this attachment, or in the file which will be downloaded after following the web link.

The second (by success) manner of ransomware distribution is trojan viruses. In the last several years, trojans turned into all-in-one viruses: one malware may be composed of spyware, backdoor, keylogger, and also downloader; the last one is used to recover the viruses if they are deleted by the user, and to download new and new malware. Ransomware can be featured in original trojan packaging or downloaded later by malware downloader. It is quite tough to predict when the ransomware will show itself.

Do not pay for Plam!

Please, try to use the available backups, or the tools offered below

There is completely no warranty that .plam malware distributors will send you the decryption key, especially if you had an extensive dialogue with them through the e-mail. Their decryption tool can additionally be the origin of extra malware. Also, finally, even when they send you the decryption key, only ransomware distributors know if it is capable of your documents decryption. And they are not ones who deserve your trust.

The main reason that paying the ransom is a bad suggestion is that the cash you sent as a ransom can be utilized for funding worrying outlaw activities. Drug dealing/making, human trafficking, murder – all these crimes are commonly funded by cybercrimes, and ransomware attacks are among them. Needless to say, there is still a large number of attacks that are commenced just for earning the revenue, nonetheless, you never have knowledge of who you are actually going to pay off the ransom.

Several additional words regarding the conversation with Plam ransomware representatives. There are a lot of situations when lasts were collecting the email addresses of their targets, and then offering this collection to the third party. The third-party might be whoever, perhaps even various other malware developers. And it is quite undesirable effect to get your email spammed, specifically after the stress made by ransomware. There is totally no warranty that you will not press on one of these attachments, again, so the bad story can repeat.

As you can see, there are a lot of factors that make paying the ransom quite a doubtful procedure. It is far more secure and also economical to make use of anti-malware software to clean off the .plam virus out of your computer, and decryption or file recovery programs to acquire your files back. You will see the guidelines for its removal right below.

A survey of organisations affected by ransomware attacks found that the average total cost of a ransomware attack for organizations that paid the ransom is almost $1.4m, while for those who didn’t give into ransom demands, the average cost is half of that, coming in at $732,000.4

How to delete Plam virus?

Besides ransomware, your computer is likely infected with other malware. GridinSoft Anti-Malware is easy-to-use and efficient tool5 that can surely wipe all malware out of your PC, and create a perfect shield that will protect your computer from further malware injections.

To get rid of PLAM malware from your computer, it is highly recommended to utilize an antivirus tool. Manual removal is likely impossible because it creates a lot of additional registry keys and has a branchy file location method. Cleaning this up by hand may cause system failure, or, possibly, partial malware clearing, so the Plam virus will have the chance to revive itself. However, maybe problematic even with anti-malware tools.

Microsoft Defender, which seems like an obvious option, is certainly capable of ransomware clearing However, in the majority of incidents Plam ransomware itself, or with the help of trojan virus that is utilized to insert the ransomware, disables the Defender through the Group Policies and Windows registry editing. Thus, it is much better to use a separate security tool that doesn’t come with such vulnerabilities. I advise you to make use of GridinSoft Anti-Malware – a user-friendly and efficient tool, that will definitely help you with ransomware elimination.

  1. Install GridinSoft Anti-Malware
  2. GridinSoft Anti-Malware installation stage 1
  3. After the app is installed, you will be offered to make a standard scan. Allow this action.
  4. GridinSoft Anti-Malware during the scan process
  5. During the scan process, you can see the detected malware, but to perform any actions against these viruses, you need to wait until the scan is over.
  6. GridinSoft Anti-Malware post-scan window
  7. Scan is finished, malware is detected. Click “Clean Now” to wipe the malware out, including Plam ransomware. In less than 30 seconds your PC will be cleaned up.

How to decrypt the .plam files?

Emsisoft Decryptor for STOP Djvu is created specially for decrypting the files, which were ciphered by Plam ransomware

After the ransomware is eliminated, you can begin the file revival. It is suggested to create a separated system back-up. In case if something wrong takes place in the process of data revival, you will be free to begin with the point prior to the recovery operation. To do the decryption and revival, we need to use Emsisoft Decryptor for STOP Djvu, and PhotoRec; both of them are cost-free.

Using Emsisoft Decryptor for STOP Djvu

  1. Download and install Emsisoft Decryptor
  2. Emsisoft Decryptor installation window
  3. After the successful setup, you will see the window where you can specify the folders where the encrypted documents are kept.
  4. Emsisoft Decryptor interface
  5. When the decryption operation is done, the program will notify you.

Use PhotoRec app to recover the original files from the disk

Ransomware encryption method allows the use of file recovery tools for getting your files back. Below, you can see the detailed instructions of this operation.

Plam ransomware encryption mechanism feature is following: it encrypts every file byte-by-byte, and then writes a document duplicate , removing (and not overriding!) the initial data. As a result, the info of the data location on the physical drive is lost, but the original data is not erased from the physical storage. The cell, or the cluster where this data was stored, can still contain this file, however, it is not shown by the file system and can be overwritten by the information that has been packed to this disk after the removal. For this reason, it is possible to recover your files by making use of special software.

PhotoRec is an open-source app, that is initially designed for file recovery from destroyed disks, or for files recovery in case if they are deleted by accident. Nevertheless, as time has passed, this program got the capability to recover the data of 400 various extensions. Therefore, it can be utilized for data retrieval after the ransomware attack.

Initially, you need to download this application. It is 100% free, however, the programmer states that there is no certainty that your data will be regained. PhotoRec is spread in a pack with another tool of the same programmer – TestDisk. The downloaded archive will have the TestDisk title, however, do not panic. PhotoRec files are right within.

To open PhotoRec, you need to find and open “qphotorec_win.exe” file. No installation is required – this program has all the files it needs inside of the archive, hence, you can fit it on your USB drive, and try to help your friend/parents/anyone who was been attacked by DJVU/STOP ransomware.

PhotoRec root directory

After the launch, you will see the screen showing you the full list of your disk spaces. However, this information is likely useless, because the required menu is placed a bit higher. Click this bar, then choose the disk which was attacked by ransomware.

PhotoRec main screen

After choosing the disk, you need to choose the destination folder for the recovered files. This menu is located at the lower part of the PhotoRec window. The best decision is to export them on a USB drive or any other type of removable disk.

Choose the destination folder in PhotoRec

Then, you need to specify the file formats. This option is located at the bottom, too. As it was mentioned, PhotoRec can recover the files of about 400 different formats.

File formats in PhotoRec

Finally, you can start files recovery by pressing the “Search” button. You will see the screen where the results of the scan and recovery are shown.

PhotoRec during the file recovery

  1. About AES-256 encryption on Wikipedia
  2. My files are encrypted by ransomware, what should I do now?
  3. About DJVU (STOP) Ransomware.
  4. ZDNet article about ransom payments
  5. Reasons why I recommend GridinSoft Anti-Malware

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several month after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master degree in cybersecurity, I've started working in as virus analyst in a little anti-malware vendor. In 2018, I've decided to start Virus Removal project. The main target of this site is to help people to deal with PC viruses of any kind.

Leave a Reply

Your email address will not be published. Required fields are marked *


Back to top button