Cyber Security Center

How to delete WSHLP ransomware


WSHLP ransomware is part of the notorious Dharma ransomware family. Encrypted files will have an extension added to them, consisting of an ID and .[newhelper@cock.li].WSHLP. Users will be unable to open the encrypted files.

 

WSHLP ransomware

WSHLP ransomware is malware that encrypts files and then demands money for their decryption. It’s a dangerous piece of malware because it’s possible encrypted files are lost permanently. Users should be able to identify that they are dealing with this particular ransomware by the .[newhelper@cock.li].WSHLP extension added to encrypted files. Files with that extension will not be openable unless a special decryptor is used to decrypt them. The cyber crooks behind this ransomware will try to sell victims the decryptor, though the ransom sum is not specified in the FILES ENCRYPTED.txt ransom note.

Whatever sum cyber criminals demand, paying is never recommended. Many users in the past did not receive a decryptor or got a faulty one after paying, so it’s always a risk. Furthermore, paying also encourages cyber criminals to continue their criminals activities, as it is profitable for them. Unfortunately, the only other way to recover files is from backup. If users backed up files prior to their encryption, they can recover files without issue. However, users should first make sure to fully remove WSHLP ransomware from their computers. Otherwise, the ransomware may encrypt files in backup as well.

We should mention that malware researchers do release free decryptors but it is not a guarantee for all ransomware. Dharma ransomware decryptor is available on NoMoreRansom, and this is one of the legitimate sources for ransomware decryptors.

How does ransomware enter a computer?

In most cases, users pick up ransomware by opening malicious email attachments. Spam email is one of the most common ways cyber criminals distribute ransomware because it requires very little effort. They purchase email addresses from hacking forums and send malicious emails to those addresses. Fortunately, as long as users are careful, they should be able to avoid the majority of these malicious emails as they’re fairly obvious. They usually contain loads of grammar and spelling mistakes, are sent from obviously spam email addresses, and just generally seem suspicious. Some emails are more sophisticated than others, so users should always scan unsolicited email attachments with anti-malware software or VirusTotal.

Users can also pick up ransomware via torrents and software cracks. A lot of malware can be found on torrent sites because they are not regulated properly, allowing cyber criminals to upload their malware and disguise it as some kind of popular movie, episode of a TV series, game, etc. Forums promoting software cracks are also full of malware.

It should also be mentioned that installing updates regularly is very important. Updates patch known vulnerabilities that can be used by malware to infect a computer. If possible, users should enable automatic updates.

What does ransomware do?

As soon as the ransomware installs, it will begin encrypting files. It mainly targets videos, photos, documents, etc. All affected files will have a file extension added to them consisting of an ID and .[newhelper@cock.li].WSHLP. For example, photo.jpg would become photo.jpg.random ID.[newhelper@cock.li].WSHLP. All files with this extension will be unopenable until they are decrypted.

The ransomware also drops a ransom note FILES ENCRYPTED.txt, as well as displays one in a pop-up window. The pop-up ransom note explains that files have been encrypted and to recover them victims need to send an email to newhelper@cock.li with their ID which is shown the ransom note. The ransom sum is not specified, but will likely range somewhere between $100 and $1000, as that is usually how much these kinds of infections demand.

Here’s the ransom note displayed in the pop-up window:

YOUR FILES ARE ENCRYPTED
Don’t worry,you can return all your files!
If you want to restore them, follow this link:email newhelper@cock.li YOUR ID –
If you have not been answered via the link within 12 hours, write to us by e-mail:iamwellwisher@tutanota.com
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

As usual, paying the ransom is not recommended. Not only does it not guarantee file decryption, it also encourages these cyber criminals to continue their activities.

But unfortunately, the only currently available way to recover files is via backup. If users do not have backup, they have the option of backing up encrypted files and waiting for a free decryption tool to become available.

WSHLP ransomware removal

Users should not attempt to delete WSHLP ransomware manually because that might cause even more damage. Instead, they should use anti-malware software. Once users remove WSHLP ransomware, they can access their backup and start recovering files.

WSHLP ransomware is detected as:

  • A Variant Of Win32/Filecoder.Crysis.P by ESET
  • Ransom.Crysis.Generic by Malwarebytes
  • Trojan-Ransom.Win32.Crusis.to by Kaspersky
  • Ransom:Win32/Wadhrama!hoa by Microsoft
  • Ransom.Crysis by Symantec