.help ransomware is file-encrypting malware that appends .help to the files it encrypts. It is part of the VoidCrypt ransomware family and drops a ransom note named !INFO.HTA.
Discovered by malware researcher xiaopao, .help ransomware belongs to the VoidCrypt ransomware family. Because it encrypts files, it is considered a dangerous infection: once files are encrypted, users cannot open them unless they are first decrypted with the matching decryptor. The cyber crooks behind this ransomware will try to sell that decryptor to victims, though the !INFO.HTA ransom note does not name a price. It will likely be somewhere between a couple of hundred and a couple of thousand dollars, as that is the usual range for ransomware demands. Whatever the price, users should be aware of the risks involved in paying. The crooks may promise to send the decryptor, but nothing obliges them to do so once they have the money, and victims who paid and received nothing are a common occurrence. That is why we feel it necessary to spell out the risks.
In some cases, malware researchers are able to release free decryptors that let users recover files without paying. This is not always possible, which is why not every ransomware has a free decryptor. One for .help ransomware may not be available at the moment, but it could be released in the future. A legitimate decryptor, if one appears, would be posted on NoMoreRansom, so users who have no other recovery options should back up the encrypted files and check NoMoreRansom from time to time.
If users have backups, they can recover their files as soon as they remove .help ransomware from the computer. They should make sure the ransomware is fully removed first, because otherwise it would encrypt the restored files as well.
How does ransomware infect computers?
Ransomware usually spreads via malspam, torrents, malicious ads, etc. Users with bad browsing habits are at much higher risk of infecting their computers because they often open unsolicited email attachments, pirate via torrents, click on ads while on high-risk websites, and fail to install critical security updates.
Malspam is one of the most common ways users pick up ransomware. Malicious actors buy email addresses from hacker forums and use them to launch huge email spam campaigns. The emails carry a malicious attachment which, if opened, would trigger the ransomware. Fortunately, malspam can usually be identified, because it tends to show certain signs. For example, malspam is often sent from random email addresses, and the display name may look legitimate while the actual address does not. Users should always check the sender's email address (not just the name shown) and make sure it is legitimate before engaging with the email. Such emails are also usually full of grammar and spelling mistakes, and put strong pressure on the user to open the attachment. As a precaution, users should always scan unsolicited email attachments with anti-virus software or VirusTotal before opening them. Note that files uploaded to VirusTotal are shared with security vendors, so for an attachment that may contain sensitive information, look up its hash on VirusTotal instead of uploading the file itself.
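The checks described above, as an added Python example that is not part of the original article: it parses a constructed sample message (not a captured malspam), compares the Reply-To domain with the From domain, looks for pressure language in the subject and body, and for each attachment records its SHA-256 (the value to look up on VirusTotal without uploading the file) and flags executable or double extensions. The function names, the extension lists and the sample addresses are this example's own.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Extensions that execute when double-clicked on Windows. Opening one of these from
# an unsolicited mail is the usual way a file-encrypting payload gets its first run.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "js", "jse", "vbs", "vbe", "wsf", "hta",
                         "bat", "cmd", "ps1", "lnk", "msi"}
# Containers often used to smuggle the above past mail filters.
CONTAINER_EXTENSIONS = {"zip", "rar", "7z", "iso", "img"}
# Document-looking inner extensions used in double-extension tricks (invoice.pdf.js).
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
PRESSURE_RE = re.compile(r"\b(urgent|immediately|immediatly|suspended|now)\b", re.IGNORECASE)

# Constructed sample message for this example; the addresses and content are made up.
SAMPLE_EML = b"""From: "Accounts Payable" <billing@example.com>
Reply-To: noreply8812@example.net
To: victim@example.org
Subject: URGENT!! invoice overdue - open attachement immediatly
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Your acount will be suspended in 24 hours, open the invoice NOW.
--XYZ
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice_2021.pdf.js"
Content-Transfer-Encoding: base64

YWxlcnQoJ2hlbGxvJyk7
--XYZ--
"""


def domain_of(address: str) -> str:
    """Domain part of an email address, lower-cased; empty if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify_attachment(filename: str, data: bytes) -> dict:
    """Hash the attachment and list the reasons its name looks dangerous."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    if ext in CONTAINER_EXTENSIONS:
        reasons.append(f"container .{ext}; inspect contents before extracting")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS and ext not in DOCUMENT_EXTENSIONS:
        reasons.append("double extension disguising the real file type")
    return {"filename": filename, "sha256": hashlib.sha256(data).hexdigest(), "reasons": reasons}


def triage_message(raw: bytes) -> dict:
    """Apply the malspam checks to one raw RFC 822 message and return the findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    findings = []
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from "
                        f"From domain {domain_of(from_addr)}")
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body is not None else "")
    if PRESSURE_RE.search(text):
        findings.append("pressure language urging the reader to open the attachment")
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_content()          # bytes for binary parts, str for text parts
        if isinstance(data, str):
            data = data.encode("utf-8")
        attachments.append(classify_attachment(part.get_filename() or "", data))
    risky = any(a["reasons"] for a in attachments)
    return {"from": from_addr, "reply_to": reply_to, "findings": findings,
            "attachments": attachments, "open_safely": not findings and not risky}


if __name__ == "__main__":
    result = triage_message(SAMPLE_EML)
    for finding in result["findings"]:
        print("finding:", finding)
    for att in result["attachments"]:
        print(f"attachment {att['filename']} sha256={att['sha256']} reasons={att['reasons']}")
    print("safe to open:", result["open_safely"])
```

The script deliberately never executes or renders the attachment; it only reads the MIME parts. The SHA-256 it prints is what to search for on VirusTotal or in your own sandbox history before deciding whether to open the file at all.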
Users who pirate content via torrents are also at increased risk. Because torrent sites are often unregulated, it is not difficult to upload malware disguised as a torrent for popular content. The more popular a movie, TV show, video game or program is, the more likely a torrent for it carries malware. Pirating is not only dangerous for the computer, it is also essentially stealing.
Users also need to install security updates when they are released. Updates patch vulnerabilities that malware can use to get in, and enabling automatic updates is recommended.
What does the ransomware do?
As soon as the ransomware enters the computer, it starts encrypting users' files. It mainly targets personal files such as documents, photos and videos. Encrypted files have .[email@example.com][unique ID].help appended to their names; for example, image.jpg becomes image.jpg.[firstname.lastname@example.org][unique ID].help. The unique ID in the extension identifies the victim to the cyber crooks and is needed when contacting them if the victim decides to pay.
When the ransomware has finished encrypting files, it drops a !INFO.HTA ransom note. The note contains the contact addresses to which victims are told to write in order to start file decryption; the email addresses given are email@example.com and firstname.lastname@example.org. Victims can also have a couple of files decrypted for free, provided they do not contain valuable information. However, as said above, paying the ransom does not guarantee that files will be decrypted: the cyber crooks can simply not send the decryptor, since nothing obliges them to help.
Here is the text from the ransom note dropped by this ransomware, reproduced verbatim (the spelling and grammar are the attackers' own):
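As an added example (not code from the article or from the VoidCrypt operators), the following Python script applies the naming scheme above to inventory an affected directory tree: it parses the bracketed email and ID out of each file name, counts ransom notes, groups encrypted files by victim ID, and lists the original paths a backup restore would need to recreate. It runs against a constructed sample tree built in a temporary directory; the file names and the attacker@example.com address are made up for the example.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Renaming scheme described above: <original name>.[<contact email>][<unique ID>].help
# Both bracketed fields are captured so files can be grouped by the victim ID.
HELP_NAME_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<email>[^\]]+)\]\[(?P<victim_id>[^\]]+)\]\.help$",
    re.IGNORECASE,
)
RANSOM_NOTE_NAME = "!INFO.HTA"


def parse_encrypted_name(name: str):
    """Return original name, contact email and ID from an encrypted file name, or None."""
    match = HELP_NAME_RE.match(name)
    if not match:
        return None
    return {"original": match["original"], "email": match["email"],
            "victim_id": match["victim_id"]}


def scan_tree(root) -> dict:
    """Walk a directory tree and inventory encrypted files and ransom notes."""
    report = {"encrypted": [], "notes": [], "by_id": defaultdict(int)}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.upper() == RANSOM_NOTE_NAME:
            report["notes"].append(str(path))
            continue
        parsed = parse_encrypted_name(path.name)
        if parsed is not None:
            report["encrypted"].append({"path": str(path), **parsed})
            report["by_id"][(parsed["email"], parsed["victim_id"])] += 1
    report["by_id"] = dict(report["by_id"])
    return report


def restore_targets(report: dict):
    """Original paths to restore from backup, one per encrypted file, sorted."""
    return sorted(str(Path(item["path"]).with_name(item["original"]))
                  for item in report["encrypted"])


def build_sample_tree() -> str:
    """Create a constructed sample tree (not a real infection) in a temp dir; return its path."""
    base = Path(tempfile.mkdtemp(prefix="help_triage_"))
    files = {
        "docs/report.docx.[attacker@example.com][ABC123].help": b"encrypted",
        "photos/holiday.jpg.[attacker@example.com][ABC123].help": b"encrypted",
        "docs/!INFO.HTA": b"<html>ransom note</html>",
        "photos/!INFO.HTA": b"<html>ransom note</html>",
        "docs/notes.txt": b"untouched",
        "archive/old.help": b"unrelated .help file without the bracketed fields",
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return str(base)


if __name__ == "__main__":
    sample = build_sample_tree()
    result = scan_tree(sample)
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes")
    for (email, victim_id), count in result["by_id"].items():
        print(f"contact {email} / ID {victim_id}: {count} files")
    for original in restore_targets(result):
        print("restore:", original)
```

The regular expression requires both bracketed fields, so an unrelated file that merely ends in .help (archive/old.help in the sample) is not counted. Run the scan on a copy of the affected drive, never on the live system while the ransomware may still be running.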
!!! Your Files Has Been Encrypted !!!
your files has been locked with highest secure cryptography algorithm
there is no way to decrypt your files without paying and buying Decryption tool
but after 48 hour decryption price will be double
you can send some little files for decryption test
test file should not contain valuable data
after payment you will get decryption tool ( payment Should be with Bitcoin)
so if you want your files dont be shy feel free to contact us and do an agreement on price
!!! or Delete you files if you dont need them !!!
Your ID :
our Email :email@example.com
In Case Of No Answer :firstname.lastname@example.org
At this moment, only users who have backups can recover their files.
.help ransomware removal
Users should use anti-malware software to delete .help ransomware because it is a complicated infection; attempting manual .help ransomware removal could lead to even more damage. It should also be said that, unfortunately, files will not be decrypted just because the ransomware is no longer present.
.help ransomware is detected as:
- DeepScan:Generic.Ransom.AmnesiaE.5274 by Emsisoft
- DeepScan:Generic.Ransom.AmnesiaE.52740374 by BitDefender
- Win32:RansomX-gen [Ransom] by Avast/AVG
- HEUR:Trojan-Ransom.Win32.Generic by Kaspersky
- Ransom:Win32/Spade.DB!MTB by Microsoft
- GenericRXMJ-AK!815F827CBEDE by McAfee
- Ransom.VoidCrypt by Malwarebytes
- A Variant Of Win32/Filecoder.Ouroboros.E by ESET