What is HELP_YOUR_FILES?
Recently, a new version of CryptoWall ransomware has been released. This is not the first update to this ransomware: cyber criminals have released its fourth version, also known as HELP_YOUR_FILES ransomware. This new file-encrypting malware not only changes the extensions of files stored on the computer, but also changes their names to prevent the victim from recognizing them (example of an encrypted file name – ‘8354no9f.7gt8’). After HELP_YOUR_FILES has finished encrypting the victim's data, it demands a ransom of 700$ (1.79 Bitcoins). If the user does not pay within the given time frame, the ransom doubles to either 1400$ or 1400€ (3.58 BTC). All the information about the payment (time frame, consequences of not paying the ransom and of attempting to decrypt using third-party software, step-by-step payment instructions, etc.) is stored in HELP_YOUR_FILES.PNG, HELP_YOUR_FILES.TXT and HELP_YOUR_FILES.HTML files, which are generated in each directory containing encrypted data.
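Because the notes are written into every directory that holds encrypted data and the original file names are lost, the notes themselves can be used to scope what has to come back from backup. The following is an added example, not part of the original article: the function names, the backup manifest format and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# Note names from the article, matched case-insensitively.
NOTES = {"help_your_files.png", "help_your_files.txt", "help_your_files.html"}


def scope_damage(root, backup_manifest):
    """Map each directory that holds a ransom note to what must be restored.

    backup_manifest: set of POSIX-style paths relative to root, listed from
    the last known-good backup (an assumption of this example).
    """
    root = Path(root)
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if not any(f.lower() in NOTES for f in files):
            continue  # per the article, notes mark directories with encrypted data
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        present = {f for f in files if f.lower() not in NOTES}
        expected = {Path(p).name for p in backup_manifest
                    if Path(p).parent.as_posix() == rel_dir}
        report[rel_dir] = {
            # In the backup but no longer on disk: renamed during encryption.
            "restore": sorted(expected - present),
            # On disk under a name the backup never had: likely ciphertext.
            "unrecognised": sorted(present - expected),
        }
    return report


def build_sample_tree(root):
    """Constructed sample: one encrypted directory and one clean directory."""
    docs, music = Path(root, "docs"), Path(root, "music")
    docs.mkdir()
    music.mkdir()
    (docs / "8354no9f.7gt8").write_bytes(b"\x00")  # renamed, encrypted file
    (docs / "HELP_YOUR_FILES.TXT").write_text("constructed note")
    (docs / "HELP_YOUR_FILES.HTML").write_text("constructed note")
    (music / "song.mp3").write_bytes(b"\x00")
    return {"docs/report.docx", "music/song.mp3"}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        manifest = build_sample_tree(tmp)
        for directory, info in scope_damage(tmp, manifest).items():
            print(directory, info)
```

A directory without a note is not proof that its files are intact if a cleanup tool has already deleted the notes, so compare such directories against the manifest as well.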
HELP_YOUR_FILES uses the RC4 encryption method. Just like the previous versions of CryptoWall, this ransomware injects itself into Explorer.exe. After that, HELP_YOUR_FILES deletes all Shadow Volume Copies, disables System Restore, and turns off Windows Startup Repair by using bcdedit. Even though the ransomware itself is quite easy to remove, decrypting affected files without paying the ransom is impossible – the key required for decryption is stored on HELP_YOUR_FILES command-and-control servers, which are managed by cyber criminals. Therefore, the only way to solve this problem is to restore your data from a backup.
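The recovery-disabling steps described above leave traces in process-creation logs before or while files are being encrypted, which makes them a useful detection point. The following is an added example, not part of the original article: the log format and sample lines are constructed, and the vssadmin and wmic patterns are an assumption, since the article names only bcdedit.

```python
import re
from datetime import datetime, timedelta

# Constructed log format: "<UTC time> host=<name> cmd=<command line>"
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) cmd=(?P<cmd>.+)$")

# bcdedit comes from the article; vssadmin/wmic are assumed, commonly seen equivalents.
RULES = [
    ("startup_repair_off", re.compile(r"\bbcdedit\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_errors_ignored", re.compile(r"\bbcdedit\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("shadow_copies_deleted", re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copies_deleted", re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]

SAMPLE = [  # constructed lines, not captured from a real incident
    "2024-01-01T10:00:01Z host=WS01 cmd=vssadmin.exe Delete Shadows /All /Quiet",
    "2024-01-01T10:00:03Z host=WS01 cmd=bcdedit /set {default} recoveryenabled No",
    "2024-01-01T10:00:04Z host=WS01 cmd=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2024-01-01T11:30:00Z host=WS02 cmd=vssadmin list shadows",
    "2024-01-01T12:00:00Z host=SRV1 cmd=bcdedit /set {default} recoveryenabled No",
]


def detect(lines, window=timedelta(minutes=5)):
    """Alert on hosts with two or more distinct recovery-disabling actions in one window."""
    events = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for action, pattern in RULES:
            if pattern.search(m["cmd"]):
                events.setdefault(m["host"], []).append((ts, action))
    alerts = []
    for host, hits in sorted(events.items()):
        hits.sort()
        for i, (start, _) in enumerate(hits):
            actions = sorted({a for t, a in hits[i:] if t - start <= window})
            if len(actions) >= 2:
                alerts.append({"host": host, "first_seen": start.isoformat(), "actions": actions})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Requiring two distinct actions keeps a single administrative bcdedit change (SRV1 in the sample) from raising an alert.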
HELP_YOUR_FILES ransomware additional information regarding data encryption:
Text presented in HELP_YOUR_FILES.PNG, HELP_YOUR_FILES.TXT and HELP_YOUR_FILES.HTML files:
Cannot you find the files you need? Is the content of the files that you have watched not readable? It is normal because the files’ names, as well as the data in your files have been encrypted. Congratulations!!! You have become a part of large community of CryptoWall. If you are reading this text that means that the software CryptoWall has removed from your computer.
What is encryption? Encryption is a reversible transformation of information in order to connect it from unauthorised persons but providing at the same time access to it for authorised users. To become an authorised user and make the process truly reversible i.e to be able to decrypt your files you need to have a special private key. In addition to the private key you need the decryption software with which you can decrypt your files and return everything in its place. I almost understood but what do I have to do? The first thing you should do is to read the instructions to the end. Your files have been encrypted with the CryptoWall software; the instructions that you find in folders with encrypted files are not viruses, they are you helpers. After reading this text 100% of people turn to a search engine with the word CryptoWall where you’ll find a lot of thoughts, advice and instructions. Think logically – we are the ones who closed the lock on your files and we are the only ones who have this mysterious key to open them. Any of your attempts to restore you files with the third-party tools can be fatal for encrypted files. The fact that changing data within the encrypted files (as 100% of software to restore files do this, except the special decryption software) you break damage to the files and it will be impossible to decrypt the files. This is the same as to collect a mosaic when some mosaics items were lost, broken or not put in its place – the picture will not emerge, the software to restore the files will not be able to lay down the picture, and ruin it completely and irreversibly. Use the software to restore files can ruin your files forever, only through your fault. Remember that any intervention of the extraneous software to restore files encrypted with the CryptoWall software may be the point on no return. In case if these simple rules are violated we will not be able to help you, and we will not try because you have been warned. 
For your attention the software to decrypt the files (as well as the private key that come fitted with it) is a paid product. After purchasing the software package you can: 1.Decrypt all your files. 2. Work with your documents. 3. View your photos and other media content. 4. Continue your habitual and comfortable work at the computer. If you are aware whole importance and criticality of the situation, then we suggest you go directly to your personal page where you will be given final instructions, as well as guarantees to restore your files.
What do you have to do with these addresses? If you browse the instructions in TXT format (if you have instructions in HTML (the file that has an icon of your Internet browser) then for the sake of simplicity it is better to run it). Additional information: Instructions to restore your files are only in the folders where you have encrypted files. For your convenience the instructions are made in three files formats – html, txt and png. Unfortunately, antivirus companies cannot protect and moreover restore your files but they make things worse removing the instructions to restore encrypted files. The instructions are not malware, they have informative nature only, so any claims on the absence of any instructions files you can send to your antivirus company. CryptoWall Project is not malicious and is not intended to harm a person and his/her information data. This project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection. Together we make the Internet a better and safer place. If you oversee this text in the Internet and understand that something is wrong with your files and you have no instructions to restore files, contact your antivirus support. Remember that the worst has already happened and now the further life of your files depends directly in your determination and speed of your actions.
HELP_YOUR_FILES ransom payment instructions:
Samples of infected email messages spreading HELP_YOUR_FILES ransomware:
HELP_YOUR_FILES ransomware removal:
Quick solution to remove Cryptowall 4.0 virus
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. While your computer is starting, press the F8 key on your keyboard multiple times until you see the Windows Advanced Options menu, then select Safe Mode with Networking from the list.
Windows 8 users: Start Windows 8 in Safe Mode with Networking – Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click on Advanced startup options, and in the opened “General PC Settings” window select Advanced startup. Click on the “Restart now” button. Your computer will now restart into the “Advanced Startup options menu”. Click on the “Troubleshoot” button, then click on the “Advanced options” button. In the advanced options screen click on “Startup settings”. Click on the “Restart” button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.
Log in to the account infected with the HELP_YOUR_FILES virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.
If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.
1. During your computer starting process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.
2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.
3. Next, type this line: rstrui.exe and press ENTER.
4. In the opened window click “Next”.
5. Select one of the available Restore Points and click “Next” (this will restore your computer system to an earlier time and date, prior to the HELP_YOUR_FILES ransomware virus infiltrating your PC).
6. In the opened window click “Yes”.
7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining HELP_YOUR_FILES files.
To restore individual files encrypted by this ransomware, try using the Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on the infected operating system. Note that some variants of HELP_YOUR_FILES are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.
To restore a file, right-click on it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the “Restore” button.
If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode, which makes removal complicated. For this step, you require access to another computer.
To protect your computer from file-encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and EasySync CryptoMonitor, which artificially implant group policy objects into the registry to block rogue programs such as HELP_YOUR_FILES.
HitmanPro.Alert CryptoGuard – detects encryption of files and neutralises such attempts without need for user intervention:
EasySync CryptoMonitor – kills an encryption infection and blacklists it from running again:
Other tools known to remove HELP_YOUR_FILES ransomware: