Recently, a new version of CryptoWall ransomware has been released. It is worth mentioning that this is not the first update to this ransomware, Cyber criminals have released it’s fourth version, also known as HELP_YOUR_FILES ransomware. This new file encrypting malware not only changes the extensions of files stored on the computer, but also changes their names with an intention of preventing the victim to recognize them (example of an encrypted file name – ‘8354no9f.7gt8’). After HELP_YOUR_FILE is done encrypting the victims data, it demands to pay a ransom of 700$ (1.79 Bitcoins). If user does not pay within the given time frame, the ransom doubles to either 1400$ or 1400€ (3.58 BTC). All the information about the payment (time frame, consequences of not paying the ransom and attempts to decrypt using third party software, step by step payment instructions, etc.) is stored in a HELP_YOUR_FILES.PNG, HELP_YOUR_FILES.TXT and HELP_YOUR_FILES.HTML files which are generated in each directory containing encrypted data.

HELP_YOUR_FILES uses RC4 encryption method. Just like the previous versions of CryptoWall, this ransomware injects itself into Explorer.exe. After that, HELP_YOUR_FILES deletes all Shadow Volume Copies, disables System Restore, as well as turns off  Windows Startup Repair by using bcdedit. Even though the ransomware itself is quite easy to remove, decrypting affected files without paying the ransom is impossible – the key required for the decryption is stored in HELP_YOUR_FILES command-and-control servers, that are managed by cyber criminals. Therefore, the only way to solve this problem is to restore your data from a backup.

HELP_YOUR_FILES decrypt instructions

Computer viruses like HELP_YOUR_FILES, CTB Locker, CryptoLocker, TeslaCrypt, and CryptorBit are one of the main reasons why you should maintain regular backups of your files. Users must realize that by paying the ransom they support the malicious business of cyber criminals. Moreover, there’s no guarantee that the files will ever be decrypted. Be aware that HELP_YOUR_FILES is distributed using malicious email messages that with bogus attachments – zipped files that supposedly contain certain resumes, shipping information, etc. However, these email attachments are actually JavaScript files that, when executed, download another infectious executable file, stores it in Windows %Temp% folder, and executes it afterwards. As a matter of fact almost every ransomware virus is distributed using fake downloads (e.g., torrents, fake software updates, etc.). For this reason, users must be very cautious when downloading files from untrusted sources. Moreover, it is very important to use a legitimate anti-virus or either anti-spyware suite, as well as keep every installed application up-to-date.

HELP_YOUR_FILES ransomware additional information regarding data encryption:

Additional information about the files encrypted by HELP_YOUR_FILES ransomware


Cannot you find the files you need? Is the content of the files that you have watched not readable? It is normal because the files’ names, as well as the data in your files have been encrypted. Congratulations!!! You have become a part of large community of CryptoWall. If you are reading this text that means that the software CryptoWall has removed from your computer.
What is encryption? Encryption is a reversible transformation of information in order to connect it from unauthorised persons but providing at the same time access to it for authorised users. To become an authorised user and make the process truly reversible i.e to be able to decrypt your files you need to have a special private key. In addition to the private key you need the decryption software with which you can decrypt your files and return everything in its place. I almost understood but what do I have to do? The first thing you should do is to read the instructions to the end. Your files have been encrypted with the CryptoWall software; the instructions that you find in folders with encrypted files are not viruses, they are you helpers. After reading this text 100% of people turn to a search engine with the word CryptoWall where you’ll find a lot of thoughts, advice and instructions. Think logically – we are the ones who closed the lock on your files and we are the only ones who have this mysterious key to open them. Any of your attempts to restore you files with the third-party tools can be fatal for encrypted files. The fact that changing data within the encrypted files (as 100% of software to restore files do this, except the special decryption software) you break damage to the files and it will be impossible to decrypt the files. This is the same as to collect a mosaic when some mosaics items were lost, broken or not put in its place – the picture will not emerge, the software to restore the files will not be able to lay down the picture, and ruin it completely and irreversibly. Use the software to restore files can ruin your files forever, only through your fault. Remember that any intervention of the extraneous software to restore files encrypted with the CryptoWall software may be the point on no return. In case if these simple rules are violated we will not be able to help you, and we will not try because you have been warned. For your attention the software to decrypt the files (as well as the private key that come fitted with it) is a paid product. After purchasing the software package you can: 1.Decrypt all your files. 2. Work with your documents. 3. View your photos and other media content. 4. Continue your habitual and comfortable work at the computer. If you are aware whole importance and criticality of the situation, then we suggest you go directly to your personal page where you will be given final instructions, as well as guarantees to restore your files.
What do you have to do with these addresses? If you browse the instructions in TXT format (if you have instructions in HTML (the file that has an icon of your Internet browser) then for the sake of simplicity it is better to run it). Additional information: Instructions to restore your files are only in the folders where you have encrypted files. For your convenience the instructions are made in three files formats – html, txt and png. Unfortunately, antivirus companies cannot protect and moreover restore your files but they make things worse removing the instructions to restore encrypted files. The instructions are not malware, they have informative nature only, so any claims on the absence of any instructions files you can send to your antivirus company. CryptoWall Project is not malicious and is not intended to harm a person and his/her information data. This project is conducted for the sole purpose of instruction in the field of information security, as well as certification of antivirus products for their suitability for data protection. Together we make the Internet a better and safer place. If you oversee this text in the Internet and understand that something is wrong with your files and you have no instructions to restore files, contact your antivirus support. Remember that the worst has already happened and now the further life of your files depends directly in your determination and speed of your actions.

HELP_YOUR_FILES ransom payment instructions:

Payment instructions provided by HELP_YOUR_FILES ransomware

Samples of infected email messages spreading HELP_YOUR_FILES ransomware:

Spam messages generated by HELP_YOUR_FILES ransomware (sample 1)
Spam messages generated by HELP_YOUR_FILES ransomware (sample 2)
Spam messages generated by HELP_YOUR_FILES ransomware (sample 3)
Spam messages generated by HELP_YOUR_FILES ransomware (sample 4)
Spam messages generated by HELP_YOUR_FILES ransomware (sample 5)
Spam messages generated by HELP_YOUR_FILES ransomware (sample 6)

HELP_YOUR_FILES ransomware removal:

Quick menu:
Quick solution to remove Cryptowall 4.0 virus

Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer starting process press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in “Safe Mode with Networking”:

Windows 8 users: Start Windows 8 is Safe Mode with Networking – Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click on Advanced startup options, in the opened “General PC Settings” window select Advanced startup. Click on “Restart now” button. Your computer will now restart into “Advanced Startup options menu”. Click on the “Troubleshoot” button, then click on the “Advanced options” button. In the advanced option screen click on “Startup settings”. Click on the “Restart” button. Your PC will restart into Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in “Safe Mode with Networking”:

Step 2

Log in to the account infected with the HELP_YOUR_FILES virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

Remover for Cryptowall 4.0 virus

If you need assistance removing help_your_files , give us a call 24/7:
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. SpyHunter’s free scanner is for Cryptowall 4.0 virus detection. To remove the detected infections you will need to purchase a full version of this product. More information on SpyHunter. If you wish to uninstall SpyHunter follow these instructions. All the products we recommend were carefully tested and approved by our technicians as being one of the most effective solutions for removing this threat.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using “Safe Mode with Command Prompt” and “System Restore”:

1. During your computer starting process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window click “Next”.

restore system files and settings

5. Select one of the available Restore Points and click “Next” (this will restore your computer system to an earlier time and date, prior to the HELP_YOUR_FILES ransomware virus infiltrating your PC).

select a restore point

6. In the opened window click “Yes”.

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining HELP_YOUR_FILES files.

To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of HELP_YOUR_FILES are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click on it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the “Restore” button.

Restoring files encrypted by CryptoDefense

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt),boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by HELP_YOUR_FILES you can also try using a program called Shadow Explorer. More information on how to use this program is available here.

shadow explorer screenshot

To protect your computer from file encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and EasySync CryptoMonitor, which artificially implant group policy objects into the registry to block rogue programs such as HELP_YOUR_FILES.)

HitmanPro.Alert CryptoGuard – detects encryption of files and neutralises such attempts without need for user intervention:

hitmanproalert ransomware prevention application

EasySync CryptoMonitor – kills an encryption infection and blacklists it from running again:

cryptomonitor ransomware prevention application

Other tools known to remove HELP_YOUR_FILES ransomware:

Source: Virus and Spyware Removal Guides, uninstall instructions