
'help@decrypt-files.info' Ransomware

Posted: October 29, 2018

The 'help@decrypt-files.info' Ransomware is a version of the Dharma Ransomware, a file-locker Trojan family that searches for digital media and blocks it by encrypting it. Along with making your files unopenable, the 'help@decrypt-files.info' Ransomware also changes their names, drops ransom notes for its decryptor, attacks the rest of the local network and deletes backups. As always, having a secure backup is the most important part of recovering from an infection after deleting the 'help@decrypt-files.info' Ransomware with the anti-malware program of your choice.

The Supposed Backup that Eats the Real Ones

A new release in the Dharma Ransomware family poses as a project backup, complete with company credentials, so that it looks harmless until its attacks are finished. The 'help@decrypt-files.info' Ransomware is operationally similar to other releases from this same group of file-locker Trojans, such as the btc@fros.cc Ransomware, the Darknes@420blaze.it Ransomware, the 'backtonormal@foxmail.com' Ransomware or the most recent, the 'getdataback@fros.cc' Ransomware. Its most distinguishing payload features are no more than the different extensions and addresses that it uses for ransoming media.

The 'help@decrypt-files.info' Ransomware's samples purport to be backups for a 'Chemix' company, but new versions could have their labels edited to suit the targets. After infecting a PC, either through user-assisted exploits like spam e-mails or manual ones such as a brute-force attack, the 'help@decrypt-files.info' Ransomware begins encrypting documents, pictures and other media throughout the PC. Like most versions of the Dharma Ransomware, it also deletes the Shadow Volume Copies, which makes it, ironically, a fake backup that wipes out real ones.

The 'help@decrypt-files.info' Ransomware adds a '.gdb' extension to the filenames of all blocked media, along with an ID that's specific to each infection and the address in its name. The latter, which it also promotes throughout a pair of ransom notes, is intended as the point of contact for victims to negotiate over the decryption solution. While such an option may be the only decryption service available for any locked files, malware experts caution that, historically, paying a non-refundable ransom to a criminal has not been a dependable way of restoring media.
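The renaming scheme above can be turned into a quick triage check over a file listing. This is an added example, not code from the article; the article states only that the new name carries a '.gdb' extension, a per-infection ID and the contact address, so the exact ordering used here (`<original>.id-<ID>.[help@decrypt-files.info].gdb`) is an assumption, and the sample paths are constructed.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

# ASSUMED layout of a renamed file; the article only names the three
# components, not their order:  <original>.id-<ID>.[address].gdb
RENAMED = re.compile(
    r"^(?P<original>.+?)\.id-(?P<infection_id>[0-9A-Fa-f]+)"
    r"\.\[(?P<address>[^\]]+)\]\.gdb$"
)
RANSOM_ADDRESS = "help@decrypt-files.info"


class Hit(NamedTuple):
    path: str          # full path as listed
    original: str      # filename before the Trojan renamed it
    infection_id: str  # per-infection ID embedded in the new name


def parse_renamed(path: str) -> Optional[Hit]:
    """Return a Hit if the basename follows the assumed ransom layout, else None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = RENAMED.match(name)
    if not m or m.group("address").lower() != RANSOM_ADDRESS:
        return None  # plain files and legitimate .gdb files fall through here
    return Hit(path, m.group("original"), m.group("infection_id"))


def triage(paths: List[str]) -> Tuple[List[Hit], Counter]:
    """Collect hits and count them per infection ID (one ID spanning
    local disks and shares is consistent with a single infection)."""
    hits = [h for h in map(parse_renamed, paths) if h is not None]
    return hits, Counter(h.infection_id for h in hits)


# Constructed sample listing, not real telemetry.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.id-1A2B3C4D.[help@decrypt-files.info].gdb",
    r"C:\Users\alice\Pictures\trip.jpg.id-1A2B3C4D.[help@decrypt-files.info].gdb",
    r"\\fileserver\share\plan.docx.id-1A2B3C4D.[help@decrypt-files.info].gdb",
    r"C:\Users\alice\Documents\notes.txt",              # untouched file
    r"C:\Users\alice\Downloads\project_backup.gdb",    # legit .gdb, no marker
]

if __name__ == "__main__":
    found, per_id = triage(SAMPLE_PATHS)
    for h in found:
        print(f"{h.infection_id}: {h.original}  <-  {h.path}")
    print(dict(per_id))
```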

The Only Help You Should Need for Saving Your Media

Malware experts recommend disabling network connectivity at any stage of a 'help@decrypt-files.info' Ransomware infection, because this family traditionally includes network shares (including unmapped ones) in its file searches. Users also should assume that the Trojan will re-launch itself whenever Windows restarts, giving it an opportunity to encrypt any newly-introduced files. Conventional solutions, such as entering Safe Mode and keeping backups in non-accessible or password-protected locations, can protect your media from the 'help@decrypt-files.info' Ransomware's ongoing attacks.

The use of brute-force and RDP-based exploits is a regularly-notable factor in Ransomware-as-a-Service campaigns like the 'help@decrypt-files.info' Ransomware's attacks. Server administrators should avoid easily-breakable passwords, check their RDP settings and firewall ports for safety issues, and avoid opening e-mail attachments without confirming their safety first. One out of every two AV brands is identifying this threat and should have no problems removing the 'help@decrypt-files.info' Ransomware from your computer, and malware experts expect that number to increase over the coming weeks.

The fake company information that the 'help@decrypt-files.info' Ransomware depends on is a flexible disguise that may be showing its threat actor's hand regarding the intended targets. As usual, it's a bad idea to rely on the appearance of a file for determining its safety, especially when it comes attached to an unexpected e-mail or shows up on your hard drive randomly.
