SensorsTechForum - How to Technology and PC Security Forum

PC Security and Protection => Malware Removal Questions and Guides => Topic started by: never on October 29, 2015, 04:47:08 pm

Title: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: never on October 29, 2015, 04:47:08 pm
A very nasty ransomware infection has been reported to significantly increase its infections over consumer user PCs, encrypting thousands of files per infected computer. The ransomware has several different variations, the main of which are Helpme@freespeechmail.org and file2@openmailbox.org. It then leaves this ransom note, naming it Recovery.bmp:

(http://sensorstechforum.com/wp-content/uploads/2015/10/recovery.bmp)

First, before decrypting the files you need to do it safely. Use this tutorial in order to remove the virus .tmp files:

http://sensorstechforum.com/forums/malware-removal-questions-and-guides/remove-malware-from-your-pc-completely/ (http://sensorstechforum.com/forums/malware-removal-questions-and-guides/remove-malware-from-your-pc-completely/)

Now it is time to decrypt your data. Fortunately for users, Kaspersky has released a decryptor for this nasty ransomware, going by the name of RakhniDecryptor. You can download it by clicking on this link:

http://support.kaspersky.com/viruses/utility (http://support.kaspersky.com/viruses/utility)

Once you have downloaded Rakhni Decryptor, simply start the .exe file and click on Start Scan. This will open a file manager where you can select the file that you want to decrypt. It will then start the decryption process.

IMPORTANT: Decrypting files (if the algorithm allows decryption and is not too strong) may take hours to even days, depending on the encryption. You should leave your computer working at all times and NOT interrupt the decryption process. In order to do this, you should make sure you change your PC's power settings to not allow it to hibernate or sleep during decryption. To do this, follow these steps.
Step 1: Click on the battery icon in your system tray (next to the digital clock) in Windows and then click on More Power Options.
Step 2: The mighty Power options menu will appear. In your power plan click on Change Plan Settings.
Step 3: In your plan's settings make sure you set "Turn off the display" and "Put computer to sleep" to "Never" from the drop down minutes menu.
Step 4: Click on Save Changes and close it.
Now, you should leave your PC to work it out. Bear in mind that the process may take a lot of time so arm yourself with patience and hope that the algorithm is decryptable.

Good Luck!

Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: sensadmin on October 30, 2015, 11:28:29 am
A very nasty ransomware infection has been reported to significantly increase its infections over consumer user PCs encrypting thousands of files per infected computer. The ransomware then leaves this ransom note naming it Recovery.bmp:

(http://sensorstechforum.com/wp-content/uploads/2015/10/recovery.bmp)

First, before decrypting the files you need to do it safely. Use this tutorial in order to remove the virus .tmp files:

http://sensorstechforum.com/forums/malware-removal-questions-and-guides/remove-malware-from-your-pc-completely/ (http://sensorstechforum.com/forums/malware-removal-questions-and-guides/remove-malware-from-your-pc-completely/)

Now it is time to decrypt your data. Fortunately for users, Kaspersky has released a decryptor for this nasty ransomware, going by the name of RakhniDecryptor. You can download it by clicking on this link:

http://support.kaspersky.com/viruses/utility (http://support.kaspersky.com/viruses/utility)

Once you have downloaded Rakhni, simply start the .exe file and click on Start Scan. This will open a file manager where you can select the file that you want to decrypt. It will then start the decryption process.

IMPORTANT: Decrypting files (if the algorithm allows decryption and is not too strong) may take hours to even days, depending on the encryption. You should leave your computer working at all times and NOT interrupt the decryption process. In order to do this, you should make sure you change your PC's power settings to not allow it to hibernate or sleep during decryption. To do this, follow these steps.
Step 1: Click on the battery icon in your system tray (next to the digital clock) in Windows and then click on More Power Options.
Step 2: The mighty Power options menu will appear. In your power plan click on Change Plan Settings.
Step 3: In your plan's settings make sure you set "Turn off the display" and "Put computer to sleep" to "Never" from the drop down minutes menu.
Step 4: Click on Save Changes and close it.
Now, you should leave your PC to work it out. Bear in mind that the process may take a lot of time so arm yourself with patience and hope that the algorithm is decryptable.

Good Luck!
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: dantralee on November 01, 2015, 08:12:45 pm
Hello, the company I work for got hit with this last week and we had to pay the ransom (no backups). We were supplied with the unlock tool and key, but it doesn't seem to have worked on our server, unless it's after corrupting all our files. It did work on a PC that was infected with the same.

Do you know if there is any way to tell if a file is still encrypted besides trying to just open it? Or do you know another tool besides their tool where we could enter the key they gave us? Really stuck here, thanks for your help.

Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: mbuljan on November 01, 2015, 10:54:44 pm
Anyone had success with rakhnidecryptor?
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: never on November 02, 2015, 09:25:54 am
Hello, dantralee
As far as I know there are two ways to spot an encrypted file:
One way is to use https://www.cryptool.org/en/ Cryptool, software for cryptanalysis. I am not very familiar with it but you may want to check it out.

The other way is to look for a unique encryption key that is in a completely random sequence. You can do this by using Python in Ubuntu.
First, you should download ubuntu iso from here:
http://www.ubuntu.com/download/desktop (http://www.ubuntu.com/download/desktop)
Then you should download unetbootin and boot ubuntu into a flash drive. Download and boot instructions here:
http://unetbootin.github.io/ (http://unetbootin.github.io/)
After you have booted into ubuntu you should type 'Terminal' in the search bar on top left and open it.
After you have opened the Terminal, type:
sudo apt-get update
sudo apt-get install python3.2
sudo apt-get install sqlite3 libsqlite3-dev
sudo gem install sqlite3-ruby

Then, download decrypt.py by right-clicking on the following link and choosing Save as...
https://bitbucket.org/cybertools/malware_tools/raw/fa4ec9df293b2504a1fa8691c91f006f32acb8bc/bitcrypt/decrypt.py (https://bitbucket.org/cybertools/malware_tools/raw/fa4ec9df293b2504a1fa8691c91f006f32acb8bc/bitcrypt/decrypt.py)
Save it in your home folder in order for the next command to work properly. Now copy the file you want to check for encryption in the very same home folder and type this command in the Terminal:

python ./decrypt.py "Your_Encrypted_Document_Name_and_Extension"

After that you should be able to see something like this:

(http://sensorstechforum.com/wp-content/uploads/2015/08/code1.png)

Attach a screenshot and send it back or simply send me the file in case you are having difficulty establishing whether it is encrypted or not and I will check it.

Best Regards,
Never
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: never on November 02, 2015, 10:07:09 am
Hello, mbuljan
Yes, fortunately it is confirmed for sure that Rakhni Decryptor works! It just takes a bit more time to decrypt the files. In case it doesn't work for you, you may have seen another variant of the ransomware. In this case you should try either this method via Linux OS using cado-nfs, part of which I mentioned in my previous reply:

http://sensorstechforum.com/restore-files-encrypted-via-rsa-encryption-remove-cryptowall-and-other-ransomware-manually/ (http://sensorstechforum.com/restore-files-encrypted-via-rsa-encryption-remove-cryptowall-and-other-ransomware-manually/)

Or using other Kaspersky decryptor tools:

http://support.kaspersky.com/viruses/utility# (http://support.kaspersky.com/viruses/utility#)

There is also another method for decryption, but it is near Sci Fi since it hasn't even been completely revealed to the public or made user friendly:

http://sensorstechforum.com/rsa-encryption-finally-broken/ (http://sensorstechforum.com/rsa-encryption-finally-broken/)
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: Miloss66 on November 04, 2015, 03:19:00 pm
Hello mbuljan,
I can confirm that Kaspersky RakhniDecryptor is working perfectly! It took 2 days and 2 hours, but all files were decrypted and successfully restored.
Thank you all for posting this, you save my ass...  :D
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: mbuljan on November 04, 2015, 09:52:25 pm
Yaaaay.... i want to confirm too, it took 2 days and 2 hours too... Thank you never on your help...
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: never on November 05, 2015, 04:20:45 pm
Glad it was useful. Ransomware is just going out of control lately...
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: florind on November 06, 2015, 02:31:18 pm
Please, Miloss66 and mbuljan, can you look in the log file of rakhnidecryptor and tell the "Current state number" where it found the key? This can save us 2 days of computing. Thank you!
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: ibn on November 07, 2015, 09:38:48 pm
Many many many thanks to all of you, and of course to Kaspersky and God bless you! Excuse me for my poor English. Rakhnidecryptor is a golden tool. After 2d, 18h on my Intel dual core the password was found, and it has decrypted all the affected files. I tried most of them and they are OK. The future solution for me is an external HDD not connected all the time, only when I need it. All my best wishes from RO
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: xxxnick on November 09, 2015, 12:27:27 pm
Hi all,

...unfortunately no luck yet ... 5 days and 20 hours!

Nikos
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: Execute on November 09, 2015, 01:36:41 pm
@ibn
I am glad that it worked! An external disk is a good prevention method for important files to be locked and I endorse it!  ;)

@xxxnick
Well, Nikos, there are different variants of the ransomware and it seems some variants lock the files with a stronger password. Just wait more, to see if you get lucky in the end. Best of luck!
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: never on November 09, 2015, 04:56:53 pm
@xxxnick

Do you mind if I ask what model is your computer and what is its CPU model if you can find them?

The reason I am asking you is because of the fact that in some computers it may take some time, depending on the CPU power, ram and hard drive/ solid drive.
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: test4just on November 09, 2015, 05:24:28 pm
" Please, Miloss66 and mbuljan, can you look in the log file of rakhnidecryptor and tell the "Current state number" where it found the key? This can save us 2 days of computing. Thank you! "

It worked for about 24 hours. It said it had found the password, but nothing happened. I unchecked the "delete encrypted files after decryption" so the file that I wanted to decrypt remained the same. No other copy of that file was made (like a decrypted one). I ran the Rakhni tool under a VirtualMachine and someone else clicked ok after Rakhni finished (that person told me that the only option in the tool at the end was ok or close, with the message: Password has been found). The file is still encrypted. In the Rakhni log file the last current state looks like this:
 13:56:11.0288 0x02d0  Current state: 557976 / 1000000
I believe this is where it found the password. If so, how can I use this current state number to avoid "rescanning"?
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: florind on November 10, 2015, 08:01:28 am
You can start Rakhnidecryptor in a command prompt window with parameters:
-h         -> help
-l          -> path and name for the log file
-start    -> value to start from [0;1.000.000] (for you should be 557976)
-end     -> the value where to stop the scan <=1.000.000
I didn't find yet the Password, so I don't know what you should do after.
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: Execute on November 10, 2015, 11:25:25 am
You can start Rakhnidecryptor in a command prompt window with parameters:
-h         -> help
-l          -> path and name for the log file
-start    -> value to start from [0;1.000.000] (for you should be 557976)
-end     -> the value where to stop the scan <=1.000.000
I didn't find yet the Password, so I don't know what you should do after.

That is helpful, but not everybody knows exactly how to do that.

First, if someone needs to get information about a log file from a previous RakhniDecryptor scan - they are .txt files located in your SystemDrive directory (the Drive where you have installed the Operating System), usually "C:\" . All logs start with the name "RakhniDecryptor." and are all visible.

Second, in order to start RakhniDecryptor in a CommandPrompt window, so you can write different parameters in it, you need to do the following:
(http://i.imgur.com/hOHc7dD.png) ===> (http://i.imgur.com/UDT4z9i.png)

Third, type in Command Prompt the following parameters:
Fourth, some optional commands you can type for convenience:
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: xxxnick on November 11, 2015, 01:33:43 pm
Hi Never,

still no luck ...7 days now!

About system configuration (poor pc) :
Processor: Intel(R) 2140 @ 1.60 Ghz 800Mhz
RAM: 3,00GB
OS: Win7 64-bit
Hard Disk: 500GB

In the Rakhni log file the last current state is : Current state: 644808 / 1000000 and continues...

Regards,
Nikos
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: never on November 11, 2015, 03:20:51 pm
Dear Nikos,

Can you share 1 file encrypted by this specific ransomware variant? I will make an attempt to decrypt it. Send it via email on this address:

idunn0@abv.bg

You may have been hit by a more difficult encryption containing variant and I will attempt to try decrypting it via several different methods, after which I will reply to you with instructions, if we succeed, that is.
Thanks in advance,
Never
PS: In case the file is not that important to you, you can straight up upload it as an attachment so others interested in this forum topic may also try to decrypt it.
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: xxxnick on November 12, 2015, 09:34:14 am
Hi Never,

I attach the file and thank you for your interest and your time

Thanks in advance,
Nikos
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: kazak on November 12, 2015, 10:47:38 am
Hi Never,

unfortunately I have been hit by the same helpme@freespeechmail.org ransomware, too
Currently I'm trying with RakhniDecryptor - still in the beginning.
I have a chance to have some pairs of original jpg files and encrypted ones. When I compare them it looks like only a block at the beginning of the file is encrypted and rest of it is the same in both versions.
Is this the normal variant of the virus, or I had been hit by some strange variant ?
Can I send you a sample to check?

Another strange thing is that I still cannot identify the source PC of infection. As two PCs have access to the same network resource, which has been affected, I checked both PCs with many scan and remove programs including Kaspersky, ESET, Malwarebytes, SpyHunter .... They also had ESET and Malwarebytes pre-installed and up to date. None of them shows a trace of the ransomware virus when checked with any of the above.
Is there a scan/remove tool which detects this malware?
I already checked system processes, files, etc. as per the manual removal guide, but didn't see anything suspicious, which makes me even more suspicious :)

Regards,
Kazak
 
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: kazak on November 12, 2015, 11:47:46 am
Hi again,

trying to check with cryptotool gives these results:

[root@:/usr/src/cryptotool#]python ./decrypt.py "DSC_4011_.jpg.id-9580666189_helpme@freespeechmail.org"
[-] Error parsing file footer
[root@:/usr/src/cryptotool#]python ./decrypt.py "14 yoga uprajneniq, koito da pravish vkyshti_.pdf.id-9580666189_helpme@freespeechmail.org"
[-] Error parsing file footer

Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: never on November 12, 2015, 12:51:11 pm
Hello, I have tried multiple times to decrypt files of the virus and it seems as though the creator of the ransomware may have improved his encryption algorithm. This means that it may no longer be possible to decrypt your files using RakhniDecryptor. I will continue working on newer instructions on how to decrypt and I will try to identify if it is at all possible to decrypt the files and which tool is needed. Stay tuned to this topic and do NOT pay the ransom money even if it is not possible to decrypt your files because this way you are funding the cyber-criminals to develop it even more.

PS: Thanks to information by Nod32 I have managed to find the encryption algorithms used by the variants of this trojan and I am currently looking for decryption tools for those algorithms. Here are the algorithms:

SHA512, 3DES
SHA512, AES
SHA512, Blowfish
SHA512, CAST-128
SHA512, CAST-256
SHA512, DES
SHA512, GOST
SHA512, ICE
SHA512, IDEA
SHA512, MARS
SHA512, MISTY1
SHA512, RC2
SHA512, RC4
SHA512, RC5
SHA512, RC6
SHA512, Serpent
SHA512, TEA
SHA512, Twofish

Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: never on November 12, 2015, 12:53:37 pm
Hello, kazak

It seems that your variant has not encrypted your files with the RSA encryption algorithm, which is what the Ubuntu tutorial is for. Please check my previous reply for the possible algorithms that the variants of this trojan use.

Otherwise I think you should try the following instructions, posted on the blog:

"BertaB
(Post author)
October 16, 2015 at 7:20 am

Hello,

This may be due to one of the following reasons:

1) Old python version.

sudo apt-get update && sudo apt-get install --only-upgrade python

2) Error in file name or command.

Check the command you typed carefully. Can you tell me which one is it? If it is this one:

python ./decrypt.py "MY ENCRYPTED FILE.jpg.bitcrypt"

it should be typed with the brackets exactly as seen above.

3) Error in the ‘decrypt.py’ file

In case it doesn't work you shouldn't try to look for the issue since you may lose a lot of your time in doing so.
Your best bet is to try DecrypterFixer. You can download it from here:

https://bitbucket.org/DecrypterFixer/malware_tools-1/get/fa4ec9df293b.zip (https://bitbucket.org/DecrypterFixer/malware_tools-1/get/fa4ec9df293b.zip)

It has a well made ‘decrypt.py’ file and should work for you.

In case the first web link is broken, try this one:

https://bitbucket.org/DecrypterFixer/malware_tools-1/get/fa4ec9df293b.zip (https://bitbucket.org/DecrypterFixer/malware_tools-1/get/fa4ec9df293b.zip)"



Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: never on November 12, 2015, 01:40:41 pm
For those of you who have File History or Backup enabled and use Microsoft Windows, you can download Shadow Explorer from here:

http://www.shadowexplorer.com/downloads.html (http://www.shadowexplorer.com/downloads.html)

This program looks for previous versions of backed up files. I hope it helps at least to those with File History enabled.
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: kazak on November 12, 2015, 02:03:04 pm
Hi Never,
I tried with decrypt.py from the links provided, but the error is the same.
I'm afraid it is not only encrypted with different encryption algorithms, but it looks like only the first 0h7530 bytes are encrypted. The rest of the files are identical, except a few bytes at the end.
I can attach a sample from a jpg I have both in original and encrypted form, exported as hexdump, but they are 400-500K each and I cannot post them here

Thank you for your time and concern on this!

Regards,
Kazak
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: never on November 12, 2015, 02:07:59 pm
Kazak, send it via email - idunn0@abv.bg
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: kazak on November 12, 2015, 02:32:44 pm
Never, sent them to email
Thanks!
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: never on November 12, 2015, 03:51:07 pm
Hello,

Here is a web link to one of the best user friendly data recovery tools that also has a free trial version:

http://www.easeus.com/datarecoverywizardpro/ (http://www.easeus.com/datarecoverywizardpro/)

The sole purpose of this software is to recover deleted files on your computer. Try to scan with it and see what happens. I have personally used the software and managed to recover several JPG files. However, there is a big IT DEPENDS.

Good Luck!
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: kazak on November 13, 2015, 08:07:59 am
Hi,

it looks like I have a variation of Ransom which encrypts only the first 30K of the files. The smaller ones are encrypted in full. This makes it very fast and aggressive, as it locks big and small files with the same speed. I think it does not copy the file and delete the original; it overwrites the first 30K bytes directly.

I had a shot with RakhniDecryptor (latest 07.2015 from Kaspersky) for both files smaller than 30K and bigger files.
Rakhni reports password found on the smaller file very quickly and tried to decrypt all bigger and smaller files, but unfortunately without success. In the end the files are not decrypted to their original state.
The interesting thing is that Rakhni seems to deal with partially decrypted files, as it decrypts only the first 30K of the bigger ones, and does not touch the unencrypted rest of the file! Unfortunately it does not find the real key or the encryption method in that case.
I'm not deep into crypto yet, but in that case has it really found the key and does it just not match the method for decryption? Or has it just not found the real key?

RakhniDecryptor still running with bigger file (Current state: 394512 / 1000000).

Will attach some samples from first case later

Regards
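
Added example, not part of any post in this thread and not code from Kaspersky or the decrypt.py project: a Python triage sketch for the earlier question of how to tell whether a file is still encrypted without opening it, built on kazak's observation that this variant overwrites only the first 0x7530 bytes. The signature table, the function names and the sample pair are assumptions constructed for illustration; the SHA-512 counter stream only stands in for ciphertext.

```python
import hashlib
import math
import os
import re
from collections import Counter

# Renaming pattern seen in this thread, e.g.
# "DSC_4011_.jpg.id-9580666189_helpme@freespeechmail.org"
NAME_RE = re.compile(r"^(?P<orig>.+)\.id-(?P<vid>\d+)_helpme@freespeechmail\.org$")
HEAD_LEN = 0x7530  # overwritten prefix length reported by kazak for his variant

# Well-known leading signatures for a few formats (assumed table, not exhaustive).
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".pdf": b"%PDF-",
         ".png": b"\x89PNG\r\n\x1a\n", ".zip": b"PK\x03\x04"}


def parse_name(name):
    """Return (original_name, victim_id) for a renamed file, else None."""
    m = NAME_RE.match(name)
    return (m.group("orig"), m.group("vid")) if m else None


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def header_state(name, data):
    """'intact', 'damaged' or 'unknown', judged by the expected signature."""
    parsed = parse_name(name)
    ext = os.path.splitext(parsed[0] if parsed else name)[1].lower()
    magic = MAGIC.get(ext)
    if magic is None:
        return "unknown"
    return "intact" if data.startswith(magic) else "damaged"


def diff_extent(original, suspect):
    """Compare a known-good copy with a suspect copy of the same file.
    Returns (first_diff, last_diff, extra_tail_bytes)."""
    n = min(len(original), len(suspect))
    diffs = [i for i in range(n) if original[i] != suspect[i]]
    first, last = (diffs[0], diffs[-1]) if diffs else (None, None)
    return first, last, len(suspect) - len(original)


def triage(name, data):
    """Summarise the signals for one file."""
    return {"renamed": parse_name(name) is not None,
            "header": header_state(name, data),
            "head_entropy": round(shannon_entropy(data[:HEAD_LEN]), 2),
            "tail_entropy": round(shannon_entropy(data[HEAD_LEN:]), 2)}


def build_constructed_pair():
    """Constructed sample: a fake 'JPEG' and a copy damaged as kazak describes."""
    original = MAGIC[".jpg"] + b"constructed sample text " * 2000
    stream = b"".join(hashlib.sha512(i.to_bytes(8, "big")).digest()
                      for i in range(HEAD_LEN // 64 + 1))[:HEAD_LEN]
    suspect = stream + original[HEAD_LEN:] + b"\x00" * 8  # a few extra bytes at the end
    return "sample.jpg.id-0000000000_helpme@freespeechmail.org", original, suspect


if __name__ == "__main__":
    name, original, suspect = build_constructed_pair()
    print(triage(name, suspect))
    print(diff_extent(original, suspect))
```

For formats that are already compressed (JPEG image data, PDF streams) entropy is high even in an intact file, so the signature check and a byte comparison against a known-good copy are the stronger signals.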

Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: never on November 13, 2015, 10:00:58 am
Hello, I have checked logs from people who have successfully decrypted their data and I am uploading a transcript of it here:

''19:16:39.0224 0x19c0  Current state: 46407 / 1000000
19:18:01.0337 0x1394 Password recovered
19:18:01.0337 0x1394  ProcessDriveEnumEx: Drive C:\ type 3:0
19:18:02.0132 0x1394  Known suspicious file: \\?\C:\ProgramData\Microsoft\IlsCache\ilrcache.xml.id-7689250192_helpme@freespeechmail.org
19:18:02.0138 0x1394  Decryption success: \\?\C:\ProgramData\Microsoft\IlsCache\ilrcache.xml.id-7689250192_helpme@freespeechmail.org -> \\?\C:\ProgramData\Microsoft\IlsCache\ilrcache.xml
19:18:02.0138 0x1394  Known suspicious file: \\?\C:\ProgramData\Microsoft\IlsCache\imcrcache.xml.id-7689250192_helpme@freespeechmail.org
19:18:02.0144 0x1394  Decryption success: \\?\C:\ProgramData\Microsoft\IlsCache\imcrcache.xml.id-7689250192_helpme@freespeechmail.org -> \\?\C:\ProgramData\Microsoft\IlsCache\imcrcache.xml
19:18:02.0153 0x1394  Known suspicious file: \\?\C:\ProgramData\Norton\URLS-{NIS2250124-SHPD-FSD51083}-S-1-5-21-3949044420-4057191696-281986591-1000.txt.id-7689250192_helpme@freespeechmail.org
19:18:02.0159 0x1394  Decryption success: \\?\C:\ProgramData\Norton\URLS-{NIS2250124-SHPD-FSD51083}-S-1-5-21-3949044420-4057191696-281986591-1000.txt.id-7689250192_helpme@freespeechmail.org -> \\?\C:\ProgramData\Norton\URLS-{NIS2250124-SHPD-FSD51083}-S-1-5-21-3949044420-4057191696-281986591-1000.txt
19:18:02.0160 0x1394  Known suspicious file: \\?\C:\ProgramData\NortonInstaller\Logs\2015-07-13-03h20m37s.7z.id-7689250192_helpme@freespeechmail.org''


For this particular variant, it seems very likely that there is one password for a huge number of files; however, there were some files which were unable to be decrypted. This is why I advise you to try to use Kaspersky on smaller files and, if at first you don't succeed, to try with another file until you manage to find the password. Once you do that, you may be able to decrypt the other files as well. Thank you for the information, kazak, I will also keep researching about this.
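
Added example, not part of never's post and not Kaspersky's code: a small Python parser for the RakhniDecryptor log lines quoted in this thread. It reports the last "Current state" counter printed before "Password recovered" (the number florind asked about) and which flagged files have no "Decryption success" line yet. The line formats are inferred from the transcripts posted here; the function and key names are illustrative.

```python
import re

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(0x[0-9a-fA-F]+)\s+(.*)$")
STATE_RE = re.compile(r"^Current state: (\d+) / (\d+)$")
SUCCESS_RE = re.compile(r"^Decryption success: (.+) -> (.+)$")
SUSPICIOUS_RE = re.compile(r"^Known suspicious file: (.+)$")

# Selection of lines copied from the transcript posted in this thread.
SAMPLE_LOG = r"""
19:16:39.0224 0x19c0  Current state: 46407 / 1000000
19:18:01.0337 0x1394 Password recovered
19:18:01.0337 0x1394  ProcessDriveEnumEx: Drive C:\ type 3:0
19:18:02.0132 0x1394  Known suspicious file: \\?\C:\ProgramData\Microsoft\IlsCache\ilrcache.xml.id-7689250192_helpme@freespeechmail.org
19:18:02.0138 0x1394  Decryption success: \\?\C:\ProgramData\Microsoft\IlsCache\ilrcache.xml.id-7689250192_helpme@freespeechmail.org -> \\?\C:\ProgramData\Microsoft\IlsCache\ilrcache.xml
19:18:02.0138 0x1394  Known suspicious file: \\?\C:\ProgramData\Microsoft\IlsCache\imcrcache.xml.id-7689250192_helpme@freespeechmail.org
19:18:02.0144 0x1394  Decryption success: \\?\C:\ProgramData\Microsoft\IlsCache\imcrcache.xml.id-7689250192_helpme@freespeechmail.org -> \\?\C:\ProgramData\Microsoft\IlsCache\imcrcache.xml
19:18:02.0160 0x1394  Known suspicious file: \\?\C:\ProgramData\NortonInstaller\Logs\2015-07-13-03h20m37s.7z.id-7689250192_helpme@freespeechmail.org
"""


def summarize_log(text):
    """Walk the log once and collect progress, recovery point and file results."""
    summary = {"last_state": None, "total": None, "progress": None,
               "password_recovered": False, "state_at_recovery": None,
               "decrypted": [], "pending": []}
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # blank or unrecognised line
        msg = line.group(3)
        m = STATE_RE.match(msg)
        if m:
            summary["last_state"] = int(m.group(1))
            summary["total"] = int(m.group(2))
            summary["progress"] = summary["last_state"] / summary["total"]
            continue
        if msg == "Password recovered":
            summary["password_recovered"] = True
            # Last counter printed before recovery: a lower bound for the hit.
            summary["state_at_recovery"] = summary["last_state"]
            continue
        m = SUSPICIOUS_RE.match(msg)
        if m:
            summary["pending"].append(m.group(1))
            continue
        m = SUCCESS_RE.match(msg)
        if m:
            summary["decrypted"].append((m.group(1), m.group(2)))
            if m.group(1) in summary["pending"]:
                summary["pending"].remove(m.group(1))
    return summary


if __name__ == "__main__":
    result = summarize_log(SAMPLE_LOG)
    print("state at recovery:", result["state_at_recovery"])
    print("decrypted:", len(result["decrypted"]), "pending:", len(result["pending"]))
```

The counter logged before recovery is only a lower bound for where the password was found, because the hit can fall between two progress lines.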
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: xxxnick on November 16, 2015, 01:36:58 pm
Hello,

after too days, the code has not found...  :'(

Nikos
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: kazak on November 16, 2015, 07:31:58 pm
Hi Nikos,

what file are you trying with?
I also tried first with small txt and jpg files, but without success.
The file which was successful in my case was a pdf file - recovered password after two days at 782637 step.
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: xxxnick on November 17, 2015, 10:17:41 am
Hi Kazak,

I tried with a small .jpeg (attached in previous post)
Suggest to try with other type files or other size? (there are some .vob large files)

Regards
Nikos
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: kazak on November 18, 2015, 12:55:51 am
Hi Nikos,
yes, use a PDF file bigger than 30KB

I succeeded only with pdf. Tried jpg and txt encrypted files prior

Kazak
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: Andygo on March 02, 2016, 07:42:11 pm
Hi all,
a friend of mine was hit by this virus and since it started I was following this forum for an answer, but nothing worked..
can please someone help me with this?
these are some important docs and I can't give up so easy
I used Rakhni Decryptor and it didn't work, I also waited for an update maybe that would solve the problem, but still nothing.
Encrypted docs extension: .id-0537026012_helpme @ freespeechmail(.)org
hope someone can help, I really need to decrypt these docs.  :(

EDIT by Admin: Just modified the extension so it's not a clickable link (just in case).
Title: Re: Decrypt files Encrypted By Helpme@freespeechmail.org Ransomware Virus
Post by: never on March 07, 2016, 04:47:30 pm
Hello, there is no update. It is advisable to keep attempting with different files and hopefully if one of the other files you scanned for the password is discovered, the other files will start recovering as well.

However, if you have tried that there is also an option to recover your files, if you haven't formatted your hard drive. There are many data recovery programs out there. Here are some that we have tested so far:

File Recover Plus (http://sensorstechforum.com/file-recover-plus-software-review/)
Stellar Phoenix Data Recovery Pro (http://sensorstechforum.com/data-recovery-pro-by-pareto-logic-software-review/)
Pareto Logic Data Recovery Pro (http://sensorstechforum.com/data-recovery-pro-by-pareto-logic-software-review/)

N.B. These are all licensed but you can also find free ones if you search online. Google is your friend :)

Regards and good luck,
Never