
Monday, May 4, 2015

How to Remove HELP_TO_SAVE_FILES.txt Virus and Restore Encrypted Files

HELP_TO_SAVE_FILES.txt is a ransom note that contains links and instructions for paying the ransom to decrypt files that were encrypted by Alpha Crypt ransomware. The ransom Trojan encrypts your files using a very strong RSA-2048 encryption algorithm, appends the .ezz extension to each encrypted file and creates multiple HELP_TO_SAVE_FILES.txt files on your computer. Basically, this ransom note can be found in every folder with at least one encrypted file. In this day and age, we all need to know as much as we can about the different types of malware that are out there trying to do us harm, and ransomware is one type it is in our interest to know a little more about. Staying one step ahead of cyber crime is crucial, so if you want to know how best to protect yourself from falling victim to this particularly nasty form of malware, carry on reading as I will give you a couple of simple ways to keep the ransomware at bay.

What is Alpha Crypt and why does it create HELP_TO_SAVE_FILES.txt?

You may have heard of ransom Trojans because they are one of the most commonly found strains of malware. They are also one of the most unpleasant for sure. Not only does a ransom Trojan cause carnage on your computer by encrypting your documents, but it can have a serious effect on your overall security too, making you even more vulnerable to further attack by other types of malware, for example spyware.

How does this ransomware work?

If you have been infected by HELP_TO_SAVE_FILES.txt or Alpha Crypt ransomware, it will 'kidnap' your files and hold them hostage until you pay for their release. Some users reported that cyber criminals asked them to pay 1 Bitcoin while others mentioned only 0.5 Bitcoin. One way or another, it's still at least $100. It's a classic and time-worn method of extorting money; the only difference is that now we're dealing with online kidnapping. But this one is even more evil. It tries to delete shadow copies and even restore points to make it nearly impossible to restore your files. Luckily, it does not always succeed, so there is a chance you can recover your encrypted data files using file recovery programs such as TeslaCrypt Decryption Tool by Cisco. Cisco programmers did a great job. The tool worked well with the previous version of this ransomware called Tesla Crypt.

Two ways of defending your computer from ransomware
  1. The majority of ransom Trojans are spread via email attachments or links in instant messenger chats. Therefore never open attachments or click on links in messages where you don't know the sender. Other Trojans are packaged with shareware or peer-to-peer files, so only download from reputable sources.
  2. A smaller, but still significant, number of Trojans are installed during a 'drive-by installation', meaning you have visited a website that has been compromised by the malware. There's no way of telling which sites are infected, but bear in mind that the shadier the site, the more chance you have of leaving with some kind of infection.
So, this is the strategy that HELP_TO_SAVE_FILES.txt ransom virus employs. It is designed to look innocent, or useful, and fool you into thinking you are downloading a game, the latest Taylor Swift album from a freeware or shareware file (if Taylor's your thing!), or maybe even an anti-virus tool. All things that look benign, fun or useful; but chances are you might actually be downloading ransomware instead.

Is there a way to recover my files?

Unfortunately, at this time there is no way to decrypt the files without your unique decryption key, which can be bought from cyber criminals for 1BTC. However, do not pay the ransom unless your files are very important to you, are worth more than $100 or $300, and the tools given below do not work. Instead, follow the removal guide below to salvage your data and clean your computer ASAP. There are a few tools that can help you to restore at least some of your files without paying a ransom: Shadow Explorer and TeslaCrypt Decryption Tool by Cisco. Even though there's no guarantee that these tools will help you, there's also no reason not to try them out. Who knows, maybe you will be the lucky one. Please follow the steps in the removal guide below.

If you have any questions, please leave a comment below. And now that you're done reading this, may I suggest that you back up all your files onto an external hard drive NOW. That way, if you are unlucky enough to fall victim to HELP_TO_SAVE_FILES.txt ransomware, you'll be able to simply wipe your internal disk drive clean and replace its contents with up-to-date data. Good luck and be safe online!

Written by Michael Kaur

Step 1: Removing Alpha Crypt and related malware:

Before restoring your files from shadow copies, make sure Alpha Crypt is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.

1. First of all, download and install the recommended anti-malware scanner. Run a full system scan and remove detected malware.

Important! If you can't download or run it, please restart your computer in Safe Mode with Networking or Safe Mode and try again.

2. Then, download ESET Online Scanner and run a second scan to make sure there is no other malware running on your computer.

That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.

Step 2: Restoring files encrypted by Alpha Crypt virus:

Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.

Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.

Method 3: Try the TeslaCrypt Decryption Tool by Cisco. Download the TeslaDecrypt tool and run it.

Method 4: Try the TeslaDecoder Decryption Tool. Download the TeslaDecoder tool and run it.

Method 5: Using the Shadow Volume Copies:

1. Download and install Shadow Explorer. Note: this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.

2. Open Shadow Explorer. From the drop-down list you can select one of the available point-in-time Shadow Copies. Select the drive and the latest date that you wish to restore from.

3. Right-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.

Hopefully, this will help you to restore all encrypted files or at least some of them.
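To know which files to look for in a backup or shadow copy, and to check what is still encrypted afterwards, you can inventory the folders that were hit. The script below is an added example, not part of the original post or of any tool named in it; it relies only on the note name and the .ezz extension given above, and its function names are illustrative.

```python
import os
import sys
from collections import defaultdict

NOTE_NAME = "HELP_TO_SAVE_FILES.txt"  # ransom note name, as given in the article
ENC_EXT = ".ezz"                      # extension appended to encrypted files


def inventory(root):
    """Walk root; return {folder: {"note": bool, "encrypted": [original names]}}."""
    report = defaultdict(lambda: {"note": False, "encrypted": []})
    # onerror swallows unreadable folders so one locked directory does not stop the scan
    for folder, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lower = name.lower()  # Windows file names are case-insensitive
            if lower == NOTE_NAME.lower():
                report[folder]["note"] = True
            elif lower.endswith(ENC_EXT) and len(name) > len(ENC_EXT):
                # The extension is appended, so stripping it gives the original name.
                report[folder]["encrypted"].append(name[: -len(ENC_EXT)])
    return dict(report)


def restore_list(report):
    """Sorted full paths of the original files to look for in a backup or shadow copy."""
    return sorted(
        os.path.join(folder, original)
        for folder, entry in report.items()
        for original in entry["encrypted"]
    )


def note_only_folders(report):
    """Folders with a note but no .ezz file left: already restored, or files were removed."""
    return sorted(f for f, e in report.items() if e["note"] and not e["encrypted"])


if __name__ == "__main__":
    # Read-only scan: nothing is deleted, renamed or decrypted.
    rep = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in restore_list(rep):
        print("restore:", path)
    for folder in note_only_folders(rep):
        print("note only:", folder)
```

Run it once before restoring to get the list of files to export, and again afterwards to see which .ezz files are still unrecovered.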