A closer look at what "help recover files.txt" ransomware actually is
Ransomware makes programs like adware pale in comparison as it is truly a nasty piece of work. Adware can be annoying enough when it decides to constantly redirect your internet searches and spyware is scary when it starts logging your key strokes, but "help recover files.txt" ransom virus can actually cause you to lose all of your data – whether that be business intel or your vacation photos. You can only imagine the amount of inconvenience and distress that such a thing would result in. Falling victim to this ransomware can cost you dearly – both financially and personally.
How does ransomware work?
Ransomware is a money generator and it attempts to scam innocent PC users out of their hard earned cash by preying on their – and their computer's – vulnerabilities. Ransomware will infect your machine and then kidnap, or encrypt your files and documents. You won't be able to access them and the parts of your operating system that allow you to search for the malware, and the internet may be inaccessible too: anything to stop you from thwarting the malware in its evil game.
What happens next is that you'll be shown a message on your screen or sent an email that demands payment of a ransom in return for a decryption code so that you can unlock your files and system. Some variants of this ransom virus simply leave a "help recover files.txt" document with instructions on how to get your files back. The message states the following:
Hi, What happened to your files?
All your files were protected by a strong encryption with RSA-2048
More information about the encryption keys using RSA-2048 can be found heres https://en.wikipedia.org/RSA
What does this mean?
This mean that the structure and data within your files have been irrevocably change and only we can help you to restore it.
How did this happen?
Especially for you, on our server was generated the secret key pair RSA-2048 - public and private
All your files were encrypted with the public key, which has been transferred to your computer via internet.
Decrypting of your files is only possible with the help of the private key and decrypt program which is on our server
You can buy our tool with private key that will recover all your files. It cost's 4 bitcoins and you need send it to bitcoin address [edited]. 1 bitcoin ~= 240 US $.
You can make bitcoin payment without any bitcoin software. For this you can use one of this bitcoin exchanger from this exchange list to send us bitcoins
Cyber criminals create a ransom note on the fly once they know your location and other useful information. Instead of giving you general information on how to buy and send bitcoins they list bitcoin markets available in your country. That's important because not every victim knows how to buy bitcoins. Most probably don't know what it is. And just in case you are not already at breaking point over the thought of never seeing your files again, the ransomware may up the ante by pretending that the FBI or CIA (depending on which country you are in) has sent the ransom note. It will tell you that you have been caught looking at illegal sites or downloading pirated files or software – and that only by paying will you be let off the hook.
Ready to grab your credit card? Stop right there. For one thing the CIA simply doesn't operate this way and no reputable national law enforcement agency would simply charge you for accessing websites or downloads if they were truly illegal. The second reason by you shouldn't hand over any money is that numerous people do – and numerous people don't receive a decryption code. So where does that leave you?
What should I do if I've been infected?
It's easy to say, but try not to panic. And whatever you do, don't pay the ransom unless the encrypted files are very important and you can't afford to lose them. If the encrypted files are not very important or you don't have money to pay the ransom, you can remove try to restore your files (at least some of them) using Shadow Explorer, Recuva and some other specialized tools listed below. Please note that even of you decide to pay the ransom there's really no guarantee that cyber crooks will recover your files.
If you have any questions, please leave a comment below. Last, but not least, if there's anything you think I should add or correct, please let me know. It might be a pain but the issue needs to be dealt with – and the way to do it is by not giving in, not paying up and not letting the attackers win.
Written by Michael Kaur, http://deletemalware.blogspot.com
Step 1: Removing "help recover files.txt" and related malware:
Before restoring your files from shadow copies, make sure that this ransomware is not running. You have to remove this malware permanently. Thankfully, there are a couple of anti-malware programs that will effectively detect and remove this malware from your computer.
1. First of all, download and install recommended anti-malware scanner. Run a full system scan and remove detected malware.
2. Then, download ESET Online Scanner and run a second scan to make sure there are no other malware running on your computer.
That's it! Your computer should be clean now and you can safely restore your files. Proceed to Step 2.
Step 2: Restoring files encrypted by "help recover files.txt" virus:
Method 1: The first and best method is to restore your files from a recent backup. If you have been regularly performing backups, then you should use your backups to restore your files.
Method 2: Try to restore previous versions of files using Windows folder tools. To learn more, please read Previous versions of files.
Method 3: Using the Shadow Volume Copies:
1. Download and install Shadow Explorer. Note, this tool is available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8.
2. Open Shadow Explorer. From the drop down list you can select from one of the available point-in-time Shadow Copies. Select drive and the latest date that you wish to restore from.
3. Righ-click any encrypted file or entire folder and Export it. You will then be prompted as to where you would like to restore the contents of the folder to.
Hopefully, this will help you to restore all encrypted files or at least some of them.