
'Help@decryptservice.info' Ransomware

By GoldSparrow in Ransomware

The 'Help@decryptservice.info' Ransomware is an encryption Trojan derived from the Bandarchor Ransomware, which also served as the basis for the Centurion_Legion Ransomware. Computer users may receive spam emails carrying attachments with a double extension that are designed to install the 'Help@decryptservice.info' Ransomware. Researchers add that they have also seen ads on adult-rated sites and online stores that include a script which installs the 'Help@decryptservice.info' Ransomware Trojan. The crypto malware at hand is not a rework of Bandarchor but rather an adapted version that may evade detection by AV scanners and heuristic models. As you may know, the creators of encryption Trojans test their work on Google's VirusTotal platform before going 'live' and distributing their product. That way, threats like the 'Help@decryptservice.info' Ransomware and the Al-Namrood Ransomware are able to infect many users before AV vendors catch up to them.

How the 'Help@Decryptservice.info' Ransomware Works

A successful infiltration by the 'Help@decryptservice.info' Ransomware leaves the victim having to deal with encrypted files. The 'Help@decryptservice.info' Ransomware Trojan is designed to encrypt data using the AES-256 cipher. Files stored locally and on removable drives connected to the computer are likely to be encrypted by the 'Help@decryptservice.info' Ransomware. Reports from compromised users reveal that the Trojan encodes recently accessed files first and then proceeds to other objects. For example, 'River birch.png' is transformed into 'River birch.png.id-[8 random characters]_help@decryptservice.info'. The 'Help@decryptservice.info' Ransomware can encipher the following file types:

.R3D, .RWL, .RX2, .P12, .SBS, .SLDASM, .WPS, .SLDPRT, .ODC, .ODB, .OLD, .NBD, .NX1, .NRW, .ORF, .PPT, .MOV, .MPEG, .CSV, .MDB, .CER, .ARJ, .ODS, .MKV, .AVI, .ODT, .PDF, .DOCX, .GZIP, .M2V, .CPT, .RAW, .CDR, .CDX, .1CD, .3GP, .7Z, .RAR, .DB3, .ZIP, .XLSX, .XLS, .RTF, .DOC, .JPEG, .JPG, .PSD, .ZIP, .ERT, .BAK, .XML, .CF, .MDF, .FIL, .SPR, .ACCDB, .ABF, .A3D, .ASM, .FBX, .FBW, .FBK, .FDB, .FBF, .MAX, .M3D, .DBF, .LDF, .KEYSTORE, .IV2I, .GBK, .GHO, .SN1, .SNA, .SPF, .SR2, .SRF, .SRW, .TIS, .TBL, .X3F, .ODS, .PEF, .PPTM, .TXT, .PST, .PTX, .PZ3, .MP3, .ODP, .QIC, .WPS.
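The rename pattern described above is the most reliable host-side indicator of this family, so a responder triaging a share or a backup listing can parse filenames against it to recover the original name, the victim id and the affected extension, and check whether the ransom note is present. The following is an added example, not code from the article or from the threat's author; it assumes the eight "random characters" are alphanumeric (the article does not say), uses a subset of the listed extensions, and runs over a constructed list of filenames:

```python
import re
from collections import Counter

# Ransom-note filename the article reports being dropped on the desktop.
RANSOM_NOTE_NAME = "HOW TO DECRYPT.txt"

# Rename pattern from the article: <original>.id-<8 chars>_help@decryptservice.info
# Assumption: the 8 "random characters" are alphanumeric; the article does not specify.
# Matching is case-insensitive because the article spells the address both ways.
RENAME_PATTERN = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Za-z]{8})_help@decryptservice\.info$",
    re.IGNORECASE,
)

# A subset of the extensions the article lists as targeted, upper-cased for comparison.
TARGETED_EXTENSIONS = {
    ".DOCX", ".XLSX", ".PDF", ".JPG", ".JPEG", ".TXT", ".ZIP", ".MDB", ".PST", ".PSD",
}

# Constructed sample directory listing (made-up names, not indicators from a real case).
SAMPLE_FILENAMES = [
    "River birch.png.id-A1B2C3D4_help@decryptservice.info",
    "Q3 budget.xlsx.id-0F9E8D7C_help@decryptservice.info",
    "notes.txt",                                        # untouched file
    "HOW TO DECRYPT.txt",                               # ransom note
    "report.pdf.id-12AB_help@decryptservice.info",      # id too short: not this pattern
]


def parse_encrypted_name(filename):
    """Return details for a filename matching the rename pattern, or None otherwise."""
    m = RENAME_PATTERN.match(filename)
    if not m:
        return None
    original = m.group("original")
    # Extension of the original file, before the ransomware appended its suffix.
    ext = ("." + original.rsplit(".", 1)[1]).upper() if "." in original else ""
    return {
        "original": original,
        "victim_id": m.group("victim_id"),
        "extension": ext,
        "extension_listed": ext in TARGETED_EXTENSIONS,
    }


def triage(filenames):
    """Summarise a listing: encrypted files, victim ids seen, extensions hit, note present."""
    hits = [h for h in (parse_encrypted_name(n) for n in filenames) if h]
    return {
        "encrypted_count": len(hits),
        "victim_ids": sorted({h["victim_id"] for h in hits}),
        "extensions": dict(Counter(h["extension"] for h in hits)),
        "ransom_note_present": any(n.lower() == RANSOM_NOTE_NAME.lower() for n in filenames),
        "encrypted": hits,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_FILENAMES)
    print(f"encrypted files: {summary['encrypted_count']}")
    print(f"victim ids: {summary['victim_ids']}")
    print(f"extensions hit: {summary['extensions']}")
    print(f"ransom note present: {summary['ransom_note_present']}")
    for hit in summary["encrypted"]:
        print(f"  {hit['original']}  (id {hit['victim_id']}, listed ext: {hit['extension_listed']})")
```

Multiple victim ids in one listing usually mean more than one host wrote to the share, which is worth knowing before restoring from backup; a file whose original extension is not in the article's list (such as the .png in the article's own example) shows that the list should be treated as illustrative rather than exhaustive.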

The Contact Information Provided by the 'Help@Decryptservice.info' Ransomware

The modus operandi of the ransomware's author did not change, and victims are invited to write to Help@decryptservice.info or Shigorin.vitoli@gmail.com. The ransomware operator uses both email addresses to communicate with victims and relay instructions on how to make payment. The contact information is left as 'HOW TO DECRYPT.txt' on the desktop and reads:

'Attention!
Your files are encrypted with AES 256 algorithm!
Decoding is not possible without our decoder and universal key! In order to start the process of decoding the files, you need to contact us on the below contacts, with the subject: "1 am willing to pay for the decode my files" , attaching an example of an encrypted file
- Primary email: help@decryptservice.info
- Secondary email: shigorin.vitolid@gmail.com
- Telegram: @Decryptservice
we encourage you to contact us for all three contacts!
- Very important: we recommend to write email us with gmail or yahoo address, otherwise your email may not reach us ,check the spam folder, probably our response email is in it!
Do not try to decrypt files by third-party decipherers, otherwise you will spoil files!'

You can Find a Channel on the Telegram Messaging Service that is Dedicated to Victims of the 'Help@Decryptservice.info' Ransomware

Evidently, the 'support team' behind the 'Help@Decryptservice.info' Ransomware likes to 'help' users, and several communication channels are dedicated to helping victims purchase Bitcoins and transfer them to the wallet of the ransomware operators. Computer users are advised not to communicate with the cyber extortionists and may want to take another approach. Threats such as the 'Help@Decryptservice.info' Ransomware and the 'Recuperadados@protonmail.com' Ransomware can be removed with the help of a trusted anti-malware solution. Recovery of your data is possible through services like Google Drive and Dropbox if you have them installed. In addition, backup images and archives allow for fast and reliable recovery of your data, which cannot always be said for cloud storage services.
