A new ransomware has started to appear on various computer support forums that encrypts your data and then appends the helpme@freespeechmail.org string to the filename. We believe this infection is part of a ransomware engine that different affiliates use, each with their own payment email address. When a computer becomes infected by this family of malware, the victim is assigned a unique ID. This ID and the associated ransom email address are then appended to the name of every file that is encrypted. For example, if an infected user received an ID of 4126721512 and a file called baseball.jpg is encrypted, the filename would become baseball.jpg.id-4126721512_helpme@freespeechmail.org. This infection also changes the Windows wallpaper to an image, as shown above, that contains instructions on how to pay for the decrypter. Thankfully, Kaspersky Lab has a utility called RakhniDecryptor that is able to brute force the decryption key for the helpme@freespeechmail.org ransomware and other variants.
To use RakhniDecryptor, you must first download it directly from Kaspersky's site. Though there may be other sites hosting this tool, it is strongly suggested that you download it only from Kaspersky, as they routinely update it for new members of this ransomware family. Once you have downloaded RakhniDecryptor, double-click the rakhnidecryptor.exe file to start the program. When the program starts, you will be shown the start screen as seen below.
If you need to scan Network drives that may have encrypted files, you can click on the Change Parameters option and put a checkmark in Network Drives. When in these settings, you should not put a checkmark in the Delete crypted files after decryption button unless you are 100% sure that the tool can properly decrypt your files.
When you have finished, you can press the OK button and then click the Start Scan button. You will then be prompted to select an encrypted file. As the program has not been fully updated to support the helpme@freespeechmail.org variant, you need to enter *.* in the file name field and then press Enter on your keyboard. This forces RakhniDecryptor to show every file type, including the freespeechmail.org encrypted files. Once you select an encrypted file, you will receive a warning that the brute force process can take many hours, if not days. Press OK on this warning and the program will begin to brute force the password. If it is successful, it will then scan the rest of your drives for related files and decrypt them as well. When it has finished, it will display a report showing how many files have been decrypted.
RakhniDecryptor is able to decrypt files that have been encrypted and renamed to the following filenames:
<filename>.<original_extension>.<locked>
<filename>.<original_extension>.<kraken>
<filename>.<original_extension>.<darkness>
<filename>.<original_extension>.<nochance>
<filename>.<original_extension>.<oshit>
<filename>.<original_extension>.<oplata@qq_com>
<filename>.<original_extension>.<relock@qq_com>
<filename>.<original_extension>.<crypto>
<filename>.<original_extension>.<helpdecrypt@ukr.net>
<filename>.<original_extension>.<pizda@qq_com>
<filename>.<original_extension>.<dyatel@qq_com>
<filename>.<original_extension>_crypt
<filename>.<original_extension>.<nalog@qq_com>
<filename>.<original_extension>.<chifrator@qq_com>
<filename>.<original_extension>.<gruzin@qq_com>
<filename>.<original_extension>.<troyancoder@qq_com>
<filename>.<original_extension>.<encrypted>
<filename>.<original_extension>.<cry>
<filename>.<original_extension>.<AES256>
<filename>.<original_extension>.<enc>
<filename>.<original_extension>.<coderksu@gmail_com_id371>
<filename>.<original_extension>.<coderksu@gmail_com_id372>
<filename>.<original_extension>.<coderksu@gmail_com_id374>
<filename>.<original_extension>.<coderksu@gmail_com_id375>
<filename>.<original_extension>.<coderksu@gmail_com_id376>
<filename>.<original_extension>.<coderksu@gmail_com_id392>
<filename>.<original_extension>.<coderksu@gmail_com_id357>
<filename>.<original_extension>.<coderksu@gmail_com_id356>
<filename>.<original_extension>.<coderksu@gmail_com_id358>
<filename>.<original_extension>.<coderksu@gmail_com_id359>
<filename>.<original_extension>.<coderksu@gmail_com_id360>
<filename>.<original_extension>.<coderksu@gmail_com_id20>
<filename>.crypt@india.com.random_characters>
<filename>.<original_extension>.<hb15>
<filename>.<original_extension>.id-<id>_helpme@freespeechmail.org.
If your files become encrypted by any of the above ransomware variants, please do not pay the ransom. Instead, you should try this tool first, as you may be able to recover your files for free. As always, if you need any help with this tool, do not hesitate to ask.
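The renaming scheme described above can be used to take stock of affected files before running the decryptor. The following Python script is an added example, not part of the original article or of Kaspersky's tool; its function names and sample paths are constructed for illustration. It parses the `<name>.id-<id>_<email>` suffix and counts affected files per ID, contact address and original extension, without modifying anything on disk.

```python
import os
import re
from collections import Counter, defaultdict

# Naming scheme from the article: <original name>.id-<ID>_<ransom email>
# The email part is kept generic because affiliates use their own addresses.
RENAMED = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>\d+)_(?P<contact>[^\s/\\]+@[^\s/\\]+)$")

def parse_name(path):
    """Split a renamed file into original name, extension, ID and contact."""
    base = re.split(r"[\\/]", path)[-1]   # works for Windows and POSIX paths
    m = RENAMED.match(base)
    if not m:
        return None                        # not renamed by this family
    original = m.group("original")
    return {"original": original,
            "ext": os.path.splitext(original)[1].lower(),
            "victim_id": m.group("victim_id"),
            "contact": m.group("contact")}

def inventory(paths):
    """Count renamed files per (ID, contact), broken down by original extension."""
    groups = defaultdict(Counter)
    for path in paths:
        info = parse_name(path)
        if info:
            groups[(info["victim_id"], info["contact"])][info["ext"]] += 1
    return groups

def walk(root):
    """Yield every file path under root (read-only; nothing is changed)."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(folder, name)

# Constructed sample paths; the first file name is the article's own example.
SAMPLE = [
    r"C:\Users\a\Pictures\baseball.jpg.id-4126721512_helpme@freespeechmail.org",
    r"C:\Users\a\Documents\report.doc.id-4126721512_helpme@freespeechmail.org",
    r"C:\Users\a\Documents\budget.xls.id-4126721512_helpme@freespeechmail.org",
    r"C:\Users\a\Documents\notes.txt",
]

if __name__ == "__main__":
    # Replace SAMPLE with walk("D:\\") to inventory a real drive.
    for (victim_id, contact), exts in inventory(SAMPLE).items():
        print(victim_id, contact, dict(exts))
```

More than one ID in the output means the files were encrypted in separate infections, so a key recovered for one group should not be assumed to fit the other.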
Comments
StEliosGR - 8 years ago
Question.
I choose any encrypted file on my PC?
And after I chose and found the password the utility decrypts all the other files automatically?
Lawrence Abrams - 8 years ago
Correct. Select an encrypted file and it will try and brute force the password. If it can find a password, it will then use it to decrypt the rest of your files.
TheJokerz - 8 years ago
I am glad to see that one of these antivirus companies is fighting the good fight.
shoricelu - 8 years ago
I tried to decrypt helpme@freespeechmail.org and it did find the password, decoded files but the JPEG file (I only had JPEG files needed) cannot be accessed. Preview not available. Cannot open files. Any help? Something I'm doing wrong? Thank you for the good work.
Lawrence Abrams - 8 years ago
So I understand, it was not able to decrypt jpg files, but it did decrypt everything else? Are you talking about files with the .jpeg or .jpg extension, or both?
shoricelu - 8 years ago
I didn't need anything else. So I moved the encoded .JPG files to a USB drive (might this be a problem?) and then tried to decode. Didn't try on the infected computer nor on any other files. Thanks for the swift reply :))))
Lawrence Abrams - 8 years ago
It should have scanned the removable drives as well. Let me see if I can have someone help who is more familiar with the tool.
B-boy/StyLe/ - 8 years ago
Please make sure that you have enough free disk space available or the tool will fail to decrypt the files. Also, don't rename the files to change their extensions yourself. The tool can decrypt files only in case of weak random generator on the malware side (the key can be different for the same extension of the encrypted files). In other words, there is no 100% guarantee that if a friend of yours was able to successfully decrypt his/her files using this tool it will be successful for you as well.
shoricelu - 8 years ago
I have enough space. Didn't make any extension changes. The tool said Password found. And the decoded files are unreadable.
TheNext - 8 years ago
Hello friends, unfortunately my personal PC was infected. I'm not sure how I've got it but I think it was by email. Now I'm trying to recover my files. My question is how PCs are infected with this? I ask because I use Teamviewer (remote desktop app) to connect my PC at work and my personal PC. I am afraid that I can infect the company network or I've already done it :( . How long after infection does the malware start to encrypt the files? Thanks all of you for your posts, they help a lot. I am sorry for my bad English.
Lawrence Abrams - 8 years ago
We have not found a dropper for this so unfortunately we are not sure how a computer becomes infected.
Agroplus - 8 years ago
Hi,
Sorry for disturb, but I need help. I have MS ACCESS files on my PC, that are infected by ransomware helpme(at)freespeechmail.org
I don't have any backup. I try with Kaspersky RakhniDecryptor but it doesn't recognize mdb files.
I can't use shadow explorer because I use win xp sp3 and it doesn't work on it.
help if you can, please.
Lawrence Abrams - 8 years ago
What happens if you do the trick I mentioned in the article to show all files and select a mdb file?
Agroplus - 8 years ago
I can browse file with *.* but Kaspersky RakhniDecryptor doesn't recognize .mdb files.
Lawrence Abrams - 8 years ago
Unfortunately there is nothing we can do then. I will see if I can ping the author of the tool to include these additional files.
Agroplus - 8 years ago
Thank you Grinler, for trying. It is very important to me.
florin1 - 8 years ago
Hi,
In a hurry to decrypt files encrypted (..._helpme @ freespeechmail.org) by this virus I ran rakhnidecryptor on 3 computers, first one, from 1 to 300000, second from 300000 to 600000 and the last the rest to 1000000. It finally finished but no password was found.
Any ideas?
Lawrence Abrams - 8 years ago
Unfortunately in some cases the password cannot be found.
krijur - 8 years ago
Hello.
Few days ago I was a victim of virus helpme@freespeechmail.org. All my files were decrypted so I took above mentioned steps and used RakhniDecryptor. In settings I didn't check delete crypted files after decryption so after decryption besides decrypted files I still had files with helpme@freespeechmail.org extension. So I once again started RakhniDecryptor (because I thought that I still have some decrypted files). This time I checked delete crypted files after decryption. After RakhniDecryptor decrypted my files once again, decrypted files were deleted but then I found a big problem... all my files (jpg, Word, Excel...) are now corrupted and I cannot open them... I'm desperate now, does anybody know how to help me? (sorry for my English)
TemplarLord - 8 years ago
Hi Grinler,
awesome that Kaspersky made this tool. I have 2 clients now who were infected by above-mentioned virus and both lost a lot of data. Some of the most important data were databases with a .FDB extension. Could you ask the Kaspersky guys if they can look into it as well as .MDB for Agroplus?
Thanks bro
mdaemon - 8 years ago
Hi,
I have to thank so much whoever wrote this article and Kaspersky who made this tool, since after 2 days it successfully recovered almost all my crypted files.
Andrea
Lawrence Abrams - 8 years ago
Glad it worked for you!
TemplarLord - 8 years ago
Hi guys,
the utility manages to decrypt all files regardless of extension. The only difference being that you can't select, for example, an .FDB file against which the utility will use its brute-forcing capabilities.
I managed to get all the files back, including the ones located on network storage. Thanks goes to BleepingComputers and its users and of course Kaspersky; you guys were made in the image of the gods. :)
MarkusWNi - 8 years ago
Hi Guys,
I've the same, damn, issue with this freespeech thing.
I'm actually running the Kaspersky RakhniDecryptor Tool on the affected server, it's still running for one of the encrypted files.
Is it possible to do the scan AND decryption for the whole server at one time or is it possible to do it for each single file?
Kind regards,
Markus
TemplarLord - 8 years ago
Hi MarkusWNi,
the way it works is:
1. Before the scan you specify which locations you want the utility to locate and decrypt encrypted files via the parameters button.
2. Once you start scanning, the utility asks you for one encrypted file which the utility will try to recover the decryption key for (this part is not best described in the utility).
3. The utility will notify you once it finds the correct decryption key and then it will decrypt all the data you specified in the first step.
It'll take some time, mostly depending on your CPU speed. My scan took 2 days and 8 hours on an AMD quad-core machine, and the correct decryption key was number 660,000 something-something.
When you have the correct decryption key you can do subsequent scans a lot faster by specifying some additional parameters when starting the utility via CLI. This is described better on the Kaspersky utility webpage, step 2 ( http://support.kaspersky.com/us/viruses/disinfection/10556 ). You can review the log for the correct number which the utility saves to the root of drive C:\.
MarkusWNi - 8 years ago
Hi TemplarLord,
thank you for your Answer, helped me a lot.
The Scan took 7 Hours but we were able to crack the password, now we will continue to decrypt all the other files.
Works a lot faster on a 4-core Intel CPU with HT :)
Thank you very much !
Kind regards
Markus
TemplarLord - 8 years ago
That's great bro, and yeah I bet Intel does it faster. :)
Hope you decrypt all your files without too much hassle. Kaspersky really did a great job.
nikosang - 8 years ago
Hello people
Thank you very much for your efforts. I got infected with the above mentioned ransomware and your help was precious for me. Right now I am decrypting and most of the files tested are OK! I hope it continues the same way for the next 30 hours that seems the tool will need to decrypt everything.
novator - 8 years ago
Hi, I have used RakhniDecryptor on files encrypted with helpme@freespeechmail.org and it worked. But every decrypted image is corrupted. Is it necessary to run this tool on the infected system or can I run it on any other machine (a faster one)?
mdaemon - 8 years ago
Hello novator,
I connected the hdd with the crypted files as a secondary one to a faster PC and it worked successfully.
TemplarLord - 8 years ago
Hey bro,
as mdaemon said, it shouldn't matter. So long as the utility sees the encrypted files it should decrypt them. Open up a new thread on the forums and post the log which was saved in drive C:\, it should help clarify the issue.
novator - 8 years ago
Thanks for the reply. It is really working. No matter what computer you are using. The problem was that I tried to decrypt a JPG image and I think that the tool is not able to recognize a successfully decrypted image. So I tried it on a Word (.doc) document and bang, it found the correct password that is working for all files. So my advice is NOT to use a jpg file for guessing the password.
Another hint is that you can select a Word document with the suffix helpme@freespeechmail.org by default.
Guys from Kaspersky are really great.
Thoro - 8 years ago
I'm probably slammed by a new variant of this ransomware.
The file names have this form:
WP_20151023_005.jpg.id-3660246556_email_info@cryptedfiles.biz
I tried the Kaspersky tool, and after a couple of hours, it claims to find the key, and tells me that it successfully decrypted the file, but unlikely the file remains unusable.
I have either some ciphered and not ciphered files to be compared. Can be useful to do something else ? Thanks
jjorge - 8 years ago
Hello Thoro,
I think so, but have you tried with another file type, for example .txt?
Regards.
dimxx24 - 8 years ago
Hi Grinler
I've got these files encrypted with this virus.
I ran Rakhnidecrypter and it says the password has been found successfully.
I let it finish the scan, but when the files are decrypted, the files do not work.
I try to open the decrypted files (in this case, a jpg file) and the file is not working.
Any ideas/help?
TemplarLord - 8 years ago
Hi dimxx24,
Jesus Christ, this ransomware is still active? That's just peachy, but we have the decryptor which hopefully still works (in the case that the virus was updated).
Try selecting another file when it asks you for one, preferably with another extension. I vaguely remember someone having an issue with a certain file type not working okay for the decryption process.
If still no luck, open up a thread on the forum ( https://www.bleepingcomputer.com/forums/f/239/ransomware-tech-support-and-help/ ) and post the log which should be located in your C:\ drive.
dimxx24 - 8 years ago
Hi TemplarLord,
Thanks for the reply.
Yes it looks like it's still alive :(
I have tried 3 different files with the same result.
Unfortunately I have no other file types, only .jpg.
I have opened a thread in the forum, let's hope someone will shed some light into this!
Again, thanks for the reply and the heads up.
joanaaraujo - 7 years ago
Hi, some files were encrypted by helpme@freespeechmail.org. I installed Kaspersky RakhniDecryptor but when I choose the file it gives me an error "unsupported encrypted file type".
Can you help please?