A new ransomware has started to become seen on various computer support forums that encrypts your data and then appends the helpme@freespeechmail.org string to the filename.  We believe this infection is part of a ransomware engine that different affiliates utilize, but with their own payment email addresses.  When a computer becomes infected by this family of malware, the victim will be assigned a unique ID. This ID and the associated ransom email address will then be appended to any files that are encrypted. For example, if an infected user received an ID of 4126721512 and a file called baseball.jpg is encrypted, the filename would become baseball.jpg.id-4126721512_helpme@freespeechmail.org.  This infection also changes the Windows wallpaper to an image, as shown above, that contains instructions on how to pay for the decrypter. Thankfully, Kaspersky Lab has a utility called RakhniDecryptor that is able to brute force the decryption key for the helpme@freespeechmail.org ransomware and other variants.

To use RakhniDecryptor, you must first download it directly from Kaspersky's site. Though there may be other sites hosting this tool, it is strongly suggested that you only download it only from Kaspersky as they are routinely updating it for new members of this ransomware family. Once you have downloaded RakhniDecryptor, you should double-click on the rakhnidecryptor.exe filename to start the program. When the program starts you will be shown the start screen as seen below.

 

If you need to scan Network drives that may have encrypted files, you can click on the Change Parameters option and put a checkmark in Network Drives.  When in these settings, you should not put a checkmark in the Delete crypted files after decryption button unless you are 100% sure that the tool can properly decrypt your files.

 

 

When you have finished, you can press the OK button and then click the Start Scan button.  You will then be prompted to select an encrypted file. As the program has not been 100% fully updated to support the helpme@freespeechmail.org variant, you need to enter *.* in the file name field and then press enter on your keyboard. This will then force RakhniDecryptor  to show any file type, including the freespeechmail.org encrypted files. Once you select an encrypted file, you will receive a warning that the brute force process can take many hours if not days.  Press OK on this warning and the program will begin to brute force the password. If it is successful it will then scan the rest of your drives for related files and decrypt them as well. When it has finished, it will display a report showing how many files have been decrypted.

RakhniDecryptor is able to decrypt files that have been encrypted and renamed to the following filenames:

<filename>.<original_extension>.<locked>
<filename>.<original_extension>.<kraken>
<filename>.<original_extension>.<darkness> 
<filename>.<original_extension>.<nochance> 
<filename>.<original_extension>.<oshit> 
<filename>.<original_extension>.<oplata@qq_com>
<filename>.<original_extension>.<relock@qq_com>
<filename>.<original_extension>.<crypto>
<filename>.<original_extension>.<helpdecrypt@ukr.net>
<filename>.<original_extension>.<pizda@qq_com>
<filename>.<original_extension>.<dyatel@qq_com>
<filename>.<original_extension>_crypt
<filename>.<original_extension>.<nalog@qq_com>
<filename>.<original_extension>.<chifrator@qq_com>
<filename>.<original_extension>.<gruzin@qq_com>  
<filename>.<original_extension>.<troyancoder@qq_com>
<filename>.<original_extension>.<encrypted>
<filename>.<original_extension>.<cry>
<filename>.<original_extension>.<AES256>
<filename>.<original_extension>.<enc>
<filename>.<original_extension>.<coderksu@gmail_com_id371>
<filename>.<original_extension>.<coderksu@gmail_com_id372>
<filename>.<original_extension>.<coderksu@gmail_com_id374>
<filename>.<original_extension>.<coderksu@gmail_com_id375>
<filename>.<original_extension>.<coderksu@gmail_com_id376>
<filename>.<original_extension>.<coderksu@gmail_com_id392>
<filename>.<original_extension>.<coderksu@gmail_com_id357>
<filename>.<original_extension>.<coderksu@gmail_com_id356>
<filename>.<original_extension>.<coderksu@gmail_com_id358>
<filename>.<original_extension>.<coderksu@gmail_com_id359>
<filename>.<original_extension>.<coderksu@gmail_com_id360>
<filename>.<original_extension>.<coderksu@gmail_com_id20>
<filename>.crypt@india.com.random_characters>
<filename>.<original_extension>.<hb15>
<filename>.<original_extension>.id-<id>_helpme@freespeechmail.org.

If your files become encrypted by any of the above ransomware variants, please do not pay the ransom. Instead you should try this tool first as you may be able to recover your files for free. As always if you need any help with this tool, do not hesitate to ask.