What is *HELP_HELP_HELP*.hta? Should I delete it?

What does the *HELP_HELP_HELP*.hta file mean?

The *HELP_HELP_HELP*.hta file is a ransom note that the latest versions of Cerber ransomware leave on infected systems. The virus encrypts all files on the system, deletes volume shadow copies in the background, and then saves the ransom note on the desktop to make sure the victim learns about the infection. The name of the ransom note is partly random: the virus assigns a set of characters to each victim, so victims receive ransom notes named HELP_HELP_HELP[random characters].hta. The file extension, HTA, stands for HTML Application, which means that these files are usually opened by Internet Explorer. They are usually coded using VBScript or JScript. If you open such a file, it will behave like an executable file. When it opens, the HELP_HELP_HELP.hta file launches a program named CERBER RANSOMWARE. This program greets the user with the standard words of the Cerber virus:

Cannot you find the necessary files?
Is the content of your files not readable?
It is normal because the files names and the data in your files have been encrypted by „Cerber Ransomware”.

The message then explains that the files have been encrypted by the malware, and that currently the only tools that can restore these files are stored on the cybercriminals' servers. The criminals say that the damage is reversible, but in order to recover the encrypted data, the victim must buy special decryption software called “Cerber Decryptor”. The price of the decryptor varies depending on the version of the virus, but cybercriminals usually demand 1 or more Bitcoins. The Bitcoins should be transferred to the supplied Bitcoin wallet; this is the only way to send money to the criminals, because payment in the Bitcoin system ensures anonymity.

After infiltration, the Cerber malware also changes the desktop background to the HELP_HELP_HELP[random characters].jpg image, which is a shortened version of the ransom note. The image explains that the victim’s files have been encrypted and that more information can be found in the *HELP_HELP_HELP*.hta file. We must emphasize that this version of the virus does not add the virus version number on the desktop. That means it belongs to the Red Cerber category, because the text is highlighted in red rather than light green. The rest of the message informs the victim that they must install Tor Browser to open the “personal page”, which can be accessed via the given .onion link.
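As an added example (not part of the original article), the following Python triage script walks a directory tree and reports files whose names match the two artifacts described above: the HELP_HELP_HELP[random characters].hta note and the matching .jpg wallpaper. The function names are hypothetical, the sample file names are constructed, and the "random characters" part is matched loosely as an assumption.

```python
import os
import re
import tempfile
from collections import defaultdict

# Name pattern from the article: HELP_HELP_HELP plus random characters, ending
# in .hta (ransom note) or .jpg (wallpaper). The random part is matched loosely
# (assumption); matching ignores case because Windows file names do.
ARTIFACT_RE = re.compile(r"HELP_HELP_HELP.*\.(hta|jpg)$", re.IGNORECASE)
KIND = {"hta": "ransom note (HTA)", "jpg": "wallpaper image"}


def classify(filename):
    """Return the artifact kind for a file name, or None if it does not match."""
    m = ARTIFACT_RE.search(filename)
    return KIND[m.group(1).lower()] if m else None


def find_artifacts(root):
    """Map each directory under root to the matching artifacts found in it.

    Only names are inspected; nothing is opened, since an .hta file behaves
    like an executable when launched.
    """
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            kind = classify(name)
            if kind:
                hits[dirpath].append((name, kind))
    return dict(hits)


def demo():
    """Scan a constructed sample tree and return results keyed by relative path."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        samples = [(root, "_HELP_HELP_HELP_A1B2C3.hta"),  # constructed names
                   (root, "_HELP_HELP_HELP_A1B2C3.jpg"),
                   (docs, "help_help_help_9f.HTA"),       # case variant
                   (docs, "HELP_me.hta"),                 # lookalike, no match
                   (docs, "HELP_HELP_HELP.txt")]          # wrong extension
        for folder, name in samples:
            open(os.path.join(folder, name), "w").close()
        found = find_artifacts(root)
        return {os.path.relpath(d, root): v for d, v in found.items()}


if __name__ == "__main__":
    for directory, items in demo().items():
        print(directory, items)
```

To check a real system, call `find_artifacts` on a user profile or a mounted disk image. The directories it lists show where notes were dropped.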

How do you protect yourself from the *HELP_HELP_HELP*.hta file on your PC?

If you do not want to find the *HELP_HELP_HELP*.hta file on your computer one day, you should take action in advance to protect your system from ransomware viruses. Unlike simple ransomware, Cerber does not use spam as its only distribution method. It is a highly advanced virus that spreads via infected ad networks and websites. However, recent Cerber spam campaigns deliver malicious .zip archives with a Word file inside. The document contains a malicious script that, as soon as the victim enables macros, downloads and runs the malware. The most reliable tool for protecting against Cerber attacks is up-to-date anti-malware software. Do not forget to update it from time to time by downloading the necessary virus definitions and expanding its database. In the event that your computer gets infected by the malware, you will lose all your files. Therefore, backups are extremely important: you should create them from time to time and keep them away from your computer.

How do you delete *HELP_HELP_HELP*.hta from an infected PC?

Although you can simply delete the *HELP_HELP_HELP*.hta file from the system, that is by no means a sufficient step. This file was of course created by a dangerous virus, so you should delete it. You can uninstall the virus and make sure *HELP_HELP_HELP*.hta is removed by running a system scan with anti-spyware software.
