What is _HELP_INSTRUCTION.TXT? Should I remove it?
_HELP_INSTRUCTION.TXT signals the presence of ransomware
The _HELP_INSTRUCTION.TXT file is a text document used by the CryptoMix family of ransomware[1]. The original version appeared in 2016. Since then, it has earned a reputation as a rapidly evolving threat, and its developers have released multiple versions. The most recent versions append the following extensions:
- Coban virus
- CryptoShield (1.0, 2.0 versions)
- Empty ransomware
- Error virus
- Exte virus
- Mole file-encrypting threat (and its subsequent versions: Mole02 and Mole03)
- Noob malware
- OGONIA malware
- Revenge malware
- Shark ransomware
- x1881 virus
- XZZX crypto-malware
- Zayka file-encrypting threat
The developers of this malware seek notoriety in the cybercrime market. Although their early versions were quite weak, over time CryptoMix became a real problem.
The latest versions, XZZX malware among them, do not exhibit any astonishing new features. In fact, the developers keep using the same .txt file to present their demands, except that each version lists different email addresses.
The malware also keeps using 11 RSA-1024 public keys to encrypt data. Luckily, Avast cyber security experts[2] have released a decrypter that works with some CryptoMix versions. Before you use the decrypter, make sure that the removal of _HELP_INSTRUCTION.TXT and the eradication of the malware are complete.
While most versions in this malware group do not differ much from each other, some display fake Windows notifications during the infection.
Distribution of the file
Since the file is generated by the malware, it spreads through the same channels as the threat. Usually, CryptoMix versions are distributed by the RIG exploit kit, which targets specific vulnerabilities in browsers. Likewise, a victim who failed to update the browser in time may be diverted to a website that asks them to download the malware executable disguised as a legitimate file.
Some CryptoMix versions have also spread through “the HoeflerText wasn’t found”[3] pop-ups. Be wary of this technique, and keep system programs and the browser up to date.
Do not install Adobe Flash updates from random sites. Note that when a genuine update is issued, the notification appears in Windows Action Center. Now let us discuss the options for removing the _HELP_INSTRUCTION.TXT file and the malware itself.
Eliminating _HELP_INSTRUCTION.TXT and the ransomware
You will need an automatic tool to remove the CryptoMix virus and its related components. FortectIntego, Malwarebytes or another malware elimination utility might come in handy.
You may encounter difficulties during malware removal. If so, reboot the system in Safe Mode and then launch a security utility to finish the removal of _HELP_INSTRUCTION.TXT and the elimination of the CryptoMix virus version. Only after the elimination may you perform data recovery. Download the decrypter from here.
[1] Ransom.CryptoMix. MalwarebytesLabs. The Security Blog from Malwarebytes.
[2] CryptoMix: Avast adds a new free decryption tool to its collection. Avast Security Blog.
[3] Tom Spring. ‘Hoeflertext’ Popups Target Browsers With Rat and Locky Ransomware. Threatpost. The first stop for security news.