.Healforyou file extension ransomware (Restore .healforyou files)

Myantispyware team January 25, 2019    

Cyber threat analysts have discovered a new ransomware variant called .Healforyou ransomware. It appends the .healforyou file extension to the names of encrypted files. This post gives a brief summary of this new ransomware virus and explains how to restore .healforyou files for free.


Images encrypted by .Healforyou file extension ransomware

Immediately after launch, the .Healforyou ransomware scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware uses the file name extension to decide which files are subjected to encryption. It encrypts almost all types of files, including common ones such as:

.x, .zabw, .xpm, .7z, .wp6, .pdd, .pem, .xy3, .jpg, .pfx, .xlsb, .rgss3a, .xar, .zw, .qdf, .sum, .mdbackup, .kf, .wps, .bkp, .rofl, .mrwref, .dbf, .0, .yal, .xx, .rim, .upk, .1st, .blob, .zip, .slm, .xwp, .zi, .xld, .raf, .xlsm, .ppt, .wma, .xlsm, .wps, .arw, .wma, .rw2, .py, .wpw, .wpb, .pef, .das, .pptx, .re4, .r3d, .wb2, .bc7, .fos, .wpt, .sid, .wp5, .cfr, .rwl, .lbf, .nrw, .3dm, .dmp, .wpg, .odb, .cer, .dwg, .psk, .litemod, .bsa, .mp4, .esm, .hkdb, .iwi, .xbplate, .indd, .wpd, .xmmap, .t12, .xf, .bc6, .zip, .png, .sav, .x3f, .dba, .mpqge, .odt, .arch00, .wpe, .wm, .hkx, .ai, .wpl, .rb, .wot, .kdb, .vtf, .sidn, .wdp, .sidd, .icxs, .vdf, .xls, .layout, .ybk, .fpk, .wn, .wav, .avi, .bik, .wpa, .gho, .wpd, .ff, .apk, .wmv, .xls, .x3d, .pkpass, .sb, .cas, .yml, .db0, .xdb, .tor, .map, .eps, .odc, .wbz, .mlx, .xlk, .wire, .w3x, .hvpl, .zdb, .wbd, .p7c, .rar, .menu, .t13, .ibank, .wp4, .crt, .tax, .mddata, .hplg, .vpp_pc, .ysp, .gdb, .pptm, .raw, .wmd, .docx, .xml, .ncf, .sr2, .js, .wmo, .mef, .x3f, .xlsx, .docm, .m3u, .lrf, wallet, .ws, .bay, .mdf, .vpk, .rtf, .bkf, .wmf, .orf, .pst, .big, .xyp, .dng, .m2, .cdr, .syncdb, .ztmp, .jpeg, .webp, .pak, .bar, .doc, .mov, .zif, .css, .wsh, .zdc, .forge, .itm, .wbk, .wbmp, .wbm, .webdoc, .dazip, .sql, .ntl, .crw, .itdb, .itl, .odm, .csv, .wgz, .p12, .xxx, .mdb, .dcr, .lvl, .wcf, .1, .d3dbsp, .fsh, .snx, .xll, .der, .xlgc, .wmv, .ods, .erf, .p7b, .sis, .psd, .txt, .y, .srw, .mcmeta, .xmind, .wp, .vcf, .wsc, .wsd, .2bp, .xdl, .accdb, .dxg, .pdf, .ptx, .desc, .svg, .m4a, .cr2, .vfs0, .z, .3fr, .wp7, .xlsx, .sie, .jpe, .srf, .xbdoc, .wri, .epk, .flv, .kdc

Once a file is encrypted, its extension is changed to .healforyou. Next, the ransomware creates a file named ‘how_to_back_files.html’. This file contains information on how to decrypt all encrypted documents, photos and music. One of the variants of the ransom note is shown below:

YOUR PERSONAL ID
***

 
ENGLISH
ALL YOUR IMPORTANT DATA HAS BEEN ENCRYPTED.
The only method of recovering files is to purchase an unique private decryptor.
Only we can give you this decryptor and only we can recover your files.
For fast data recovery and vulnerability removal, contact us by e-mail:
healforyou@outlook.com
healforyou@cock.li

We guarantee full recovery after payment. To confirm the ability to return files, we decrypt one file for free. Attach to your email 1 test file. In the letter include your personal ID (look at the beginning of this document).

We will give you the decrypted file and assign the price for decryption all files.

After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions.

Attention!
Only healforyou@outlook.com or healforyou@cock.li can decrypt your files.
Do not attempt to remove the program or run the anti-virus tools.
Attempts to self-decrypting files will result in the loss of your data.
Modify encrypted files will result in the loss of your data.
Decoders other users are not compatible with your data, because each encryption key unique and will result in the loss of your data.
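
As an added example (not part of the original article or of any tool it names), the Python script below takes a read-only inventory of a folder tree using the two markers described above: the .healforyou extension and the how_to_back_files.html note. It assumes the extension is appended to the full original file name; the function names and the demo files are constructed for illustration.

```python
import os
import sys
import tempfile
from collections import Counter
from datetime import datetime, timezone

SUFFIX = ".healforyou"           # extension added to encrypted files (from the article)
NOTE = "how_to_back_files.html"  # ransom note file name (from the article)

def inventory(root):
    """Read-only walk of root: encrypted files, ransom notes, mtime window."""
    report = {"encrypted": [], "notes": [], "by_type": Counter(), "window": None}
    mtimes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE:
                report["notes"].append(path)
            elif name.lower().endswith(SUFFIX):
                # Assumption: the suffix is appended to the full original name.
                original = name[:-len(SUFFIX)]
                ext = os.path.splitext(original)[1].lower() or "(none)"
                report["by_type"][ext] += 1
                report["encrypted"].append((path, original))
                try:
                    mtimes.append(os.stat(path).st_mtime)
                except OSError:
                    pass  # unreadable file: still counted, no timestamp
    if mtimes:
        # Last-write times only estimate when the encryption ran.
        report["window"] = (min(mtimes), max(mtimes))
    return report

def build_demo_tree(root):
    """Constructed sample data: empty files named the way the article describes."""
    samples = {"Docs/report.docx.healforyou": 1548400000,
               "Docs/how_to_back_files.html": 1548400100,
               "Pics/cat.JPG.healforyou": 1548400200,
               "Pics/notes.txt": 1548300000,
               "README.healforyou": 1548400300}
    for rel, mtime in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
        os.utime(path, (mtime, mtime))

def format_report(report):
    lines = [f"encrypted files: {len(report['encrypted'])}",
             f"ransom notes: {len(report['notes'])}"]
    lines += [f"  {ext}: {n}" for ext, n in sorted(report["by_type"].items())]
    if report["window"]:
        first, last = (datetime.fromtimestamp(t, timezone.utc).isoformat()
                       for t in report["window"])
        lines.append(f"last-write window (UTC): {first} .. {last}")
    return "\n".join(lines)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        print(format_report(inventory(sys.argv[1] if len(sys.argv) > 1 else demo)))
```

Run it with a folder path as the only argument to scan that folder; with no argument it scans the constructed demo tree. The list of original names shows what to look for in backups, Shadow Copies or PhotoRec output.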

The instructions below will help you remove the .Healforyou ransomware as well as restore encrypted files stored on your PC's drives.

Table of contents

  1. How to remove .Healforyou ransomware virus
  2. How to decrypt .healforyou files
  3. How to restore .healforyou files
  4. How to protect your personal computer from .Healforyou ransomware

How to remove .Healforyou ransomware virus

The following instructions will allow you to remove the .Healforyou ransomware virus and other malware. Zemana Anti-malware, Kaspersky virus removal tool and Malwarebytes Anti-malware can detect different types of active ransomware infections and easily remove them from your machine, but they cannot recover encrypted documents, photos and music.




Remove .Healforyou ransomware virus with Zemana Anti-malware

We advise using Zemana Anti-malware. You can download and install Zemana Anti-malware to find and remove the .Healforyou ransomware virus from your PC. Once installed and updated, the malware remover will automatically scan for and detect all threats present on the computer.

Zemana AntiMalware (ZAM) gets rid of the .Healforyou ransomware virus and other kinds of potential threats such as malware and potentially unwanted programs

  1. Click the following link to download the latest version of Zemana Anti Malware (ZAM) for Windows. Save it to your Desktop.
    Zemana AntiMalware
    Author: Zemana Ltd
    Category: Security tools
    Update: July 16, 2019
  2. At the download page, click on the Download button. Your web browser will show the “Save as” prompt. Please save it onto your Windows desktop.
  3. After the download is complete, please close all software and open windows on your machine. Next, run the file called Zemana.AntiMalware.Setup.
  4. This will start the “Setup wizard” of Zemana AntiMalware on your computer. Follow the prompts and don’t make any changes to the default settings.
  5. When the Setup wizard has finished installing, Zemana Anti-Malware (ZAM) will launch and display the main window.
  6. Next, click the “Scan” button to start scanning your personal computer for the .Healforyou ransomware virus and other security threats. This process can take some time, so please be patient. While the Zemana AntiMalware program is scanning, you can see how many objects it has identified as threats.
  7. When finished, Zemana Free will open a list of found threats.
  8. You can delete threats (move them to Quarantine) by simply clicking the “Next” button. The tool will delete the .Healforyou ransomware virus and other kinds of potential threats like malware and potentially unwanted software and move the items to the program’s quarantine. When it has finished, you may be prompted to restart the computer.
  9. Close the Zemana Anti Malware (ZAM) and continue with the next step.

Use MalwareBytes to remove .Healforyou ransomware

You can remove the .Healforyou ransomware automatically with the help of MalwareBytes AntiMalware. We suggest this free malware removal utility because it can easily remove ransomware, ad-supported software, malware and other undesired apps together with all their components such as files, folders and registry entries.

Click the following link to download MalwareBytes Free. Save it to your Desktop so that you can access the file easily.

Malwarebytes Anti-malware
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020

Once the download is complete, close all apps and windows on your computer. Open the directory in which you saved the file. Double-click the icon named mb3-setup, as shown in the image below.

MalwareBytes Free for Microsoft Windows

When the installation starts, you will see the “Setup wizard” which will help you set up Malwarebytes on your computer.

MalwareBytes Anti-Malware for Windows setup wizard

Once the installation is finished, you’ll see a window like the one in the image below.

MalwareBytes AntiMalware for Windows

Now press the “Scan Now” button. MalwareBytes Anti Malware will begin scanning the whole computer to find the .Healforyou ransomware and other malware. Depending on your PC, the scan can take anywhere from a few minutes to close to an hour. When malware, adware or PUPs are found, the number of security threats will change accordingly. Wait until the scan is finished.

MalwareBytes for Windows scan for .Healforyou ransomware

After the scan is complete, MalwareBytes will show you the results. You can get rid of the threats (move them to Quarantine) by simply clicking the “Quarantine Selected” button.

MalwareBytes AntiMalware for Windows, scan for virus is done

Malwarebytes will now remove the .Healforyou ransomware and other kinds of potential threats and move the items to the program’s quarantine. When the cleaning process is complete, you may be prompted to reboot your computer.

MalwareBytes Anti-Malware (MBAM) for Microsoft Windows reboot dialog box

The following video explains a few simple steps on how to delete hijackers, adware and other malware with MalwareBytes Free.

Use KVRT to remove .Healforyou ransomware virus from the personal computer

If MalwareBytes anti-malware or Zemana anti-malware cannot remove the .Healforyou ransomware, then we recommend running KVRT. KVRT is a free removal tool for ransomware viruses, adware, potentially unwanted software and toolbars.

Download Kaspersky virus removal tool (KVRT) on your MS Windows Desktop from the following link.

Kaspersky virus removal tool
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

When the download is done, double-click the Kaspersky virus removal tool icon. Once the initialization process is complete, you’ll see the Kaspersky virus removal tool screen as shown below.

KVRT main window

Click Change Parameters and check the boxes next to all your drives. Press OK to close the Parameters window. Next, press the Start scan button. Kaspersky virus removal tool will begin scanning the whole PC to find the .Healforyou ransomware and other trojans and harmful applications. A system scan can take anywhere from 5 to 30 minutes, depending on your machine. While the Kaspersky virus removal tool is scanning, you can see the number of objects it has identified as threats.

Kaspersky virus removal tool scanning

Once the scanning is finished, KVRT will show a list of found threats as displayed below.

Kaspersky virus removal tool scan report

Next, press Continue to start the cleaning procedure.

How to decrypt .healforyou files

The ransom note tells the victim to contact the .Healforyou ransomware’s creators via the healforyou@outlook.com or healforyou@cock.li email addresses in order to decrypt all photos, documents and music. These persons will demand a ransom (usually $300-1000 in Bitcoins).

There is absolutely no guarantee that, after you pay a ransom to the authors of the .Healforyou ransomware, they will provide the key needed to decrypt your files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create new ransomware.

We do not recommend paying a ransom, as there is no guarantee that you will be able to decrypt your personal files, especially since you have a chance to restore your documents, photos and music for free using free utilities like ShadowExplorer and PhotoRec.

How to restore .healforyou files

In some cases, you can recover files encrypted by the .Healforyou ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.




Recover .healforyou files with ShadowExplorer

An alternative is to recover .healforyou personal files from their Shadow Copies. The Shadow Volume Copies are copies of files and folders that Windows 10 (8, 7 and Vista) automatically saved as part of system protection. This feature is fantastic at rescuing photos, documents and music that were encrypted by .Healforyou ransomware virus. The guide below will give you all the details.

Installing the ShadowExplorer is simple. First you will need to download ShadowExplorer by clicking on the link below. Save it directly to your MS Windows Desktop.

ShadowExplorer
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

When the download is complete, extract the saved file to a directory on your computer. This will create the necessary files, as shown in the image below.

ShadowExplorer folder

Start the ShadowExplorerPortable application. Now choose the date (2) that you wish to restore from and the drive (1) you wish to recover files (folders) from as on the image below.

recover encrypted files with ShadowExplorer utility

In the right panel, navigate to the file (folder) you want to restore. Right-click the file or folder and click the Export button as displayed below.

ShadowExplorer restore .healforyou files

Finally, specify a folder (your Desktop) in which to save the shadow copy of the encrypted file and press the ‘OK’ button.

Recover .healforyou files with PhotoRec

Before a file is encrypted, the .Healforyou ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file recovery software like PhotoRec.

Download PhotoRec by clicking on the following link. Save it to your Desktop so that you can access the file easily.

PhotoRec
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

When the download is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed in the image below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for MS Windows. It will open a screen as displayed in the figure below.

PhotoRec for windows

Select a drive to recover as displayed in the following example.

photorec choose drive

You will see a list of available partitions. Select the partition that holds the encrypted documents, photos and music, as shown in the image below.

photorec select partition

Click the File Formats button and select the file types to recover. You can enable or disable the recovery of certain file types. When this is complete, click the OK button.

PhotoRec file formats

Next, click the Browse button to choose where restored files should be written, then click Search.

photorec

The count of recovered files is updated in real time. All recovered files are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.

When the recovery is finished, click the Quit button. Next, open the directory where the restored files are stored. You will see contents like those displayed in the image below.

PhotoRec - result of recovery

All recovered photos, documents and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, you can sort your restored files by extension and/or date/time.

How to protect your personal computer from .Healforyou ransomware

Most antivirus software already has built-in protection against ransomware. Therefore, if your computer does not have an antivirus program, make sure you install one. As extra protection, use CryptoPrevent.

Run CryptoPrevent to protect your personal computer from .Healforyou ransomware virus

Download CryptoPrevent from the link below.

www.foolishit.com/download/cryptoprevent/

Run it and follow the setup wizard. Once the installation is finished, you will see a window where you can choose a level of protection, like the one below.

CryptoPrevent

Now press the Apply button to activate the protection.

Final words

Now your PC should be clean of the .Healforyou ransomware. Remove KVRT and MalwareBytes AntiMalware. We suggest that you keep Zemana AntiMalware (ZAM) to periodically scan your computer for new malware. You are probably running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.

If you are still having problems while trying to remove .Healforyou ransomware from your PC system, then ask for help here.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
