Remove Text ransomware

Text ransomware is a dangerous malware infection from the Dharma malware family that encrypts files. If your computer is infected, your files will have .[helpdecrypt@msgsafe.io].text added to them. It drops a FILES ENCRYPTED.txt ransom note as well as shows a pop-up one that demands users pay a ransom to get the decryptor.

 

Text ransomware is file-encrypting malware, and it comes from the notorious Dharma malware family. The group has released a lot of ransomware in the last couple of years, and while they are more or less identical, they’re all equally dangerous. You can differentiate which ransomware you’re dealing with by the extension added to encrypted files. This newest version of Dharma malware adds .[helpdecrypt@msgsafe.io].text, hence why it’s known as Text ransomware.

As you likely already noticed, you will not be able to open the encrypted files, unless you use a decryptor on them first. But the issue with that is that the decryptor is in the hands of cyber criminals who are not nice enough to just give it to you. They will try to sell it to you, which is somewhat explained in the ransom note that pops up once files are done being encrypted. The note says that to get the decryptor, you would need to first make contact with the ones operating this malware. helpdecrypt@msgsafe.io is given as the contact email address. If you choose to contact them, you would need to include the ID you’ve been assigned to. However, before you even consider paying the ransom, there’s a few things you should know.

Paying the ransom is never recommended, primarily because it does not guarantee that you will get a decryptor. Remember that you are dealing with cyber criminals, and they will definitely not feel obligated to help you out of the kindness of their hearts. Countless users have paid but received nothing in return. Whether you pay or not is your decision, but you should consider all the risks before making a decision.

If you don’t have backup, your only option may be to wait for a free decryptor to be released by malware researchers. One is not currently available, but back up encrypted files and occasionally check NoMoreRansom for a free decryption tool.

If you do have backup, make sure you remove Text ransomware first. Otherwise, your backed up files would become encrypted as well.

Ransomware distribution methods

Ransomware can infect a computer in a variety of ways, including malspam attachments, fake updates, torrents, ads, etc. You’re much more likely to pick up a malware infection if you have bad browsing habits.

Malspam attachments are one of the main ways users pick up various malware infections. Malicious actors purchase leaked email addresses from various hacker forums and use them to launch malspam campaigns that contain malicious email attachments. As long as you don’t open the attachments, the emails are harmless enough. However, the moment you open the attachment and enable macros, the ransomware will be initiated and start encrypting your files. Fortunately, you can usually recognize malspam emails from the abundance of grammar/spelling mistakes and the random senders’ email addresses. If you know what to look for, malspam is usually very obvious. But just to be sure, it’s a good idea to scan all unsolicited email attachments with anti-virus software or VirusTotal.

Using torrents is also very risky because of malware. Sites offering torrents are often very poorly regulated, which allows malicious actors to easily upload torrents with malware in them. It’s especially common for torrents for popular entertainment content to have malware in them. If the fact that pirating is essentially stealing content does not discourage you from doing it, then perhaps the risk of ransomware will.

It should also be mentioned how important it is to install updates. System and software vulnerabilities can be used by malware to get in, and all known ones are patched with updates. If possible, enable automatic updates so that you don’t have install anything manually.

Ransomware demands money in exchange for a decryptor

As soon as the ransomware is initiated, it will immediately start encrypting files. It targets photos, videos, documents, etc., and essentially takes them for hostage. All encrypted files will have an extension added to them. While the Dharma ransomware versions are more or less the same, extensions they add are different. Text ransomware adds [helpdecrypt@msgsafe.io].text to encrypted files, which is how you can recognize which files have been affected. The extension also contains your assigned ID, which is unique to each victim. For example, a text.txt file would become text.txt.unique ID.[helpdecrypt@msgsafe.io].text. As you probably noticed, files with that extension will be unopenable.

Once file encryption is complete, you will see a pop-up ransom note. A FILES ENCRYPTED.txt text one will also be dropped. The pop-up ransom note explains that you can start the file decryption process by sending an email to helpdecrypt@msgsafe.io with your assigned ID. The price for the decryptor is not mentioned in the ransom note but it will likely be somewhere between a couple of hundred to a couple of thousand dollars. As we said above, it’s not recommended to pay the ransom because you are not guaranteed a decryptor. The cyber crooks operating this ransomware could just take your money and not send anything in return, as there is nothing stopping them from doing so.

Text ransomware removal

Because ransomware is a very complex malware infection, it’s highly recommended to use anti-virus to delete Text ransomware. If you try to remove Text ransomware manually, you may end up causing even more damage. And do not access backup unless you first get rid of the ransomware because the files would become encrypted otherwise.