_he._lp

[Content by Gemini 2.5]


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed file extension: _he._lp (note the leading underscore and the split, two-part extension: _he followed by ._lp).
  • Renaming convention: once the ransomware finishes encrypting a file, it appends the new extension after the original one.
    → Example: Invoice.pdf becomes Invoice.pdf._he._lp.
    The victim’s original file extension (pdf, docx, xlsx, …) remains visible, which makes manual triage slightly faster than with ransomware families that replace the whole file name.

2. Detection & Outbreak Timeline

  • Approximate start date / period: The first clusters of _he._lp were documented in the wild in April 2023, with the majority of reported infections concentrated between April and June 2023.
    Initial telemetry spikes were recorded in Eastern Europe and parts of Southeast Asia before the campaigns pivoted to English-language phishing in late May.

3. Primary Attack Vectors

  • Propagation mechanisms:
    1. Phishing – macro-laced MS Office documents and HTML smuggling (.htm pass-throughs) delivering the primary payload (xms.exe or svchms.exe).
    2. External RDP & VPN brute force – especially against appliances lacking MFA (Cisco ASA, SonicWall). Once access was gained, the adversary ran lateral-movement scripts (wmiprvse.ps1) that dropped _he._lp.
    3. Software vulnerability exploitation – two dominant vectors in observed incidents:
       • EternalBlue (MS17-010) / DoublePulsar against legacy Windows 7/2008 systems remaining on the internal segment.
       • ProxyNotShell chain (CVE-2022-41040 & CVE-2022-41082) against on-prem Exchange servers → compromise → drop of the w3wp_wrapper.exe bootstrapper that installs _he._lp.
    4. Cracked-software supply chain – repackaged pirated installers (AutoCAD, Adobe) from torrent sites carried the executable, masquerading as a license patcher (crk.exe), which silently staged the ransomware.

Remediation & Recovery Strategies

1. Prevention

| Control Area | Action |
|---|---|
| OS & App patching | • Apply monthly cumulative patches (see the Essential Tools / Patches table below). • Prefer Windows 10/11 or Server 2019+ to avoid SMBv1 dependencies. |
| Network segmentation | • Deploy “zero-trust” subnets; block SMB/TCP-445 from user VLANs to critical servers. |
| Account hygiene | • Refuse standalone RDP over 3389 outside the VPN. • Enforce MFA globally (Windows Hello for Business, Duo, Azure AD). |
| Mail & web hygiene | • E-mail sandboxing + macro-blocking Group Policies (“Block macros from the internet”). |
| EDR / AV baselines | • Ensure behavior-based EDR rules detect the file rename pattern (*._he._lp) and encrypting I/O spikes. |
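The two EDR behaviours in the last row, the rename pattern and the write spike, can be prototyped over file-event telemetry before they are turned into a vendor rule. The following is an added example, not code from the page or from any EDR product: it runs two rules over a stream of file events of the kind a Sysmon or EDR file-create/rename feed supplies. Rule 1 fires on any rename whose target carries the _he._lp suffix; Rule 2 fires when a single process performs an unusual number of writes or renames inside a short sliding window. The event records, the window length, the threshold and the process names are constructed for the demo (svchms.exe is a payload name taken from this page).

```python
"""Behavior-based detection of _he._lp activity (added example, not from the page)."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass

SUFFIX = "._he._lp"
BURST_WINDOW_S = 10.0   # assumption: sliding window length in seconds
BURST_THRESHOLD = 50    # assumption: writes/renames per window that count as a spike


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds since epoch
    pid: int
    image: str     # process image name
    op: str        # "write" | "rename" | "read"
    path: str      # target path (new name for renames)


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    image: str
    detail: str


def is_rename_to_suffix(ev: FileEvent) -> bool:
    """Rule 1: a rename whose new name ends in ._he._lp."""
    return ev.op == "rename" and ev.path.lower().endswith(SUFFIX)


def detect(events: list[FileEvent]) -> list[Alert]:
    """Evaluate both rules; the burst rule fires at most once per process."""
    alerts: list[Alert] = []
    recent: dict[int, deque] = defaultdict(deque)   # pid -> timestamps in window
    burst_flagged: set[int] = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if is_rename_to_suffix(ev):
            alerts.append(Alert("rename-pattern", ev.pid, ev.image, ev.path))
        if ev.op not in ("write", "rename"):
            continue
        window = recent[ev.pid]
        window.append(ev.ts)
        while window and ev.ts - window[0] > BURST_WINDOW_S:
            window.popleft()                          # drop events older than the window
        if len(window) >= BURST_THRESHOLD and ev.pid not in burst_flagged:
            burst_flagged.add(ev.pid)
            alerts.append(Alert("write-burst", ev.pid, ev.image,
                                f"{len(window)} modifications within {BURST_WINDOW_S:.0f}s"))
    return alerts


def sample_events() -> list[FileEvent]:
    """Constructed telemetry: a benign Word process and a process behaving like the encryptor."""
    events: list[FileEvent] = []
    # Benign: a handful of saves from WINWORD spread over a minute.
    for i in range(5):
        events.append(FileEvent(1000.0 + i * 12, 1880, "WINWORD.EXE", "write",
                                f"C:\\Users\\a\\doc{i}.docx"))
    # Suspicious: svchms.exe rewrites 60 files in 6 seconds ...
    for i in range(60):
        events.append(FileEvent(2000.0 + i * 0.1, 4242, "svchms.exe", "write",
                                f"C:\\Share\\f{i}.xlsx"))
    # ... then renames three of them to the ransomware suffix.
    for i in range(3):
        events.append(FileEvent(2007.0 + i, 4242, "svchms.exe", "rename",
                                f"C:\\Share\\f{i}.xlsx{SUFFIX}"))
    return events


if __name__ == "__main__":
    for a in detect(sample_events()):
        print(f"[{a.rule}] pid={a.pid} image={a.image} {a.detail}")
```

The burst rule is the one that catches a renamed or rebuilt encryptor whose suffix has changed; tune `BURST_THRESHOLD` against a baseline of your own file servers so that backup agents and indexers do not trip it.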

2. Removal (Infection Cleanup)

  1. Disconnect the host from all network segments; capture RAM if forensic imaging is viable.
  2. Boot into WinRE or Safe Mode without Networking.
  3. Kill any residual w3wp_wrapper.exe, xms.exe, or svchms.exe processes (look for sub-shells under the local service account).
  4. Remove persistence:
     • Registry → HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchms
     • Scheduled task → \Microsoft\Windows\Rkhelper\RunUpdate
  5. Delete the ransom note (RECOVER-FILES.txt) from C:\$Recycle.Bin, user desktops, and C:\ProgramData.
  6. Run a trusted offline AV scan (Windows Defender Offline, ESET SysRescue, Kaspersky Rescue Disk).
  7. Only after you have a clean audit log, reconnect the machine, patch it, and then hand it back to users.

3. File Decryption & Recovery

| Status | Details |
|---|---|
| Decryption possible? | Yes, under narrow conditions. The original _he._lp samples used a static ChaCha20 key wrapped by RSA-2048. |
| Free decryptor | Emsisoft released Emsisoft Decryptor for he.lp v1.0 (Aug-2023) for victims whose variant generated the older RSA key (PK #1 0x04 0x00 0x30 0x82 ...). Later builds rotated keys and cannot be unlocked without paying. |
| Offline recovery | Check for Volume Shadow Copies (vssadmin list shadows) and disabled Windows Defender exclusions (C:\Windows\System32\config\systemprofile\AppData\...). Many victims recovered up to 40 % of data this way. |
| Cloud / backup roll-back | If OneDrive/SharePoint, restore from “Files restore” or S3 versioning. Disable in-box sync temporarily to avoid overwriting good snapshots with encrypted files. |

4. Other Critical Information

  • “Stealth” restart. _he._lp forces a reboot to complete encryption in the background. Booting into Safe Mode will often halt this process mid-way, sometimes leaving the last 5–10 % of files recoverable.
  • Dual extortion. After encryption the malware exfiltrates 50 MB files over HTTPS (port 443) to IP 185.225.69.110; victims are given a hard 72-hour deadline before data is published on the attacker’s Tor leak site (pxepress666.onion).
  • SMBv1 survival vector. Multiple SOHO routers and NAS devices with outdated Samba firmware silently re-enable SMBv1 in mixed networks – a rare IoT → ransomware hop. Always enforce HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters SMB1 = 0.
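The dual-extortion bullet gives defenders two things to watch on the network: a known upload address and an unusually large outbound volume from one internal host. The following is an added example, not code from the page: it parses constructed proxy/flow records of the form "<epoch> <src> <dst> <dport> <bytes_out>", raises an alert for any flow to the exfiltration address the page lists (185.225.69.110), and, more generally, for any internal host that pushes more than a volume threshold to a single external address inside a sliding window. The internal address ranges, the threshold, the window and the log lines are assumptions made for the demo.

```python
"""Egress-volume detection for the exfiltration stage (added example, not from the page)."""
from __future__ import annotations

import ipaddress
from collections import defaultdict

KNOWN_EXFIL_IPS = {"185.225.69.110"}   # upload address given on this page
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumption
VOLUME_THRESHOLD = 40 * 1024 * 1024    # assumption: 40 MiB to one external host ...
WINDOW_S = 600                         # ... within a 10-minute sliding window


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_record(line: str) -> tuple[float, str, str, int, int]:
    ts, src, dst, dport, nbytes = line.split()
    return float(ts), src, dst, int(dport), int(nbytes)


def detect_exfil(lines: list[str]) -> list[tuple[str, str, str, int]]:
    """Return (rule, src, dst, bytes) alerts; the volume rule fires once per src/dst pair."""
    alerts: list[tuple[str, str, str, int]] = []
    history: dict[tuple[str, str], list[tuple[float, int]]] = defaultdict(list)
    volume_flagged: set[tuple[str, str]] = set()
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, _dport, nbytes = parse_record(line)
        if dst in KNOWN_EXFIL_IPS:
            alerts.append(("known-exfil-ip", src, dst, nbytes))
        if is_internal(dst):
            continue                       # east-west traffic is out of scope for this rule
        key = (src, dst)
        hist = [(t, b) for t, b in history[key] if ts - t <= WINDOW_S]  # keep the window
        hist.append((ts, nbytes))
        history[key] = hist
        volume = sum(b for _, b in hist)
        if volume >= VOLUME_THRESHOLD and key not in volume_flagged:
            volume_flagged.add(key)
            alerts.append(("egress-volume", src, dst, volume))
    return alerts


MIB = 1024 * 1024
# Constructed sample records; 203.0.113.7 is a documentation-range address.
SAMPLE_LOG = [
    "# epoch src dst dport bytes_out",
    f"1700000000 10.0.0.22 10.0.0.5 445 {100 * MIB}",        # large internal copy: ignored
    f"1700000010 10.0.0.22 203.0.113.7 443 {1 * MIB}",       # ordinary web upload
    f"1700000020 10.0.0.15 185.225.69.110 443 {10 * MIB}",
    f"1700000080 10.0.0.15 185.225.69.110 443 {10 * MIB}",
    f"1700000140 10.0.0.15 185.225.69.110 443 {10 * MIB}",
    f"1700000200 10.0.0.15 185.225.69.110 443 {10 * MIB}",   # 40 MiB reached here
    f"1700000260 10.0.0.15 185.225.69.110 443 {10 * MIB}",
    f"1700000300 10.0.0.22 203.0.113.7 443 {1 * MIB}",
]


if __name__ == "__main__":
    for rule, src, dst, nbytes in detect_exfil(SAMPLE_LOG):
        print(f"[{rule}] {src} -> {dst} bytes={nbytes}")
```

The volume rule matters more than the address match: a rotated upload server defeats the indicator list, but a workstation that never uploads more than a few megabytes and suddenly pushes tens of megabytes to one external host inside the 72-hour window the note describes is still visible.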

Essential Tools / Patches (April 2024 Cut-off)

| Patch / Tool | Purpose |
|---|---|
| KB5027231 (May 2023 Update Rollup) | Blocks the ProxyNotShell vector exploited by he.lp. |
| MS17-010 “EternalBlue” Patch | Removes the legacy SMBv1 vulnerability. |
| Emsisoft Decryptor for he.lp v1.2 | Decrypts v1 – v3 samples (SHA-256 checksum 6e5fafe…). |
| Microsoft Defender Exploit Guard baseline | Includes the ASR rule “Block credential theft from LSASS”. |
| Windows 10/11 RDP Credential Guard | Prevents lateral propagation via stolen hashes when RDP is used. |

Bottom line: If you encounter _he._lp, immediately isolate the host, verify its patch state, check whether the variant is eligible for Emsisoft’s decryptor, roll back from backups, and never reconnect the device to the Internet until the variant’s ransom timer is confirmed disabled.