
CryptoHost Ransomware

By GoldSparrow in Ransomware

The CryptoHost Ransomware is a ransomware Trojan that locks the victim's files inside a password-protected RAR archive. It was recently discovered by PC security researchers and demands a ransom of .33 BitCoin (about $140 USD at the current exchange rate) to return the victim's files. However, unlike other ransomware Trojans, the CryptoHost Ransomware does not encrypt the victim's files. Rather, it copies the files into a RAR archive and then protects that archive with a password. This is good news for victims, because the password for the RAR archive is easy to recover and the files can be returned easily. It makes the CryptoHost Ransomware significantly less threatening than the more common ransomware Trojans that encrypt the victim's files with AES, which makes it nearly impossible to recover the files without paying the ransom.

Recovering the Data that was Taken Hostage Using the CryptoHost Ransomware

PC security researchers usually do not make public how they managed to defeat a particular threat, since doing so would allow the threat's creators to fix the weakness in future versions. However, the information related to the CryptoHost Ransomware has already been made public. Apparently, the CryptoHost Ransomware moves certain data files into a password-protected RAR file in the AppData\Roaming directory. This file has a name of 41 characters. Apparently, the password for the archive is the RAR file's name followed by the name of the logged-in user. There is a publicly available password generator for victims of the CryptoHost Ransomware.

Dealing with a CryptoHost Ransomware Infection

There are several stages in dealing with a CryptoHost Ransomware infection, which may include the following:

  1. First, terminate the CryptoHost Ransomware process. To do this, malware analysts recommend using the Task Manager to find and terminate the CryptoHost.exe process.
  2. After terminating the process, it will be necessary to extract the RAR archive that contains the files that were taken hostage. To do this, computer users will need an application capable of reading RAR archives (7-Zip is a free and safe alternative that is very popular).
  3. After locating the archive file in the AppData\Roaming folder on the C: drive, computer users can extract it with 7-Zip. When the program asks for a password, enter the file name with the logged-in user name added at the end. Once the password has been entered, the files will be extracted to a folder with the same name as the RAR file. The computer user then needs to copy these files back to their original locations.
  4. To prevent your files from being taken hostage again, the next step is to remove the CryptoHost Ransomware itself. To do this, it is necessary to find the CryptoHost Ransomware's executable file, which is stored in the same directory as the RAR. It is also necessary to remove the executable file (CryptoHost.exe) and delete its Autorun Registry key, which may take the following form:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\%AppData%\the CryptoHost.exe
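The recovery steps above can be scripted so that the password is never mistyped. The following Python helper is an added example written for this article, not a tool published by the researchers or by the page's author. It assumes that the 41-character name is the archive's full file name, that the archive sits directly in %APPDATA% (AppData\Roaming), that the password is the file name immediately followed by the logged-in user name with no separator (as step 3 describes), and that the 7-Zip command-line program is available as `7z`; the `_extracted` output folder name is this example's own choice.

```python
"""Locate the CryptoHost hostage archive, derive its password and extract it.

Added example for the recovery procedure described above. Assumptions that the
page does not spell out: the archive's whole file name is 41 characters long,
it lives directly in %APPDATA%, the password is <file name><user name> with no
separator, and 7-Zip's CLI is on PATH as "7z".
"""
import getpass
import os
import shutil
import subprocess
from pathlib import Path

# Length of the RAR's file name, as described on the page.
ARCHIVE_NAME_LENGTH = 41


def build_password(archive_name: str, user_name: str) -> str:
    """Password = RAR file name followed by the logged-in user name (no separator assumed)."""
    return f"{archive_name}{user_name}"


def is_candidate_archive(name: str) -> bool:
    """True if a directory entry's name has the 41-character length the page describes."""
    return len(name) == ARCHIVE_NAME_LENGTH


def find_candidate_archives(appdata_dir: Path) -> list:
    """Return regular files in the Roaming folder whose file name is 41 characters long."""
    return sorted(p for p in appdata_dir.iterdir()
                  if p.is_file() and is_candidate_archive(p.name))


def extract_archive(archive: Path, password: str, seven_zip: str = "7z") -> Path:
    """Extract the RAR with 7-Zip into a sibling folder (hypothetical '_extracted' suffix).

    7-Zip CLI switches: x = extract with full paths, -p<pwd> = password,
    -o<dir> = output directory, -y = answer yes to prompts.
    """
    out_dir = archive.with_name(archive.name + "_extracted")
    subprocess.run(
        [seven_zip, "x", f"-p{password}", f"-o{out_dir}", "-y", str(archive)],
        check=True,
    )
    return out_dir


def main() -> None:
    appdata = Path(os.environ.get("APPDATA", Path.home() / "AppData" / "Roaming"))
    user = getpass.getuser()
    candidates = find_candidate_archives(appdata)
    if not candidates:
        print(f"No 41-character file found in {appdata}")
        return
    for archive in candidates:
        password = build_password(archive.name, user)
        print(f"Candidate archive: {archive}\n  derived password: {password}")
        if shutil.which("7z") is None:
            print("  7z not found on PATH; extract manually in 7-Zip with the password above")
            continue
        out = extract_archive(archive, password)
        print(f"  extracted to {out}; copy the files back to their original locations")


if __name__ == "__main__":
    main()
```

Run it as the same user that was logged in when the infection happened, since the user name is part of the password; terminate CryptoHost.exe first (step 1) so the archive is not modified while it is being extracted, and only delete the executable and the Run key once the extracted files have been checked.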

The types of files that may be 'encrypted' by the CryptoHost Ransomware:

jpg, jpeg, png, gif, psd, ppd, tiff, flv, avi, mov, qt, wmv, rm, asf, mp4, mpg, mpeg, m4v, 3gp, 3g2, pdf, docx, pptx, doc, 7z, zip, txt, ppt, pps, wpd, wps, xlr, xls, xlsl

The CryptoHost Ransomware will display a ransom note with instructions for the payment. As an additional threat, the CryptoHost Ransomware also looks for the following strings in running processes and terminates them when detected, to further aggravate the victim:

Anti virus, anti-virus, antivirus, avg, bitdefender, eset, mcafee, dr.Web, f-secure, internet security, obfuscator, debugger, monitor, registry, system restore, kaspersky, norton, ad-aware, sophos, comodo, avira, bullguard, trend micro, eset, vipre, task manager, system configuration, registry editor, game, steam, lol, rune, facebook, instagram, youtube, vimeo, twitter, pinterest, tumblr, meetme, netflix, amazon, ebay, shop, origin.
