Another Ransomware Recovery Mode

Wednesday, April 13, 2016 @ 08:04 AM gHale


There is now a way to recover files locked by the CryptoHost ransomware.

This ransomware does not encrypt files in place; instead it takes files of various types and moves them into a password-protected RAR archive.


More than 34 file extensions are targeted. Once the files are locked away in the “C:\Users\[username]\AppData\Roaming” folder, the ransomware displays up to three different messages on the desktop asking for 0.33 Bitcoin ($140) as ransom.

CryptoHost doesn’t use a C&C server; it only checks at various intervals whether you’ve paid the ransom.

Having worked out how the attack operates, a research team made up of MalwareForMe, MalwareHunterTeam, Michael Gillespie and Bleeping Computer can recover the RAR file’s password and get the files back.

According to their analysis, the ransomware combines the user’s processor ID number, motherboard serial number, and the C:\ volume serial number to generate a SHA1 hash.

This hash is the RAR file’s name, and it also forms part of the file’s password, together with the victim’s Windows username. So if the RAR file in the “C:\Users\[username]\AppData\Roaming” folder was named 1234567890ABCDEF and the Windows username was “Martin,” the RAR file’s password was 1234567890ABCDEFMartin.

But to recover files and unlock the archive, you need one extra step: stop the ransomware’s process. Open the Windows Task Manager, find the cryptohost.exe process, end it, and then extract the RAR file.
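The recovery procedure described above (find the hash-named archive, append the Windows username to its name to get the password, extract only after cryptohost.exe has been stopped) as a worked example. This is added example code, not the researchers’ tool or anything from the original article. Two things are assumptions made here, not facts from the article: that the three hardware identifiers are plainly concatenated in the stated order before hashing (the article only says they are combined), and that the archive name may or may not carry a file extension. The sample directory listing and hardware values are constructed; the `unrar` command line is only built, not executed.

```python
import hashlib
import re
from pathlib import Path

# Assumption for this example: the three hardware identifiers are simply
# concatenated in this order before hashing. The article only says the
# ransomware combines them; the real ordering/format is not stated.
def fingerprint_hash(cpu_id: str, board_serial: str, volume_serial: str) -> str:
    """Return the uppercase hex SHA1 of the combined machine identifiers."""
    material = (cpu_id + board_serial + volume_serial).encode("utf-8")
    return hashlib.sha1(material).hexdigest().upper()


def archive_password(archive_name: str, username: str) -> str:
    """Password = archive name (the SHA1 hash) followed by the Windows username."""
    return archive_name + username


# A SHA1 hex digest is exactly 40 hex characters. Whether the archive carries
# a file extension is not stated, so an optional one is tolerated (assumption).
SHA1_NAME = re.compile(r"^[0-9A-Fa-f]{40}(\.[A-Za-z0-9]+)?$")


def find_candidate_archives(names):
    """From a directory listing, keep only names that look like a SHA1 hash."""
    return [n for n in names if SHA1_NAME.match(n)]


def recovery_plan(names, username):
    """Pair each candidate archive with the password reconstructed for it."""
    plan = []
    for name in find_candidate_archives(names):
        hash_part = Path(name).stem  # drop any extension; the hash alone is the prefix
        plan.append((name, archive_password(hash_part, username)))
    return plan


def unrar_command(archive_path: str, password: str, dest_dir: str):
    """Build argv for the real 'unrar' tool (not executed here).

    Run it only after cryptohost.exe has been ended in Task Manager; the
    article's procedure stops the process before extracting the archive.
    """
    return ["unrar", "x", f"-p{password}", archive_path, dest_dir]


if __name__ == "__main__":
    # Constructed sample listing of %AppData%\Roaming; not real data.
    listing = ["Microsoft", "desktop.ini",
               "0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D"]
    for archive, pw in recovery_plan(listing, "Martin"):
        print(archive, "->", pw)
        print(" ".join(unrar_command(
            rf"C:\Users\Martin\AppData\Roaming\{archive}", pw, r"C:\Recovered")))
```

The password reconstruction needs nothing from the infected machine beyond the archive name and the username, which is why the researchers could offer it as a generic recovery method; `fingerprint_hash` is only there to show why the archive name differs per victim, and because the exact combining step is unknown it should not be relied on to recompute the name.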

Once you have recovered your files, you’ll need to remove the ransomware from your computer. Most antivirus products are aware of this threat and will be able to remove the ransomware’s files automatically once the data has been recovered.