Security researchers have recently found a way to recover files locked by the CryptoHost ransomware, also known as Manamecrypt.
This is a strain of ransomware that does not use encryption to block access to your files; instead it uses a never-seen-before trick: it takes files of different types and moves them into a password-protected RAR archive.
More than 34 file extensions in total are targeted so far. As soon as the files are locked in your “C:\Users\[username]\AppData\Roaming” folder, CryptoHost displays up to three different messages on your desktop asking for a ransom of 0.33 Bitcoins.
CryptoHost does not use a C&C server. The ransomware only checks at different intervals whether you have paid the ransom or not.
The good news here is that security experts have found a way to discover the CryptoHost RAR file password and successfully decrypt the victims’ files.
The researchers’ analysis shows that CryptoHost ransomware used a combination of the user’s processor ID number, motherboard serial number, and the C:\ volume serial number to generate a SHA1 hash.
Apart from serving as the RAR file’s name, the hash was also part of the file’s password, together with the victim’s Windows username. For instance, if the RAR file in the “C:\Users\[username]\AppData\Roaming” folder was named 1234567890ABCDEF and your Windows username was Susan, the RAR file’s password was 1234567890ABCDEFSusan.
However, in order to recover your files and unlock the archive, you need one extra step: stopping the ransomware’s process. To do this, open the Windows Task Manager, find the cryptohost.exe process, end it, and only then extract the RAR file. Once you have your files back, delete the ransomware.
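The recovery steps above as an added Python helper (this example is not from the article or the researchers): it scans the Roaming folder for files whose name is made up only of hex digits and that begin with the RAR signature bytes (both filters are assumptions of this example; the article only says the archive is named after the hash), derives the password as file name plus Windows username, and builds the matching unrar command line. It assumes the unrar command-line tool is installed and that cryptohost.exe has already been ended as described.

```python
import os
import re
from pathlib import Path
from typing import List, Tuple

# RAR archives start with "Rar!\x1a\x07" (RAR4 follows it with \x00, RAR5 with \x01\x00).
RAR_MAGIC = b"Rar!\x1a\x07"
# Assumption: the archive name is the hex SHA1 hash and nothing else.
HEX_NAME = re.compile(r"^[0-9A-Fa-f]+$")


def is_rar(path: Path) -> bool:
    """Return True if the file begins with the RAR signature bytes."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(RAR_MAGIC)) == RAR_MAGIC
    except OSError:
        return False


def derive_password(archive: Path, username: str) -> str:
    """CryptoHost password = archive name (hash, without any extension) + Windows username."""
    return archive.stem + username


def find_locked_archives(roaming_dir: Path, username: str) -> List[Tuple[Path, str]]:
    """Pair every candidate CryptoHost archive in the Roaming folder with its derived password."""
    found = []
    for entry in sorted(Path(roaming_dir).iterdir()):
        if entry.is_file() and HEX_NAME.match(entry.stem) and is_rar(entry):
            found.append((entry, derive_password(entry, username)))
    return found


def unrar_command(archive: Path, password: str, dest: Path) -> List[str]:
    """Build the unrar call: 'x' keeps paths, -p supplies the password, -o+ overwrites."""
    return ["unrar", "x", f"-p{password}", "-o+", str(archive), str(dest) + os.sep]


if __name__ == "__main__":
    # On the victim machine USERNAME and APPDATA point at the right user and Roaming folder.
    user = os.environ.get("USERNAME", "")
    roaming = Path(os.environ.get("APPDATA", "."))
    for archive, pw in find_locked_archives(roaming, user):
        print(archive, "->", " ".join(unrar_command(archive, pw, Path.home() / "recovered")))
```

The script only prints the extraction command so you can review the derived password before running it.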
Once you have recovered your files, you’ll need to remove the ransomware from your computer. Most antivirus products are aware of this threat by now and will be able to remove the ransomware’s files automatically once you’ve recovered your data.
Until recently this was not possible, because CryptoHost ransomware included features that automatically stopped antivirus software after it infected a computer. Now, however, the situation is completely different.