There is a ransomware named CryptoHost. The ransomware collects files with different extensions and locks them in an archive with a password. To see the solution of how to restore your files and remove the ransomware, you should read the article to the end.
| Name | CryptoHost Ransomware |
| Type | Ransomware |
| Short Description | The ransomware locks files in an archive and asks a ransom for decryption. |
| Symptoms | Files with different extension get locked in an archive file. A message with instructions for paying the ransom is displayed. |
| Distribution Method | Spam Emails, Email Attachments, File Sharing Networks |
| Detection tool | Download Malware Removal Tool, to See If Your System Has Been Affected by CryptoHost Ransomware |
| User Experience | Join our forum to discuss CryptoHost Ransomware. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
CryptoHost Ransomware – Delivery
CryptoHost ransomware can be delivered in a variety of ways. One is through spam emails containing an attachment with a malicious file. Opening the attachment and loading the executable can inject the malware inside your PC. The file can have the name uTorrent.exe pretending to be a torrent client program.
The ransomware might also be spread around social networks and file sharing services. Messages or posts may have files with malicious code attached, just as the one mentioned above. You might get the CryptoHost ransomware from visiting suspicious sites and from clicking various links.
CryptoHost Ransomware – Technical Information
The CryptoHost malware is classified as a ransomware. It locks your files, so you don’t have access to them and asks for paying a ransom.
Update! Various anti-malware programs have different names for this ransomware – Ransom_CRYPTOHOST.A or more commonly MSIL/Manamecrypt.A.
It might make modifications in the Windows Registry. The following registry entries have been found by researchers:
HKCU\Software\Classes\FalconBetaAccount
and
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\software
The second string modification made in the registry can make the ransomware load automatically with every boot of the Windows operating system.
Next, the ransomware loads a screen notifying you that your files are locked. The instructions in it never change, but as time passes the sum you have to pay as ransom may begin to increase:
You are asked to pay ~0.35 Bitcoins within ten days. At this moment, that amounts to about 150 US dollars.
If you click on How It Works or Check Payment buttons, these screen windows will show, consecutively as in the picture:
Reaching out to ransomware makers with the intention of giving them the ransom money is strongly NOT advised. No guarantee exists that your files will be unlocked. Paying the ransom will not only give its creators stimuli to make the ransomware more durable but it is considered like supporting them.
The CryptoHost ransomware searches your computer’s disk drives for files to encrypt. The files which it searches for, have these extensions:
→ .doc, .docx, .pdf, .txt, .ppt, .pps, .pptx, .wpd, .wps, .xlr, .xls, .xlsl, .jpg, .jpeg, .gif, .png, .psd, .ppd, .tiff, .3gp, .3g2, .7z, .zip, .flv, .avi, .mov, .qt, .wmv, .rm, .asf, .mp4, .mpg, .mpeg, .m4v
After finding such files, it puts all of them in an archive file and locks them with a password. There is no actual encryption involved, and all you have to do is to unlock that file.
You needn’t worry because there is already a solution to unlocking your files successfully. You can read the instructions on how to do that down below.
Remove CryptoHost Ransomware and Restore Locked Files
If CryptoHost ransomware infected your computer, there is a solution to unlock your files without paying anything. First, you should stop the ransomware and remove it. You can remove it manually, by deleting the executable file of the ransomware called cryptohost.exe found here:
%AppData%\cryptohost.exe
After that you have to remove the following registry entry from preventing it from auto-starting:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\software
In case the manual removal doesn’t work, an anti-malware tool can do it for you.
After successful removal of the threat you can restore your files from the locked archive file. To do it, you need to go to the file and enter the password. The password is combination of your Windows User name and the name of the archive found in the folder:
C:\Users\(user name)\AppData\Roaming
If the file name of the archive, found in the above folder directory was “Test7345” and your Windows User name was “Admin1”, the password would be “Test7345 Admin1”. Best of luck!
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
