Remove UpdateHost Virus and Restore .locked Files

Remove UpdateHost Virus and Restore .locked Files

The article will help you remove UpdateHost ransomware completely. Follow the ransomware removal instructions at the end of this article.

UpdateHost is a ransomware cryptovirus. This virus will encrypt your files while appending the extension .locked to each of them. The encryption algorithm is very probably to be AES as this piece of malware is believed to be a variant of the HiddenTear project. UpdateHost cryptovirus will create a ransom note in a text file called READ_It.txt. Keep reading and see how you could try to potentially restore some of your files.

Threat Summary

Short DescriptionThe ransomware encrypts files on your computer and drops a ransom message afterward.
SymptomsThe ransomware will encrypt your files and put the extension .locked on your files after it completes its encryption process.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by UpdateHost


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss UpdateHost.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

UpdateHost Virus – Infection Spread

UpdateHost ransomware could spread its infection with various methods. The payload file that initiates the malicious script for the ransomware in question is seen in the Wild. Your computer system will become infected if that payload is executed. One such payload dropper has been reported on the VirusTotal service by malware researchers and can be seen right down here:

UpdateHost ransomware might also distribute its payload file on social media and file-sharing networks. Freeware distributed on the Internet can be presented as helpful but could also hide the malicious script for this cryptovirus. Refrain from opening files right after you have downloaded them, especially if they come from dubious sources like links and emails. Instead, you should scan them with a security tool, beforehand. Also you should do a check on the size and signatures of these files, for anything unusual. Read the tips for ransomware prevention from the forum to know more ways to avoid infection.

UpdateHost Virus – Technical Analysis

UpdateHost ransomware is also a cryptovirus. The extension .locked is to be appended to all files that become locked after the encryption process is finished.

UpdateHost ransomware could make entries in the Windows Registry to remain persistent, and even launch and repress processes in Windows. Some of these entries are designed in a way that will start the virus automatically with every boot of the Windows Operating System.

The ransom note will be placed inside a file after the encryption process is done. The file with the ransom note is labeled READ_IT.txt and contains instructions for decrypting your files along with the demands for payment by the cybercriminals that distribute the malware.

The ransomware is reported to be a HiddenTear variant by the malware researcher Karsten Hahn. You can read more about the HiddenTear open-source project from our blog.

Inside the note of the UpdateHost ransomware the e-mail [email protected] is provided. However, you should NOT under any circumstance pay the cybercriminals, nor contact them. Your files may not get restored, and nobody could give you a guarantee for that. Moreover, giving money to these criminals will likely motivate them to create more ransomware or do other criminal acts.

The following list with file extensions that the UpdateHost ransomware seeks to encrypt can be seen right here:

→.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .psd, .zip, .rar, .7z

All files that get encrypted will receive the same extension appended to the end of their names, and that is the .locked extension. The encryption algorithm which is utilized by the ransomware is believed to be AES as that is the encryption used by HiddenTear variants.

The UpdateHost cryptovirus is quite likely to delete the Shadow Copies from the Windows operating system by using the following command:

→vssadmin.exe delete shadows /all /Quiet

Continue to read and check out what type of ways you can try to potentially restore some of your files.

Remove UpdateHost Virus and Restore .locked Files

If your computer got infected with the UpdateHost ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share