starbuck Posted April 10, 2016

Good news: There's a trick to unlock the RAR file

Thanks to the efforts of multiple security researchers, there's now a way to recover files locked by the CryptoHost ransomware, which is also detected by security products under the Manamecrypt name. This particular strain of ransomware does not use encryption to block you from accessing your files but uses a never-seen-before trick that takes various file types and moves them into a password-protected RAR archive.

Over 34 file extensions are targeted, and once the files are locked in your "C:\Users\[username]\AppData\Roaming" folder, the ransomware will display up to three different messages on your desktop asking for 0.33 Bitcoin (~$140) as ransom. CryptoHost doesn't use a C&C server; it only checks at various intervals whether you've paid the ransom.

There's a way to discover the CryptoHost RAR file password

Luckily for victims affected by this threat, the research team formed of MalwareForMe, MalwareHunterTeam, Michael Gillespie and Bleeping Computer has discovered a way to recover the RAR file's password and get your files back.

According to their analysis, the ransomware was using a combination of the user's processor ID number, motherboard serial number, and the C:\ volume serial number to generate a SHA1 hash. This hash was used as the RAR file's name, but was also part of the file's password, along with the victim's Windows username.

So if the RAR file in the "C:\Users\[username]\AppData\Roaming" folder was named 1234567890ABCDEF and your Windows username was "Martin," the RAR file's password was 1234567890ABCDEFMartin.

But to recover your files and unlock the archive, you need one extra step, and that's to stop the ransomware's process. For this you have to open the Windows Task Manager, find the cryptohost.exe process, stop it, and then unzip the RAR file.

You'll need to delete the ransomware after you get your files back

Once you have recovered your files, you'll need to remove the ransomware from your computer. Most antivirus products are aware of this threat by now and will be able to remove the ransomware's files automatically once you've recovered your data. Previously this was impossible because CryptoHost included features that automatically stopped antivirus software after it infected computers. If you don't have an antivirus, instructions on how to remove the ransomware manually are provided via the Bleeping Computer's blog.

Source: http://news.softpedia.com/news/cryptohost-ransomware-locks-your-data-in-a-password-protected-rar-file-502767.shtml
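The three recovery steps in the article above (stop cryptohost.exe, find the hex-named archive in %APPDATA%, extract it with archive name + Windows username as the password) can be scripted. The PowerShell below is an added example for this page; it is not the researchers' tool and not code from the Softpedia or Bleeping Computer write-ups. It assumes 7-Zip is installed at the default path (any RAR-capable extractor works), that the archive name is all hex digits with no extension as the article's example suggests, and that the username must match exactly in case ("Martin", not "martin"). It also checks the RAR magic bytes first so a random hex-named file in the profile is not mistaken for the archive.

```powershell
# Added example: automates the CryptoHost recovery steps described in the post.
# Not the researchers' tool. Paths and the file-name pattern below are assumptions.
param(
    # Assumption: 7-Zip at its default install location. Adjust if needed.
    [string]$SevenZip = 'C:\Program Files\7-Zip\7z.exe',
    [string]$OutDir   = (Join-Path $env:USERPROFILE 'CryptoHost-Recovered')
)

# Step 1: stop the ransomware so it cannot interfere with extraction.
# The post names the process cryptohost.exe; Stop-Process takes the name without ".exe".
Get-Process -Name 'cryptohost' -ErrorAction SilentlyContinue | Stop-Process -Force

function Test-RarSignature {
    # Returns $true if the file starts with the RAR magic "Rar!\x1A\x07"
    # (shared by RAR4 and RAR5), so we only try the password on a real archive.
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 6
        $n = $fs.Read($buf, 0, 6)
    } finally {
        $fs.Dispose()
    }
    if ($n -lt 6) { return $false }
    return ($buf[0] -eq 0x52 -and $buf[1] -eq 0x61 -and $buf[2] -eq 0x72 -and
            $buf[3] -eq 0x21 -and $buf[4] -eq 0x1A -and $buf[5] -eq 0x07)
}

# Step 2: locate the archive. The post puts it in %APPDATA% (C:\Users\<user>\AppData\Roaming)
# and says it is named after a SHA1 hash. Assumption: all-hex name, no extension.
$archives = Get-ChildItem -Path $env:APPDATA -File |
    Where-Object { $_.Name -match '^[0-9A-Fa-f]{16,40}$' } |
    Where-Object { Test-RarSignature $_.FullName }

if (-not $archives) {
    Write-Error "No RAR archive with a hex-only name found in $env:APPDATA"
    exit 1
}
if (-not (Test-Path $SevenZip)) {
    Write-Error "7z.exe not found at $SevenZip"
    exit 1
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($rar in $archives) {
    # Step 3: password = archive name + Windows username, per the researchers' analysis.
    $password = $rar.BaseName + $env:USERNAME
    Write-Host "Extracting $($rar.Name) using password '$password'"
    # 7-Zip: x = extract with paths, -p<pass> and -o<dir> take no space, -y = answer yes.
    & $SevenZip x "-p$password" "-o$OutDir" -y $rar.FullName
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "7-Zip exited with code $LASTEXITCODE for $($rar.Name); the archive may not follow the described naming/password scheme"
    }
}
```

Run it from the affected user's account so `$env:USERNAME` and `$env:APPDATA` resolve to the victim's values, and keep the original archive until you have verified the extracted files open correctly.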
FPCH Admin allheart55 Cindy E Posted April 10, 2016

Very interesting article, Pete. Thanks!

~I know that you believe you understand what you think I said, but I'm not sure you realize that what you heard is not what I meant.~ ~~Robert McCloskey~~
starbuck (Author) Posted April 10, 2016

I'm sure the bad guys will find another way around protecting the password at a future date though.
FPCH Staff Tony D Posted April 10, 2016

Yeah, thanks for that. I'll file it.