Yet another breed of ransomware has been discovered. It claims to encrypt your data and then demands a ransom of 0.33 bitcoins, approximately 140 USD, to get your files back. In reality, though, your data is not encrypted but copied into a password-protected RAR archive. Thankfully, the password created by this infection is easily discovered, so infected users can get their files back.
When CryptoHost infects your computer it moves files with the following extensions into a password-protected archive located in the C:\Users\[username]\AppData\Roaming folder:
jpg, jpeg, png, gif, psd, ppd, tiff, flv, avi, mov, qt, wmv, rm, asf, mp4, mpg, mpeg, m4v, 3gp, 3g2, pdf, docx, pptx, doc, 7z, zip, txt, ppt, pps, wpd, wps, xlr, xls, xlsl
This file has a 41 character name and no extension. An example file is 3854DE6500C05ADAA539579617EA3725BAAE2C57. The password for this archive is the name of the archive followed by the logged-in user name. So, for example, if the user name is Test and the RAR archive is located at C:\Users\Test\AppData\Roaming\3854DE6500C05ADAA539579617EA3725BAAE2C57, the password is 3854DE6500C05ADAA539579617EA3725BAAE2C57Test.
The first thing you want to do is terminate the cryptohost.exe process from the Task Manager.
To get your archived data back, you need to extract the password-protected RAR archive that holds your files. Install 7-Zip, WinRAR or the free WinZip application. Once it is installed, open the C:\Users\[username]\AppData\Roaming folder and locate the archive file using the information above. Right-click on it, select the Extract to "foldername" option, enter the password described above and press Enter. Your data will be extracted into a folder with the same name as the RAR archive. When done, open that folder and copy all of the folders in it to the root of your C: drive. Your data files should now be restored.
Now it is time to manually remove CryptoHost:
When CryptoHost is installed it creates a file called cryptohost.exe and stores it in the C:\Users\[username]\AppData\Roaming folder. It also creates an autorun entry called "software" that executes the ransomware on login. To remove this infection, simply end the cryptohost.exe process using Task Manager and then delete the cryptohost.exe file. To remove the autorun you can delete this registry value:
CryptoHost is currently being bundled with a uTorrent installer that when installed extracts the cryptohost.exe to the %AppData% folder and executes it. Once executed, CryptoHost will move all files that match certain extensions into a password protected RAR archive located in the %AppData% folder. The name of the archive will be a SHA1 hash of the following information with any dashes removed.
When the archive has been created, the ransomware performs a listing of the files in the archive, saves that list to the %AppData%\Files file and displays the ransom message shown above.
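The recovery and clean-up steps above are easy to get wrong by hand (picking the wrong file in Roaming, mistyping a 40-character password). The following Python script is an added example, not code from the original article or from any tool it mentions: it locates the extensionless hex-named archive and the other on-disk indicators the article names (cryptohost.exe and the Files listing) in a Roaming folder, derives the password as archive name plus user name exactly as described, and builds the 7-Zip command line that extracts it. The "_restored" output folder suffix, the sample directory it constructs for a dry run (dummy bytes, not a real RAR) and the function names are all my own assumptions.

```python
import getpass
import re
import shutil
import subprocess
import tempfile
from pathlib import Path, PureWindowsPath

# The archive name is hex-only with no extension. The example on the page is 40 hex
# characters (the length of a SHA1 hash); the page also says 41, so both are accepted.
ARCHIVE_NAME_RE = re.compile(r"^[0-9A-Fa-f]{40,41}$")

# Other on-disk indicators named in the article, all in the same Roaming folder.
INDICATOR_FILES = ("cryptohost.exe", "Files")


def find_candidate_archives(roaming_dir):
    """Return extensionless, hex-named files in the Roaming folder, largest first."""
    roaming = Path(roaming_dir)
    hits = [p for p in roaming.iterdir() if p.is_file() and ARCHIVE_NAME_RE.match(p.name)]
    return sorted(hits, key=lambda p: p.stat().st_size, reverse=True)


def find_indicators(roaming_dir):
    """Report which article-named indicators (dropper, Files listing, archive) are present,
    so a responder can confirm the infection before cleaning up."""
    roaming = Path(roaming_dir)
    found = {name: (roaming / name).is_file() for name in INDICATOR_FILES}
    found["archive"] = [p.name for p in find_candidate_archives(roaming)]
    return found


def derive_password(archive_path, username=None):
    """Password = archive file name + logged-in user name, as the article describes.
    If no username is given it is read from the C:\\Users\\<username> path component,
    falling back to the current account name."""
    p = PureWindowsPath(archive_path)
    if username is None:
        parts = p.parts
        if "Users" in parts and parts.index("Users") + 1 < len(parts):
            username = parts[parts.index("Users") + 1]
        else:
            try:
                username = getpass.getuser()
            except Exception:
                username = ""
    return p.name + username


def extraction_command(archive_path, username=None, seven_zip="7z"):
    """Build the 7-Zip command that extracts the archive with full paths ('x') into a
    sibling folder. 7-Zip's -p, -o and -y switches take their argument with no space.
    The archive itself already occupies the bare name, so the output folder gets a
    '_restored' suffix (my choice, not something the article specifies)."""
    p = PureWindowsPath(archive_path)
    out_dir = str(p.with_name(p.name + "_restored"))
    return [seven_zip, "x", str(p), "-p" + derive_password(archive_path, username),
            "-o" + out_dir, "-y"]


def run_extraction(archive_path, username=None):
    """Run the extraction if 7-Zip is on PATH; return its exit code, or None if absent."""
    cmd = extraction_command(archive_path, username)
    if shutil.which(cmd[0]) is None:
        return None
    return subprocess.run(cmd, check=False).returncode


def build_sample_roaming_dir():
    """Create a constructed stand-in for %AppData%: the article's example archive name,
    the dropper, the file listing and an unrelated file. Contents are dummy bytes, not a RAR."""
    d = Path(tempfile.mkdtemp(prefix="roaming_"))
    (d / "3854DE6500C05ADAA539579617EA3725BAAE2C57").write_bytes(b"\x00" * 64)
    (d / "cryptohost.exe").write_bytes(b"MZ")
    (d / "Files").write_text("C:\\Users\\Test\\Documents\\report.docx\n")
    (d / "unrelated.txt").write_text("not an indicator\n")
    return str(d)


if __name__ == "__main__":
    sample = build_sample_roaming_dir()
    print("indicators:", find_indicators(sample))
    for archive in find_candidate_archives(sample):
        # Rebuild the Windows-style path the article uses so the user name can be derived.
        win_path = r"C:\Users\Test\AppData\Roaming" + "\\" + archive.name
        print("password:", derive_password(win_path))
        print("command: ", " ".join(extraction_command(win_path)))
```

On a real machine, point `find_indicators` and `find_candidate_archives` at the actual Roaming folder, confirm that cryptohost.exe has been terminated first, and only then call `run_extraction`; the dry run above never touches a live archive because the sample directory holds dummy data.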
Search and Remove the following Files associated with the CryptoHost Ransomware:
Search and Remove the following Registry entries associated with the CryptoHost Ransomware: