Good news: There's a trick to unlock the RAR file

Apr 9, 2016 22:40 GMT  ·  By

Thanks to the efforts of multiple security researchers, there's now a way to recover files locked by the CryptoHost ransomware, which is also detected by security products under the Manamecrypt name.

This particular strain of ransomware does not encrypt your files. Instead, it uses a trick the researchers had not seen before: it collects files of various types and moves them into a password-protected RAR archive.

Over 34 file extensions are targeted. Once the files have been locked inside the archive, which is placed in the "C:\Users\[username]\AppData\Roaming" folder, the ransomware displays up to three different messages on your desktop asking for 0.33 Bitcoin (~$140) as ransom.

CryptoHost doesn't use a C&C server; it only checks at various intervals whether you've paid the ransom.

There's a way to discover the CryptoHost RAR file password

Luckily for victims of this threat, the research team formed by MalwareForMe, MalwareHunterTeam, Michael Gillespie and Bleeping Computer has found a way to recover the RAR file's password and get your files back.

According to their analysis, the ransomware combines the user's processor ID, the motherboard serial number and the C:\ volume serial number, and hashes the result with SHA-1.

This hash gives the RAR file its name, and it is also the first part of the file's password, with the victim's Windows username appended. So if the RAR file in the "C:\Users\[username]\AppData\Roaming" folder is named 1234567890ABCDEF and your Windows username is "Martin", the RAR file's password is 1234567890ABCDEFMartin. RAR passwords are case-sensitive, so copy the file name exactly as it appears on disk and spell the username as Windows does.

But to recover your files and unlock the archive, you need one extra step: stop the ransomware's process. Open the Windows Task Manager, find the cryptohost.exe process, end it, and then extract the RAR file.
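The recovery procedure described above, scripted in PowerShell as an added example. This is not code from the original article or from the researchers it cites. It assumes that the archive sits directly in %AppData% with the hex hash as its file name, that 7-Zip (which can extract RAR archives) is installed at its default path, and that the script is run from the victim's own Windows account so that $env:USERNAME is the username the ransomware used. The archive is identified by its RAR signature bytes rather than by name alone, and the password is read straight from the file name, since the article does not give the exact format in which the hardware identifiers are concatenated before hashing.

```powershell
# Added example for this article; not code from the original page or from the
# researchers it cites. Assumptions, labelled as such: the archive sits directly in
# $env:APPDATA with the hex hash as its file name, 7-Zip is installed at the path
# below, and the script runs from the victim's own Windows account so that
# $env:USERNAME is the username the ransomware appended to the password.

$SevenZip = 'C:\Program Files\7-Zip\7z.exe'   # assumption: default 7-Zip install path

function Find-CryptoHostArchive {
    # Look for files whose name is a hex string (the article's SHA-1-derived name)
    # and confirm by content that they are RAR archives: every RAR file starts with
    # the bytes "Rar!" 0x1A 0x07, so a renamed or extension-less archive still matches.
    $magic = [byte[]](0x52, 0x61, 0x72, 0x21, 0x1A, 0x07)
    Get-ChildItem -Path $env:APPDATA -File |
        Where-Object { $_.BaseName -match '^[0-9A-Fa-f]{16,40}$' } |
        Where-Object {
            $stream = [System.IO.File]::OpenRead($_.FullName)
            try {
                $header = New-Object byte[] 6
                $read = $stream.Read($header, 0, 6)
                # Compare-Object returns nothing when the two byte arrays are identical
                ($read -eq 6) -and (-not (Compare-Object $header $magic))
            } finally {
                $stream.Dispose()
            }
        }
}

function Stop-CryptoHost {
    # The article's extra step: the ransomware must not be running while you extract.
    # Get-Process takes the image name without ".exe".
    Get-Process -Name 'cryptohost' -ErrorAction SilentlyContinue | Stop-Process -Force
}

function Get-CryptoHostPassword {
    param([Parameter(Mandatory)][System.IO.FileInfo]$Archive)
    # Password = archive name (the hash) followed by the Windows username, as the
    # article describes. RAR passwords are case-sensitive, so the name is taken
    # from disk rather than retyped.
    return $Archive.BaseName + $env:USERNAME
}

function Expand-CryptoHostArchive {
    param(
        [Parameter(Mandatory)][System.IO.FileInfo]$Archive,
        [Parameter(Mandatory)][string]$Destination
    )
    $password = Get-CryptoHostPassword -Archive $Archive
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    # 7z.exe switches: x = extract with full paths, -p = password, -o = output
    # directory, -y = answer yes to prompts (so the script never blocks).
    & $SevenZip x "-p$password" "-o$Destination" -y $Archive.FullName
    if ($LASTEXITCODE -ne 0) {
        throw "7-Zip exited with code $LASTEXITCODE for $($Archive.Name): wrong password or damaged archive"
    }
    return $password
}

# Usage: stop the process first, then extract each archive found to a folder on
# the Desktop. Copy the recovered files off the machine before cleaning up the
# infection, in case the cleanup also deletes the archive.
Stop-CryptoHost
$archives = @(Find-CryptoHostArchive)
if ($archives.Count -eq 0) {
    Write-Warning "No RAR archive with a hex name found under $env:APPDATA"
} else {
    $outDir = Join-Path $env:USERPROFILE 'Desktop\CryptoHost-recovered'
    foreach ($archive in $archives) {
        $pw = Expand-CryptoHostArchive -Archive $archive -Destination $outDir
        Write-Host "Extracted $($archive.Name) using password '$pw'"
    }
}
```

If 7-Zip reports a wrong password, the most likely cause is that the script was run from a different account than the one that was infected, so $env:USERNAME no longer matches the username the ransomware used; run it as the victim user, or build the password by hand from the archive name and that user's name.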

You'll need to delete the ransomware after you get your files back

Once you have recovered your files, you'll need to remove the ransomware from your computer. Most antivirus products are aware of this threat by now and can remove the ransomware's files automatically.

This was previously impossible because CryptoHost includes a feature that automatically terminates antivirus software once it has infected a computer.

If you don't have an antivirus, instructions on how to remove the ransomware manually are provided on Bleeping Computer's blog.

Photo: The CryptoHost ransom screens