CryptoHost locks files, but you can get them back

If you’re a user whose files are held for ransom by the CryptoHost (aka Manamecrypt) ransomware, despair no more about getting them back without paying for it – the ransomware has been “decrypted”!

CryptoHost is ransomware, but it does not encrypt users’ files in the way it claims to:

CryptoHost ransom note

It simply takes a variety of files – images, movies, sound files, Office documents, archive files – found on the victim’s computer, places them into a RAR archive located in the C:\Users\[username]\AppData\Roaming folder, and protects that archive with a password. (A password-protected RAR archive is encrypted, but with a key derived from the password, so recovering the password recovers the files.)

Luckily for the victims, the current iteration of the ransomware is easily foiled: the password needed to open the archive is simply the name of the RAR file followed by the user name of the logged-in user.

“So for example, if the name of the user is Test and the RAR archive is located at C:\Users\Test\AppData\Roaming\3854DE6500C05ADAA539579617EA3725BAAE2C57, the password would be 3854DE6500C05ADAA539579617EA3725BAAE2C57Test,” Bleeping Computer’s Lawrence Abrams explains.

If you don’t know the user name, you can discover it by following these steps:

  • Press the Windows key + R
  • Enter cmd and press Enter (this will open a command line window)
  • Enter echo %username% and press Enter.
  • The resulting string is the user name you need to attach to the name of the RAR file in order to form the password.
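The recovery steps above, as an added worked example (this is not code from the article or from Bleeping Computer): it finds RAR archives under the Roaming folder by their signature bytes rather than by name, derives the password as archive name + user name, and hands extraction to the external unrar command-line tool. The signature-based scan, the unrar invocation and the `make_sample_roaming_dir` helper (which writes a constructed stand-in that carries only the RAR signature) are assumptions for the example, not details from the article.

```python
"""Recover files locked by CryptoHost (aka Manamecrypt).

Added example, not code from the article. Password rule from the article:
<archive file name> + <Windows user name>. Everything else (signature-based
search, use of the `unrar` CLI) is an assumption made for this example.
"""
import getpass
import ntpath
import os
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional

# RAR signature shared by RAR 1.5-4.x (followed by 0x00) and RAR 5 (0x01 0x00).
RAR_MAGIC = b"Rar!\x1a\x07"


def derive_password(archive_path: str, username: str) -> str:
    """Password = bare archive file name (no directory) + logged-in user name.

    ntpath.basename handles both Windows and POSIX separators, so the rule
    works on a Windows path string even when run elsewhere. The user name is
    case-sensitive: use it exactly as `echo %username%` prints it.
    """
    return ntpath.basename(archive_path) + username


def is_rar_archive(path: Path) -> bool:
    """True if the file begins with the RAR signature bytes."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(RAR_MAGIC)) == RAR_MAGIC
    except OSError:
        return False


def find_candidate_archives(roaming_dir: str) -> List[Path]:
    """Return every RAR file directly under the given Roaming directory.

    The archive in the article has no .rar extension, so the scan keys on
    file contents rather than on the file name.
    """
    root = Path(roaming_dir)
    if not root.is_dir():
        return []
    return sorted(p for p in root.iterdir() if p.is_file() and is_rar_archive(p))


def unlock_archive(archive: Path, dest_dir: str, username: Optional[str] = None,
                   unrar_bin: str = "unrar") -> int:
    """Extract `archive` into `dest_dir` using the derived password.

    Runs the external tool: unrar x -y -p<password> <archive> <dest>/
    Returns its exit status (0 on success). Remove the malware first, as
    the article advises, so it cannot re-lock the extracted files.
    """
    username = username or getpass.getuser()
    password = derive_password(str(archive), username)
    os.makedirs(dest_dir, exist_ok=True)
    result = subprocess.run(
        [unrar_bin, "x", "-y", f"-p{password}", str(archive), dest_dir + os.sep],
        check=False,
    )
    return result.returncode


def make_sample_roaming_dir() -> str:
    """Constructed test fixture (assumption, not real CryptoHost output).

    Writes a stand-in archive carrying only the RAR signature, named like the
    example in the article, plus a decoy text file that must be ignored.
    """
    base = tempfile.mkdtemp(prefix="roaming_")
    Path(base, "3854DE6500C05ADAA539579617EA3725BAAE2C57").write_bytes(
        RAR_MAGIC + b"\x00" + b"\x00" * 32)
    Path(base, "settings.txt").write_text("not an archive\n")
    return base


if __name__ == "__main__":
    roaming = os.environ.get("APPDATA", str(Path.home() / "AppData" / "Roaming"))
    found = find_candidate_archives(roaming)
    if not found:
        print(f"no RAR archives found under {roaming}")
    for arc in found:
        print(f"{arc}: password is {derive_password(str(arc), getpass.getuser())}")
```

Run as-is it only lists candidate archives and the password each would take; call `unlock_archive` once the malware has been removed and unrar is installed. The user name must match exactly, including case, since RAR derives the encryption key from the password bytes.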

Alternatively, the password generator published by Michael Gillespie will work out the password for you.

Abrams advises deleting the malware from the computer before performing the file unlocking (and provides instructions on how to do it manually).

Aside from relying on RAR password protection instead of its own file encryption, CryptoHost differs from typical ransomware in two further respects:

  • It does not spread via email or exploit kits, but is delivered bundled with the (legitimate) µTorrent client
  • It can block certain apps from running: those matching strings like “anti-virus”, “obfuscator”, “debugger”, “registry”, “system configuration”, but also “ebay”, “facebook”, “netflix”, etc.