CryptoHasYou Ransomware

Posted by Lisa Blanc on April 4, 2016

What is CryptoHasYou Ransomware?

CryptoHasYou Ransomware is a type of Trojan whose purpose is to encrypt your personal files and demand that you pay a ransom. Therefore, it is paramount that you remove it as quickly as possible if your computer becomes infected with it. We want to stress the dishonesty of the hackers that control this ransomware, because there is a good chance that you will never receive the decryption key you have paid for. This particular ransomware uses the AES256 encryption algorithm which makes it a difficult infection to deal with. Since this infection is relatively new, researchers have yet to crack it, so that this particular point we can only show you how to delete it and explain how it works and how it is distributed. test

Where does CryptoHasYou Ransomware come from?

This ransomware’s developers make use of the age-old tactic of email spam to distribute it. They might use click bait or disguise the email as legitimate business-related correspondence. Whatever the case may be, the malicious email contains an attachment and if you open this attachment, then it will quickly inject CryptoHasYou Ransomware’s files to %USERPROFILE%\downloads and %TEMP%. However, this ransomware’s executable’s name is subject to change, so identifying it may prove difficult. So if you are a tech-savvy person, then we suggest that you open the Task Manager and look for unfamiliar oddly named processes and go to their location by clicking Open File Location. Nevertheless, a good antimalware tool can detect its file regardless of the file name. Note that an antimalware program can also prevent CryptoHasYou and similar from entering your computer altogether. Now that you know how it is distributed, let us take a close look at how this ransomware operates.

How does CryptoHasYou Ransomware work?

Ransomware is of malicious nature by default and such programs are created with the intention to extort money from misfortunate users. Once on your computer, CryptoHasYou will scan it for various file types, such as enc, exe, lnk, dll, lib, dat, ini, sys, mci, msn, folder, rgu, bin, and so on. Note that the list of files that this ransomware can encrypt is quite extensive so we did not include the whole list. Once the scan is complete, it will proceed to encrypt them using the AES256 symmetrical encryption algorithm with an RSA-2048 key. The encryption is very strong and may be impossible to crack. Then, it will add the .enc or .cryptohasyou file extension to the end of each file name (Example: document.docx.enc)it will also add a text file named YOUR_FILES_ARE_LOCKED.txt to each folder where a file was encrypted.

The YOUR_FILES_ARE_LOCKED.txt file contains a ransom note. CryptoHasYou Ransomware’s developers demand that you pay $300 USD for the decryption key. They want to gain your trust by offering you to send any of your encrypted files to their email locked(AT)vistomail.com and they promise to send you back the file decrypted. However, part of this ransomware’s functionality is to disable Internet Explorer and there is no way of knowing if the other browsers will work as well. So you might need another PC for this job. However, we do not recommend that you play by their rules. The developers even have the audacity to use scare tactics such as claiming that if you do not pay the initial $300 USD, then the price for the encryption key will increase by $150 USD every three days.

Our malware researchers have found that CryptoHasYou will delete Shadow Volume Copies and disable Startup Repair using the vssadmin delete shadows /all /quiet, bcdedit /set {default} recoveryenabled no, and bcdedit /set {default} bootstatuspolicy ignoreallfailures commands. Thus, it makes file recovery impossible. It is a smart move on the part of the developers, but you should not give into their bulling. We advise that you remove this infection and, if possible, recover your files from external drives or other media storage.

How do I remove CryptoHasYou Ransomware?

As mentioned, locating this ransomware’s executable files is difficult because they use random names, but you can find them in %USERPROFILE%\downloads and %TEMP%, especially in the first folder since it is where all of your downloads are stored by default. If you manage do locate the files, then before deleting them, you should open the Task Manager and kill any processes linked to this ransomware. In some cases you might even have to boot up your PC in Safe Mode to do so. Please follow our instructions to get rid of this ransomware altogether.

Boot up in Safe Mode with Networking

Windows 10

Press the Start button, and then the Power button.
Hold down the Shift key and select Restart.
In the resulting, full-screen menu, select Troubleshoot.
Then, go to Advanced options and select Startup Settings.
In the Startup Settings screen, tap Restart.
The PC will reboot, and bring you to a Startup Settings screen.
Use the arrow keys on your keyboard to select Enable Safe Mode with Networking.

Windows 8 and 8.1

Press the Windows Key+C, and then click Settings.
Click Power, hold down Shift on your keyboard and click Restart.
Click Troubleshoot, click Advanced options, and select Startup Settings.
Click Restart and press 5 on your keyboard to Enable Safe Mode with Networking.

Windows 7 and Vista

Click the Start button click the arrow next to the Shut Down button, and then click Restart.
Press and hold the F8 key as your computer restarts.
On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press Enter.
Log on to your computer with a user account that has administrator rights.

Windows XP

Restart the computer.
Press and hold the F8 key as your computer restarts.
On the Advanced Boot Options screen, use the arrow keys to highlight the Safe Mode with Networking, and then press Enter.
Log on to your computer.