CryptoHost Ransomware

What is CryptoHost Ransomware?

If CryptoHost Ransomware manages to sneak onto your operating system, you should almost be “thankful” that it was this Trojan ransomware that attacked you, since it is nothing like Salam Ransomware and Crysis Ransomware, which are really dangerous threats. Of course, this does not mean that you should not take it seriously. In most ransomware infections it is quite likely that you will never see or access your files again unless you pay the ransom fee and are lucky enough to be able to decrypt your files, or unless you have backup copies of your files on external drives. This malware infection also claims to have encrypted and locked your files; however, our malware specialists at Anti-Spyware-101.com say that only the locking part is true. As a matter of fact, this Trojan simply collects all targeted files and archives them in a specially named RAR file that is protected by a password. Obviously, you cannot extract these files without the password even if you find the archive. Although this malicious software warns you not to tamper with it, we believe that you should remove CryptoHost Ransomware immediately after it reveals its sinister presence. Please read our full report to learn more about this infection, how you can avoid similar attacks, and how you can retrieve your files.

Where does CryptoHost Ransomware come from?

Unlike most Trojan ransomware programs, this infection has been found most commonly distributed in software bundles. According to our researchers, this Trojan mainly travels with µTorrent. However, these software packages may well contain a number of other malware threats as well. But most probably this infection is the most severe one among them. Yet, you cannot ignore the fact that there may be several threats on your computer because leaving any of these on board can seriously harm your system security. You should know that you can download such malicious bundles through suspicious websites associated with file sharing, including pornographic, shareware, and torrent sites. It is enough for you to click on any unreliable content, a banner or pop-up advertisement, and the damage is done. Well, at least it is most likely that you will download some nasty infections in the background.

You should also know that even if you drop such a package onto your computer, most of the time you have an opportunity to opt out of installing unwanted components. You just need to be careful and view every step with caution. Usually you are offered checkboxes to untick if you do not wish to let an element of the package on board. However, inexperienced computer users tend to skip this step or simply overlook it. Since there is a good chance that you let this Trojan on board this way, we suggest that you delete CryptoHost Ransomware right away and run a full-system malware scan to detect all other infections as well.

How does CryptoHost Ransomware work?

As we have already said, this ransomware does not actually encrypt your files even if its own name suggests that. Instead, it packs all your images, videos, and documents in a RAR file, and protects it with a unique password. Therefore, all your files with the following extensions get archived and become inaccessible: .jpg, .jpeg, .png, .gif, .psd, .ppd, .tiff, .flv, .avi, .mov, .qt, .wmv, .rm, .asf, .mp4, .mpg, .mpeg, .m4v, .3gp, .3g2, .pdf, .docx, .pptx, .doc, .7z, .zip, .txt, .ppt, .pps, .wpd, .wps, .xlr, .xls, .xlsl. Once the archive is done, it will be saved to the %AppData% directory.

All this may take place without your noticing it, unless you are using or want to use any of the affected files, of course. When this process has finished, you are informed about the supposed encryption through a warning message that is displayed on your desktop. This time, however, your processes and files do not get blocked, and neither does your screen. This warning tells you that your files have been encrypted and locked and that you have to pay the demanded 0.38094 Bitcoins (around 162 USD) within 10 days; or else, you can say goodbye to your files.

Since paying with Bitcoins may not be common knowledge for common computer users, the criminals behind this malicious attack give you the necessary information as well. If you click on the “How It Works” button, you will be given the know-how and also some links, such as localbitcoins.com and bitstamp.net/help/how-to-buy, to make it easier for you. We cannot tell you not to pay the ransom fee since it is your own decision to make. But please consider that cyber criminals rarely keep their word. So it is a possibility that even if you pay, you will not be able to recover your files. But you should also know that we can actually help you do that and also remove CryptoHost Ransomware.

Our researchers have also found that this ransomware starts to monitor running processes and window titles for these strings: anti virus, anti-virus, antivirus, avg, bitdefender, eset, mcafee, dr.web, f-secure, internet security, obfuscator, debugger, monitor, registry, system restore, kaspersky, norton, ad-aware, sophos, comodo, avira, bullguard, trend micro, eset, task manager, system configuration, registry editor, game, steam, lol, rune, facebook, instagram, youtube, vimeo, twitter, pinterest, tumblr, meetme, netflix, amazon, ebay, shop, origin. The reason behind it is simple: this malicious software wants to make sure that you do not remove it and that you cannot browse your favorite sites either. Instead, you may see a warning message that you should pay the fee before you can use these.

How can I delete CryptoHost Ransomware?

Strangely enough, it is not even that difficult to remove CryptoHost Ransomware from your computer and recover your files. We have prepared a step-by-step guide for you below this article. Please follow it carefully to make sure that this malicious threat gets erased without leftovers. If you want to make sure that your PC is all secure, we believe that you should download and install a reputable malware removal application that will also protect your PC automatically from all known malware infections. If you need assistance with removing CryptoHost Ransomware, please leave us a message below.

Remove CryptoHost Ransomware from Windows

  1. Tap Alt+R and type in taskmgr.
  2. Select the malicious process, cryptohost.exe, and click End task.
  3. Exit the Task Manager.
  4. Tap Win+E to open File Explorer.
  5. Find the %AppData% folder and delete cryptohost.exe.
  6. Empty your Recycle Bin.
  7. Tap Win+R and enter regedit. Click OK.
  8. Find the registry value named software under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, with the value data “%AppData%\cryptohost.exe”, and delete it.
  9. Exit the Registry editor.

Extract your files

  1. Tap Win+E to launch File Explorer.
  2. Enter the %AppData% folder.
  3. Locate the malicious RAR archive, which has no extension and whose name consists of 41 characters that describe this information: “processor ID + volume_serial_number_of_C: + motherboard_serial_number”, for example, “A69CC4A91E86934CFD0753D5E928F1E026222D0B”.
  4. In order to extract this file, you will be asked to enter the password. This password will be the “file name + username”, in other words, “A69CC4A91E86934CFD0753D5E928F1E026222D0Busername”.
  5. Wait till the extraction process finishes and reboot your system.
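
The following Python example is added here and is not part of the original guide: it searches a folder for extension-less files named as described in step 3 that begin with the RAR signature, and builds the password from step 4. The function names, the hex-only name pattern (taken from the example name above), and the use of the current Windows account name as the “username” are assumptions.

```python
import getpass
import os
import re
from pathlib import Path

# Assumption: names look like the guide's example (hex digits only, no dot).
# The guide says 41 characters while its example has 40, so both are accepted.
NAME_RE = re.compile(r"^[0-9A-Fa-f]{40,41}$")
# Signature bytes shared by RAR 4.x and RAR 5 archives.
RAR_MAGIC = b"Rar!\x1a\x07"


def find_candidate_archives(folder):
    """Return hex-named, extension-less files in `folder` that start with the RAR signature."""
    hits = []
    for entry in sorted(Path(folder).iterdir()):
        if not entry.is_file() or not NAME_RE.match(entry.name):
            continue
        try:
            with entry.open("rb") as fh:
                header = fh.read(len(RAR_MAGIC))
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        if header == RAR_MAGIC:
            hits.append(entry)
    return hits


def archive_password(archive_name, username):
    """Password as the guide describes it: archive file name followed by the user name."""
    return f"{archive_name}{username}"


if __name__ == "__main__":
    appdata = os.environ.get("APPDATA")
    if not appdata:
        raise SystemExit("APPDATA is not set; run this under the affected Windows account")
    for archive in find_candidate_archives(appdata):
        # Assumption: the "username" is the account that was logged in during the infection.
        print(archive, "->", archive_password(archive.name, getpass.getuser()))
```

Copy the archive to a separate location before extracting it, so that the original stays intact if the first password attempt fails.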