How to Recover Cryptohost Ransomware Files
Cryptohost Ransomware Description and Removal Instructions:
Malware Category: Ransomware
CryptoHost Ransomware, also detected as Ransom:MSIL/Manamecrypt.A or Ransom_CRYPTOHOST.A, is a new version of the Crypto-Ransomware viruses. CryptoHost Ransomware targets PCs running Windows OS and demands $140 or .33 bitcoins. The victim's files are not actually encrypted but are put into a password-protected .RAR archive. Fortunately, the password is crackable and there is a way to recover the files encrypted by CryptoHost Ransomware.
When running, CryptoHost Ransomware will start encrypting certain types of files stored on local or mounted network drives using RSA-2048 public-key cryptography, with the private key stored only on a control server. Files with the following extensions are moved by the infection:
jpg, jpeg, png, gif, psd, ppd, tiff, flv, avi, mov, qt, wmv, rm, asf, mp4, mpg, mpeg, m4v, 3gp, 3g2, pdf, docx, pptx, doc, 7z, zip, txt, ppt, pps, wpd, wps, xlr, xls, xlsl
CryptoHost Ransomware will create help_your_files.html and put a shortcut to it in every folder where a file was encrypted. Those files contain instructions explaining how to pay the ransom. CryptoHost Ransomware creates an archive in the C:\Users\[username]\AppData\Roaming folder. There it stores the configuration information. For the victims to pay the ransom, the virus sends them to a webpage where they can enter their personal code and access the payment page. The payment is in Bitcoins, which is untraceable.
Cryptohost Ransomware will not just encrypt files and block your computer, it will also collect valuable information that will be sent to the control server at: crazytrevor.com and crazytrevor.in. Such software could lead to more malware coming into your computer and even cause a loss of data. Such threats are not to be underestimated!
If you are infected, we at SpywareTechs.com recommend downloading SpyHunter Malware Security Suite in order to remove the infection automatically:
Once you get rid of Cryptohost Ransomware (see how to remove Cryptohost Ransomware in our article), you can try to recover your files using the methods below:
How to Recover Files Encrypted by Cryptohost Ransomware:
You can try to recover your files from a system backup. If there is no backup available, you can try to restore the files using the Shadow Copy Service. Windows XP Service Pack 2 and later versions have an integrated feature called Shadow Copy Service which will automatically create backup copies of your files. This method is not bullet-proof, as Cryptohost Ransomware may delete the shadow copies.
1. How to Restore Files Using the Shadow Copy Service:
Method 1. Using Windows Previous Version tab:
*The Windows System Protection service must have been enabled before the infection, otherwise it will not work.
- Right-click on the encrypted file, select Properties from the menu.
- Click on “Previous Version” tab (If missing, this means that Windows System Protection has not been enabled).
- Choose a previous version copy and click on the Copy button. Select a directory you wish to recover the file to, or you can try to restore the selected file, directly, by hitting the Restore button.
The same method can be used to recover an entire folder. Just right-click on the highlighted folder and select Properties, and then the Previous Version tab.
Method 2. Using Shadow Explorer:
Shadow Explorer can be used to restore whole folders. You can download the program from the link below:
Download and run the program. A list of available drives will show up on the left side. Beside it, you will see the dates for which shadow copies are available. Select the drive and the date to restore to.
2. How to recover files encrypted by Cryptohost Ransomware using an Archive Extractor:
When Cryptohost starts running, it will move data files into a .RAR archive protected with a password. The archive will be located in the C:\Users\[username]\AppData\Roaming folder. The archive itself will have a 41-character name without an extension. For example: 6844DE9639C05ADBF558209693HJ31425GJLE6C01. The password for the archive is the name of the file plus the logged-in user account name. Let's assume that the username is John. The path would be the following: C:\Users\John\AppData\Roaming\6844DE9639C05ADBF558209693HJ31425GJLE6C01 and the password in this case will be 6844DE9639C05ADBF558209693HJ31425GJLE6C01John.
*Before proceeding, please open Task Manager and kill the process: cryptohost.exe.
In order to extract the archive, you need archive extractor software like WinRar or 7-Zip. Open up your archive application, navigate to C:\Users\John\AppData\Roaming (the path will be unique for every user) and open the file 6844DE9639C05ADBF558209693HJ31425GJLE6C01. When prompted for a password, enter 6844DE9639C05ADBF558209693HJ31425GJLE6C01John (the password will differ, this is an example). Once the extracting process finishes, open the newly created folder and copy all of its content to the root of your local C: drive. If everything goes normally, you should have your files back.
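The lookup described above can be scripted, for instance when working on a mounted copy of the affected profile. The following is an added example, not part of the original article: it scans a Roaming folder for files with a 41-character, extensionless name that start with the RAR signature and prints the password built from the file name plus the user name. It assumes the name consists of letters and digits (as in the article's example) and that the profile folder name equals the account name; the demo data is constructed.

```python
import re
import tempfile
from pathlib import Path

# Both RAR4 and RAR5 archives begin with these six bytes.
RAR_MAGIC = b"Rar!\x1a\x07"
# Assumption: the 41 characters are letters and digits, as in the article's example.
NAME_RE = re.compile(r"[0-9A-Za-z]{41}")


def find_cryptohost_archives(roaming_dir):
    """Return (path, password) for each candidate archive in a Roaming folder.

    The user name is taken from the profile path (Users/<name>/AppData/Roaming),
    which is assumed to match the account name the password was built from.
    """
    roaming = Path(roaming_dir)
    username = roaming.parent.parent.name
    found = []
    for entry in sorted(roaming.iterdir()):
        if not entry.is_file() or not NAME_RE.fullmatch(entry.name):
            continue  # wrong length, has an extension, or is a directory
        with entry.open("rb") as fh:
            if fh.read(len(RAR_MAGIC)) != RAR_MAGIC:
                continue  # name fits the pattern but content is not a RAR archive
        found.append((entry, entry.name + username))
    return found


def demo():
    """Build a constructed profile tree and run the scan over it."""
    name = "6844DE9639C05ADBF558209693HJ31425GJLE6C01"  # example name from the article
    with tempfile.TemporaryDirectory() as tmp:
        roaming = Path(tmp) / "Users" / "John" / "AppData" / "Roaming"
        roaming.mkdir(parents=True)
        (roaming / name).write_bytes(RAR_MAGIC + b"\x00constructed")
        (roaming / ("A" * 41)).write_bytes(b"not an archive")  # decoy: wrong magic
        (roaming / "settings.ini").write_text("x=1")  # decoy: has an extension
        return [(p.name, pw) for p, pw in find_cryptohost_archives(roaming)]


if __name__ == "__main__":
    for fname, password in demo():
        print(fname, "->", password)
```

On a real system, pass the actual Roaming path to find_cryptohost_archives and enter the reported password in WinRar or 7-Zip as described above.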
Nevertheless, if you want to be protected from Cryptohost Ransomware, get SpyHunter!