It is time to raise a red flag about a new piece of malicious code that holds the files of infected Windows users hostage. The ransomware known as .Cryptohasyou has been in circulation for about a week and has already infected numerous personal computers and enterprise networks in that short time. The program encrypts data on the local hard drive as well as on any network shares the logged-in user has access to. Besides being rendered unreadable by the cipher, every affected file gets the .ENC extension appended after its original extension: an image named ‘rose.bmp’, for instance, becomes ‘rose.bmp.enc’.
The .ENC file extension ransomware does not rely on a single algorithm to encode data. It uses a combination of AES-256 and RSA-2048 that cannot be brute-forced, so recovery is practically impossible unless the private key is somehow obtained. One objectionable way to get hold of that key is to pay the ransom, which amounts to 300 USD. Payment is due within 3 days, after which the demand rises to 450 USD. For the time being, no other method decrypts all of the locked files with certainty. The .Cryptohasyou virus lays out its recovery instructions in an image that replaces the user’s desktop wallpaper, and it also drops a YOUR_FILES_ARE_LOCKED.txt document containing the same information.
The message starts with the following alert: “Hello. Unfortunately for you, a virus has found its way onto your computer. The virus has encrypted all of your files that exist on this computer (pictures, documents, spreadsheets, videos, etc). There is no way to restore the files back to their original forms without the unique decryption program.”
In other words, the victim is expected to pay for the secret decryption key and the purpose-built decryption application to get their files back. To reach the extortionists, users must send an email to firstname.lastname@example.org and then follow the instructions in the reply. The attackers offer to decrypt one file for free if the victim sends it over by email. The .ENC ransomware carries a blacklist of extensions that it does not touch, but these are unlikely to be personal or otherwise important data: it skips files with .exe, .vbs, .pif, .reg, .bat and about 30 more extensions. That way the operators keep the operating system bootable and also cut the time needed to encrypt the data that matters to the victim.
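As an added triage example (not part of the original article and not code from any tool it mentions), the PowerShell below inventories the files the ransomware has renamed to *.enc across a set of local folders and network shares, reconstructs each original name the way the article describes (rose.bmp.enc back to rose.bmp), tallies the affected file types, brackets the time window in which the encryption ran, and locates the ransom notes. The scan roots and the CSV output path are assumptions; the skip list is the partial one quoted above.

```powershell
# Added example: scope a .Cryptohasyou infection by inventorying *.enc files.
# Runs in an ordinary PowerShell session on the affected machine; it only reads
# paths the current user can already reach. Roots and output path are assumptions.

function Get-EncryptedFileInventory {
    param(
        # Folders and shares to scan, e.g. 'C:\Users', 'D:\', '\\fileserver\projects'
        [Parameter(Mandatory)][string[]]$Root,
        # Extensions the article reports the malware skips (partial list from the text)
        [string[]]$SkippedExtension = @('.exe', '.vbs', '.pif', '.reg', '.bat')
    )
    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Recurse -File -Filter '*.enc' -ErrorAction SilentlyContinue |
            ForEach-Object {
                # 'rose.bmp.enc' -> original name 'rose.bmp', original extension '.bmp'
                $originalName = $_.Name -replace '\.enc$', ''
                $originalExt  = [System.IO.Path]::GetExtension($originalName).ToLowerInvariant()
                [pscustomobject]@{
                    EncryptedPath     = $_.FullName
                    OriginalName      = $originalName
                    OriginalExtension = $originalExt
                    SizeBytes         = $_.Length
                    # LastWriteTime of the encrypted copy approximates when the encryptor touched it
                    EncryptedAt       = $_.LastWriteTime
                    # A skip-list type showing up as .enc deserves a second look: either a
                    # different strain or a file that already carried that name before the attack
                    OnSkipList        = $SkippedExtension -contains $originalExt
                }
            }
    }
}

function Get-RansomNote {
    param([Parameter(Mandatory)][string[]]$Root)
    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Recurse -File -Filter 'YOUR_FILES_ARE_LOCKED.txt' -ErrorAction SilentlyContinue |
            Select-Object FullName, LastWriteTime
    }
}

# Hypothetical scan roots: the profile tree plus one share this user can reach.
# Mapped SMB shares can be listed with Get-SmbMapping on Windows 8 / Server 2012 and later.
$roots     = @('C:\Users', '\\fileserver\share')
$inventory = @(Get-EncryptedFileInventory -Root $roots)

'{0} encrypted files found' -f $inventory.Count
$inventory | Group-Object OriginalExtension | Sort-Object Count -Descending |
    Select-Object @{n = 'OriginalExtension'; e = { $_.Name }}, Count | Format-Table -AutoSize

# First and last .enc write times bracket the encryption run, which narrows the log review window
if ($inventory.Count -gt 0) {
    $byTime = @($inventory | Sort-Object EncryptedAt)
    'Encryption ran from {0} to {1}' -f $byTime[0].EncryptedAt, $byTime[-1].EncryptedAt
}

$inventory | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\enc_inventory.csv"
Get-RansomNote -Root $roots
```

Run it before cleanup so the timestamps and note locations are preserved; the CSV doubles as the list of files to look for in backups or shadow copies later.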
Once again, there is no viable method that guarantees recovery of all .ENC files locked by the .Cryptohasyou virus. It does make sense, however, to try Windows’ Volume Shadow Copy Service (VSS) and a couple of other tricks before deciding what to do next.
Using a reputable security suite is an efficient way of dealing with malware in general and ransomware threats in particular. It ensures thorough detection of all virus components and their complete removal in a single click. Be advised, though, that uninstalling this infection and recovering your files are two different things; the infection still needs to be removed, as it has been reported to bring in other Trojans while it runs.
As mentioned above, the .Cryptohasyou ransomware applies strong cryptography to render files inaccessible, so there is no magic wand that restores all of the encrypted data instantly, short of paying the ransom. There are techniques, though, that can help you recover the important files; here is what they are.
Automatic file recovery software
It is worth knowing that the infection deletes the original, unencrypted files: it is the copies that go through the ransomware’s encryption. File recovery tools such as Data Recovery Pro can therefore bring back the deleted originals, as long as the disk space they occupied has not been overwritten since. The sooner you try this the better, and run the recovery tool from another drive or system so that you do not overwrite the very clusters you are trying to recover. This workaround is worth trying and has proved fairly effective.
Shadow Volume Copies
This approach relies on Windows’ native shadow copies of files, which are taken whenever a restore point is created. There are important conditions: it only works if System Restore (System Protection) was enabled on the volume before the infection, and only if the shadow copies still exist. Many ransomware families delete them before encrypting; whether this strain does so is not established here, so check first with ‘vssadmin list shadows’ in an elevated command prompt. Also, any changes made to a file after the most recent restore point will not be present in the recovered version.
Any file’s Properties dialog has a tab called Previous Versions, where the backed-up versions are listed and can be recovered from. Because the encrypted copy is a new file, its own Previous Versions tab will be empty; open the Properties of the containing folder instead, go to that tab and select Copy or Restore, depending on the location you would like the original recovered to.
Shadow Explorer makes the same process more convenient: it also retrieves Shadow Volume Copies, but lets you browse them like an ordinary drive. Download and install the application, run it, pick the volume and snapshot date, browse to the files and folders whose previous versions you want back, right-click an entry and select Export.
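The steps above can be scripted. The PowerShell below is an added example (not from the article, Shadow Explorer or Microsoft): it first lists the shadow copies that survive for a volume, which is the check for whether the method can work at all, then, for one encrypted file, derives the original name the way the article describes, mounts each snapshot through a temporary directory symlink and copies out every earlier version it finds. It assumes an elevated session, the .enc naming scheme described above, and the example file and destination paths; it covers local volumes only, so for a network share it would have to run on the file server itself.

```powershell
# Added example: recover pre-encryption versions of a file from Volume Shadow Copies.
# Requires an elevated (Administrator) PowerShell session; the sample paths are assumptions.

function Get-ShadowCopiesForDrive {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'C:'
    # Win32_ShadowCopy names volumes by GUID path, so map the drive letter to that first
    $volume = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $volume) { throw "No volume mounted as $DriveLetter" }
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume.DeviceID } |
        Sort-Object InstallDate -Descending          # newest snapshot first
}

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$EncryptedPath,   # e.g. 'C:\Users\me\Pictures\rose.bmp.enc'
        [Parameter(Mandatory)][string]$Destination      # folder to receive recovered versions
    )
    # The snapshot holds the file under its pre-encryption name: strip the appended .enc
    $original = $EncryptedPath -replace '\.enc$', ''
    $drive    = [System.IO.Path]::GetPathRoot($original).TrimEnd('\')   # 'C:'
    $relative = $original.Substring($drive.Length + 1)                  # path below the volume root

    $copies = @(Get-ShadowCopiesForDrive -DriveLetter $drive)
    if ($copies.Count -eq 0) {
        Write-Warning "No shadow copies exist for $drive; this method cannot recover $original"
        return
    }
    New-Item -ItemType Directory -Force -Path $Destination | Out-Null

    foreach ($sc in $copies) {
        # A snapshot is exposed as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN, which the
        # filesystem provider cannot open directly, so reach it through a directory symlink
        # (mklink needs the trailing backslash on the device path)
        $link = Join-Path $env:TEMP ('vss_' + [guid]::NewGuid().ToString('N'))
        cmd /c mklink /d "$link" "$($sc.DeviceObject)\" | Out-Null
        try {
            $candidate = Join-Path $link $relative
            if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                $stamp = $sc.InstallDate.ToString('yyyyMMdd_HHmmss')
                $out   = Join-Path $Destination ('{0}_{1}' -f $stamp, (Split-Path $original -Leaf))
                Copy-Item -LiteralPath $candidate -Destination $out
                [pscustomobject]@{ ShadowCopy = $sc.ID; SnapshotTime = $sc.InstallDate; RestoredTo = $out }
            }
        } finally {
            # rmdir on a directory symlink removes only the link, never the snapshot contents
            cmd /c rmdir "$link" | Out-Null
        }
    }
}

# Check first: an empty list here means the snapshots are gone and nothing below can help
Get-ShadowCopiesForDrive -DriveLetter 'C:' | Select-Object ID, InstallDate

# Recover every available earlier version of one encrypted file (hypothetical paths)
Restore-FromShadowCopy -EncryptedPath 'C:\Users\me\Pictures\rose.bmp.enc' -Destination 'D:\recovered'
```

Each recovered copy is prefixed with its snapshot time, so you can pick the newest version that predates the infection; writing the output to a different volume avoids overwriting anything a file-carving tool might still recover from the original disk.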
Restoring from a backup is the best of all the options that do not involve the ransom. If you had been backing up your data to an external server before the ransomware hit your PC, restoring the encrypted files is as simple as logging into the respective interface, selecting the right files and starting the restore. Before you do so, however, be sure to completely remove the ransomware from your computer, otherwise the restored copies can be encrypted again.
If you chose manual cleanup, fragments of the ransomware may remain as obfuscated objects in the file system or as registry entries. To make sure no malicious components are left, scan the computer with a reliable malware security suite.