CryptoHost

One example of the CryptoHost variant.

Image Source: Bleeping Computer

CryptoHost targets Windows OS and is currently distributed through a compromised uTorrent installer. Once installed, it extracts its executable file to the %AppData% folder and launches it. It then attempts to delete the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot key to prevent the system from being booted into safe mode and monitors for strings associated with security software. Instead of encrypting files, however, CryptoHost moves all targeted files to a password-protected RAR archive located here: C:\Users\[username]\AppData\Roaming folder. The name of the archive is an SHA1 hash of the processor ID number, the volume serial number of the C drive, and the serial number of the motherboard. The password for the RAR archive is this SHA1 hash plus username. Once this process is completed, CryptoHost displays a ransom note demanding .33 Bitcoin to recover files.

  • Bleeping Computer provides more information about CryptoHost, including instructions on how to recover files and remove the infection, here.