Posts tagged CryptoHost

CryptoHost targets Windows and is currently distributed through a compromised uTorrent installer. Once installed, it extracts its executable file to the %AppData% folder and launches it. It then attempts to delete the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot key to prevent the system from being booted into safe mode, and it monitors for strings associated with security software. Instead of encrypting files, however, CryptoHost moves all targeted files into a password-protected RAR archive located in the C:\Users\[username]\AppData\Roaming folder.
