New CryptoHost Ransomware Spotted in the Wild (Aug 23, 2016).
The Dell SonicWALL Threats Research team observed reports of a new ransomware family named CryptoHost [GAV: Filecoder.A_118] actively spreading in the wild.
The malware encrypts all files on the victim's machine by placing them in a password-protected RAR archive.
Infection Cycle:
The Malware uses the following icons:
The malware adds the following files to the system:
- CryptoHost.exe
- %Userprofile%\Application Data\cryptohost.exe
- %Userprofile%\Application Data\processor.exe
- processor.exe
- C:\Documents.rar
The Trojan adds the following key to the Windows registry to ensure persistence upon reboot:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\software = "%Userprofile%\Application Data\cryptohost.exe"
The malware runs the following commands on the system:
Once the computer is compromised, the malware copies its own executable to the %Userprofile%\Application Data folder and starts another process named processor.exe.
The malware encrypts the victim's files using RAR's built-in strong encryption and withholds the archive password until the victim pays a fee to get the files back.
After encrypting all the personal documents and files it shows the following picture:
It demands that victims pay in Bitcoin in order to receive the decryption key that allows them to recover their files. The malware also provides instructions on how to purchase Bitcoins:
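Because the artifact this family leaves behind is a password-protected RAR archive (C:\Documents.rar above), a triage script can confirm the encryption state of a suspect file from its block headers alone, without extracting anything. The following is an added example written for this article, not SonicWALL code or a tool from the advisory: it parses the published RAR 4.x header layout for the password flags, and `build_rar4_sample` is a constructed test fixture with made-up file names, not a real archive.

```python
import struct

RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
MAIN_HEAD, FILE_HEAD = 0x73, 0x74
MHD_PASSWORD = 0x0080  # main-header flag: all following block headers are encrypted
LHD_PASSWORD = 0x0004  # file-header flag: this entry's data is encrypted
LHD_LARGE = 0x0100     # file-header flag: 64-bit size extension precedes the file name
LONG_BLOCK = 0x8000    # header flag: 4-byte ADD_SIZE follows the 7-byte base header

def rar_encryption_status(data: bytes) -> dict:
    """Walk RAR 4.x block headers and report password protection without
    extracting anything. RAR5 archives are recognised but not parsed here."""
    status = {"rar": False, "encrypted_headers": False, "encrypted_files": []}
    if data.startswith(RAR5_SIG):
        status["rar"] = True
        return status
    if not data.startswith(RAR4_SIG):
        return status
    status["rar"] = True
    pos = len(RAR4_SIG)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK and pos + 11 <= len(data) else 0
        if htype == MAIN_HEAD and flags & MHD_PASSWORD:
            status["encrypted_headers"] = True
            break  # every block after the main header is ciphertext; nothing more to read
        if htype == FILE_HEAD and flags & LHD_PASSWORD and pos + 28 <= len(data):
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name_at = pos + 32 + (8 if flags & LHD_LARGE else 0)
            status["encrypted_files"].append(data[name_at:name_at + name_size].decode("latin-1"))
        if hsize < 7:
            break  # malformed header; stop instead of looping forever
        pos += hsize + add_size
    return status

def build_rar4_sample(names, encrypted=True, encrypted_headers=False) -> bytes:
    """Constructed test data: a minimal RAR 4.x byte layout with zero CRCs and
    dummy packed data. It is not a real archive and will not extract."""
    def block(htype, flags, body):
        return struct.pack("<HBHH", 0, htype, flags, 7 + len(body)) + body
    out = RAR4_SIG + block(MAIN_HEAD, MHD_PASSWORD if encrypted_headers else 0, b"\x00" * 6)
    for n in names:
        name, payload = n.encode(), b"\xff\xff\xff\xff"
        # PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME, UNP_VER, METHOD, NAME_SIZE, ATTR
        body = struct.pack("<IIBIIBBHI", len(payload), 4096, 2, 0, 0, 29, 0x30, len(name), 0x20)
        flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
        out += block(FILE_HEAD, flags, body + name) + payload
    return out
```

Run `rar_encryption_status(open(path, "rb").read())` against C:\Documents.rar or any unexpected .rar under a user profile; an archive whose entries are all password-protected and appeared alongside the Run-key entry above is the condition worth alerting on.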
We have been monitoring varying hits over the past few days for the signature that blocks this threat:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
- GAV: Filecoder.A_118 (Trojan)