Cryptgh0st was one of the latest May 2018 malware findings. This crypto-extortionist is believed to be a new third variant of Mauri870 (second version – MauriGo) ransomware. Although the virus is not as widespread as some other crypto-infections, such as Locky, GandCrab, NotPetya or CryptoLocker, yet it has all the possibilities to become one, therefore it is crucial to know how as much as possible about this parasite.
Before we go any further it is important to identify what kind of virus you really got, which can be a hard thing to do even after reading the ransom note. To differentiate the Cryptgh0st, MauriGo or any other virus which infected your PC, you can upload the compromised file to MalwareHunterTeam’s or Crypto. Knowing the type of the ransomware can save you lots of time and make the decryption easier.
Cryptgh0st Ransomware quicklinks
- Automatic Malware removal tools
- Manual ways to remove Cryptgh0st crypto-locker and recover files
- Step 1. Restore system into last known good state using system restore
- 1. Reboot your computer to Safe Mode with Command Prompt:
- 2.Restore System files and settings.
- Step 2. Complete removal of Cryptgh0st ransomware
- Step 3. Restore Cryptgh0st ransomware affected files using Shadow Volume Copies
- Step 4. Use Data Recovery programs to recover Cryptgh0st ransomware encrypted files
How did you get Cryptgh0st virus
Let’s start with figuring out how did you get such malevolent parasite on your computer. Ransomware can spread in many ways but most preferred for such threats is the spam email attachments. Hackers use Social engineering and sometimes Geo-location to create a believable message asking to open the attachment which is infected with the Cryptgh0st ransomware, which needs just one click to start compromising the computer. Additional infection tactics include exploits, trojan downloaders, previous infections, malicious ads, fake updates, torrents and etc.
Cryptgh0st ransomware analysis on virustotal.com shows an interesting information about the virus activity. Regardless it being a fairly new virus and only 20 out of 65 antivirus programs recognising it as malicious (even such sophisticated software like Kaspersky and Malwarebytes do not detect it), the website also states that the very first time it was ‘noticed in the wild’ was in 2010, with a comeback in early 2017. That raises a discussion whether the virus is so sneaky affecting many machines without a notice, or was it just in the development stage and crooks were trying out the abilities of Cryptgh0st ransomware before the final release.
What does Cryptgh0st do
After the intrusion into your computer, the Cryptgh0st uses AES symmetric-key to encrypt the files that are personal like pictures, pdf files, e-books, MS office documents, videos, audio/music songs and many other similar types of data. The virus additionally affects some parts of the registry, but just enough to make the infection persistent, reappearing with every OS restart and to overcome the security. This is necessary so the victim would be able to pay the ransom and have a hope that their files will get unlocked by the hackers.
Ransomware is considered as one of the most dangerous viruses because these encryptions are pretty hard to crack since every machine has a unique decryption code which is only known to the hackers and even after the removal of the virus, the compromised data still stays locked. Cryptgh0st virus marks the encrypted files by appending the ‘.cryptgh0st’ extension to the name so the victim can notice what files they lost by seeing instead of the usual ‘video.mp4’ name a ‘video.mp4.cryptgh0st’.
The whole AES encryption is extremely fast (encrypts 1GB in just around 6 secs) so just in a couple minutes, hackers will take over your files running malicious processes in the background without you being able to do anything to stop it. And once they will be done, Cryptgh0st will finally reappear letting you know what happened by placing the ransom note named ‘READ_TO_DECRYPT.html’ on the desktop with further directions.
The ransom ‘READ_TO_DECRYPT.html’ note displays such text:
THIS ISNT A JOKE !!!
ALL YOUR COMPANY DATA GOT ENCRYPTED !!!
READ THE TEXT !!!
YOUR FILES HAVE BEEN ENCRYPTED USING A STRONG AES-256 ALGORITHM.
YOUR IDENTIFICATION IS
SEND 0,03 BTC TO THE FOLLOWING WALLET
AND AFTER PAY CONTACT [email protected]
SENDING YOUR IDENTIFICATION TO RECOVER
THE KEY NECESSARY TO DECRYPT YOUR FILES
IF YOU ARE NOT PAYING IN THE NEXT 48H
ALL YOUR FILES WILL BE REMOVED FOR EVER
THIS ISNT A JOKE !!!
ALL YOUR COMPANY DATA GOT ENCRYPTED !!!
READ THE TEXT !!!
Compared to MauriGo virus, this version of ransomware really changed the tactics to lure out the ransom. Most likely MauriGo’s demanded amount was so big that the users simply decided that 0.7 BTC (US $6444) and more wasn’t worth for their files and didn’t pay. This time Cryptgh0st asks ‘only’ for 0,03 BTC (US $228) and gives a shorter amount of time to pay it – 48hrs.
It is hard to tell if this technique will bring crooks more money, but at least it seems more possible than the first greedy tries. According to Gizmodo.com another famous crypto-virus WannaCry that is so common in the virtual world, received ransom payment only from 3 percent of victims in 2012. Although, the number increased significantly up to 50 percent this current year.
No matter what the amount crooks ask, it is important not to pay the ransom because this only allows crooks to upgrade the virus and no one can be sure if you will get any decryption key from the modern virtual pirates. Therefore, before you send anything, please try the virus removal/file restore methods below, which in some cases help people to get rid of Cryptgh0st threat completely.
What ways can you eliminate the Cryptgh0st ransomware
Before picking the most optional removal method, we advise you to read the Ransomware Prevention Guide, so any further actions will not cause additional infection or more problems. After you understand how did the Cryptgh0st parasite get into your computer and what was your mistake we offer you two methods on how to delete Cryptgh0st ransomware.
The first method is an automatic malware removal with the anti-spyware tool. You can see the list of all our tested and evaluated tools here, but usually we tend to use Malwarebytes and Spyhunter, because of their updated virus databases, effectiveness and the ability to download some of the damaged system files to the computer. You simply have to follow the instructions and allow the software to scan and delete all the harmful threats, Cryptgh0st included.
Automatic Malware removal tools
Another technique you can do is to try removing the virus manually yourself, however, this method can be tricky and not always remove the rest of the infections that might have gotten into the system once the PC security became vulnerable. It is necessary to have a clean system before file recovery or else your data will be encrypted again.
At the moment there is no decryption tool to unlock the files for the Cryptgh0st virus, however, you can keep checking HeimdalSecurity.com master decryptor post for any updates. We do not promise that you will definitely recover your locked files because some viruses tend to delete Shadow Volume Copies and Restore Points, but it doesn’t hurt to try the methods below.
Manual ways to remove Cryptgh0st crypto-locker and recover files
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2.Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the windows that appeared.
- Select one of the Restore Points that are available before Cryptgh0st ransomware has infiltrated to your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of Cryptgh0st ransomware
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Malwarebytes and remove all malicious files related to Cryptgh0st ransomware. You can check other tools here.
Step 3. Restore Cryptgh0st ransomware affected files using Shadow Volume Copies
If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point in time when the system restore snapshot was created. Usually, Cryptgh0st ransomware tries to delete all possible Shadow Volume Copies, so these methods may not work on all computers. However, it may fail to do so.
Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.
a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover Cryptgh0st ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
- We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
- Download Data Recovery Pro (commercial)
- Install and scan for recently deleted files.
Note: In many cases, it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.