Cryptohasyou is ransomware that encrypts various files stored on the infiltrated system, including .exe, .com, .bin, .dat, .sys, .dmp, .information, .key, .pdb, .bat, .ps1, .vb, .ws, .wsd, .cpl, .reg, .dll, .ini, .msi, .pfx, .sct and .wsc.

Payload

Cryptohasyou encrypts file contents with AES-256 and protects the AES key with RSA-2048: an RSA public/private key pair is generated for the infection, the public key encrypts the AES key, and the matching private key is required to recover it. Cryptohasyou also creates a YOUR_FILES_ARE_LOCKED.txt file in each folder containing compromised files. Note that this ransomware appends a .enc extension to every encrypted file, so encrypted files are straightforward to identify.
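As an added example (not part of this wiki page), the following Python script walks a directory tree and reports folders that show the two on-disk markers named above: files ending in .enc and a YOUR_FILES_ARE_LOCKED.txt note. The directory tree it builds is constructed for the demonstration, and the function names triage, summarize and build_sample_tree are the example's own.

```python
# Added triage example (not from the wiki page): locate folders that carry the
# on-disk markers described in the text, the ".enc" extension on encrypted files
# and the YOUR_FILES_ARE_LOCKED.txt ransom note.
import os
import tempfile

RANSOM_NOTE = "YOUR_FILES_ARE_LOCKED.txt"   # note filename stated on the page
ENCRYPTED_EXT = ".enc"                       # extension stated on the page


def triage(root):
    """Return {relative_folder: {"enc_files": n, "note": bool}} for every folder
    under `root` that holds at least one .enc file or a ransom note."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        enc_count = sum(1 for f in filenames if f.lower().endswith(ENCRYPTED_EXT))
        has_note = RANSOM_NOTE in filenames
        if enc_count or has_note:
            findings[os.path.relpath(dirpath, root)] = {
                "enc_files": enc_count,
                "note": has_note,
            }
    return findings


def summarize(findings):
    """Roll per-folder findings up into totals a responder can act on."""
    return {
        "folders_affected": len(findings),
        "enc_files_total": sum(v["enc_files"] for v in findings.values()),
        "notes_total": sum(1 for v in findings.values() if v["note"]),
        # A folder with .enc files but no note may mean encryption was
        # interrupted there; flag it for a closer look.
        "folders_missing_note": sorted(
            k for k, v in findings.items() if v["enc_files"] and not v["note"]
        ),
    }


def build_sample_tree():
    """Constructed sample data (not a real infection): a throwaway tree that
    mimics the markers so the triage can be run offline."""
    root = tempfile.mkdtemp(prefix="cryptohasyou_demo_")
    layout = {
        "docs": ["report.docx.enc", "budget.xlsx.enc", RANSOM_NOTE],
        os.path.join("docs", "old"): ["notes.txt.enc"],   # no note dropped here
        "pictures": ["holiday.jpg.enc", RANSOM_NOTE],
        "clean": ["readme.txt"],                           # untouched folder
    }
    for folder, files in layout.items():
        path = os.path.join(root, folder)
        os.makedirs(path, exist_ok=True)
        for name in files:
            with open(os.path.join(path, name), "wb") as fh:
                fh.write(b"sample bytes")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = triage(demo_root)
    for folder, info in sorted(result.items()):
        print(f"{folder}: {info['enc_files']} .enc file(s), "
              f"note={'yes' if info['note'] else 'no'}")
    print(summarize(result))
```

Pointing `triage` at a mounted image or a share rather than the constructed tree gives a quick map of which folders the encryption reached, which is the first thing to record before any restore from backup.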

The YOUR_FILES_ARE_LOCKED.txt file contains a message demanding a ransom and stating that most of the victim's files have been encrypted. It goes on to state that the only way to restore them is to purchase specific software (a decrypter) from the cyber criminals. According to this file, the victim must pay a $300 ransom, and the price rises by $150 every three days. The developers of Cryptohasyou give victims the opportunity to decrypt one file free of charge: victims are simply required to send the selected file to the email address provided. Unfortunately, files can only be decrypted using the private key, which is stored on C&C (command and control) servers controlled by the cyber criminals.

Text presented in the YOUR_FILES_ARE_LOCKED.txt file:

READ THIS. IT IS VERY IMPORTANT. Hello. unfortunately for you, a virus has found its way onto your computer. The virus has encrypted all of the files that exist on this computer (pictures, documents, spreadsheets, videos, etc). There is no way to restore the files back to their original forms without the unique decryption program. Fortunately, we can help. We have your unique decryption program. If you value your locked files and want to restore them, we can provide you with the decryption program and any assistance you need for the price of $300. Want us to fix all of your files? Have a question? Want to send us a complaint (or compliment)? Contact us! Our email is locked(AT)vistomail.com We will get back to you with haste. If you want proof that we can decrypt your files, send us a single encrypted file in an email and we will return it to you fixed and in original condition! You must respond to this in a timely fashion if you want your original files back. The initial price of our service is $300. For every 3 days that pass, the price of our service will raise by an additional $150. We will know how long it has been. Remember, we are your only option. If you consult an IT expert, they will tell you the same thing. Cheers.

Additional Details: (for IT people)
[+] It is impossible to recover the original files without our help.
[+] Encryption scheme: aes256(filesystem, aes_key) -> rsa2048(aes_key, public_key) - In other words, the private_key is required to decrypt the filesystem
[+] During filesystem encryption, all affected files had the original data overwritten with the encrypted data several times over to prevent recovery.
[+] If the extension of an encrypted file is not ".enc" when the decryption program is run, it will not be decrypted.
[+] Do not shut down or restart your computer while filesystem decryption occurs

FOR FILE DECRYPTION CONTACT US: locked(AT)vistomail.com
YOU will need to provide the following data to us along with payment in order to decrypt your files.