Last week my machine was infected with the deadly Trojan called Ransomware/CryptXXX, and I was able to recover 95% of the files corrupted by it. This is really one of the nastiest viruses you will come across.
How did this happen?
Recently I had been downloading a lot of tools from different sites and also visiting some malicious sites for research. I'm not really sure how it started to affect my machine. My best guess is that it was initially infected with some Trojan, which opened the gate to this deadly virus.
How did I find out?
For a few days my system was behaving very erratically; actually, the performance of the PC went down. I saw a lot of extra applications in my Task Manager. The most noticeable processes were conhost.exe and sahookmain.exe.
The screenshot below doesn't show it, because I captured it after fixing this issue. The only reason I have included this screenshot is this: if you right-click and try to end the process, you will not be able to; it will show "access denied". My hack to kill that process was to click the button "Show processes from all users", and then I was able to kill these processes.
But the interesting factor was that every time I started Chrome or any internet-related activity, these processes "conhost.exe" and "sahookmain.exe" would replicate and multiply very fast. At times I had 45 to 60 processes of conhost.exe, and similarly for sahookmain.exe, each around 3 to 4 MB. After a while the system would become very slow.
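The symptom described above, dozens of same-named, similarly sized processes appearing shortly after a browser starts, can be checked mechanically rather than by eyeballing Task Manager. The following is an added example, not code from the original post: it parses two snapshots of `tasklist /FO CSV` output (the English-locale format, where "Mem Usage" reads like "3,512 K"), and flags image names whose instance count both exceeds a threshold and grew sharply between the snapshots. The snapshots embedded here are constructed sample data, not captures from the author's machine, and the thresholds and the `allow` list of legitimately multi-process images are assumptions to tune for your own baseline.

```python
"""Flag process names whose instance count balloons between two snapshots.
Added example, not from the post. Input is the CSV from `tasklist /FO CSV`
on Windows (English locale: 'Mem Usage' values look like "3,512 K")."""
import csv
import io
import json
from collections import Counter, defaultdict


def _row(name, pid, mem_k):
    """Build one constructed tasklist CSV row."""
    return f'"{name}","{pid}","Console","1","{mem_k:,} K"'


HEADER = '"Image Name","PID","Session Name","Session#","Mem Usage"'

# Constructed baseline snapshot (not captured from the author's machine).
BASELINE = [_row("System", 4, 1024), _row("explorer.exe", 1200, 45120),
            _row("conhost.exe", 1300, 3512), _row("chrome.exe", 2000, 120000)]

# Constructed snapshot taken shortly after starting Chrome: a few more
# chrome.exe (normal) plus dozens of equally sized conhost.exe /
# sahookmain.exe instances, mirroring the behaviour described above.
INFECTED = BASELINE + [_row("chrome.exe", 2001 + i, 60000) for i in range(3)]
INFECTED += [_row("conhost.exe", 3000 + i, 3512) for i in range(47)]
INFECTED += [_row("sahookmain.exe", 4000 + i, 3900) for i in range(52)]

SNAPSHOT_BEFORE = "\n".join([HEADER] + BASELINE) + "\n"
SNAPSHOT_AFTER = "\n".join([HEADER] + INFECTED) + "\n"


def parse_tasklist_csv(text):
    """Return a list of (image name lower-cased, pid, memory in KB)."""
    procs = []
    for row in csv.DictReader(io.StringIO(text)):
        mem_kb = int(row["Mem Usage"].replace(",", "").replace(" K", ""))
        procs.append((row["Image Name"].lower(), int(row["PID"]), mem_kb))
    return procs


def count_by_name(procs):
    """Instance count and total resident memory (KB) per image name."""
    counts = Counter()
    mem = defaultdict(int)
    for name, _pid, kb in procs:
        counts[name] += 1
        mem[name] += kb
    return {name: (counts[name], mem[name]) for name in counts}


def flag_runaway(before_csv, after_csv, max_instances=10, max_growth=10,
                 allow=("chrome.exe",)):
    """Names that exceed max_instances in the later snapshot AND grew by
    more than max_growth instances since the earlier one. Browsers spawn
    one process per tab, so known multi-process images go in `allow`.
    Thresholds are assumed values; calibrate them against a clean machine."""
    before = count_by_name(parse_tasklist_csv(before_csv))
    after = count_by_name(parse_tasklist_csv(after_csv))
    flagged = {}
    for name, (count, mem_kb) in after.items():
        if name in allow:
            continue
        growth = count - before.get(name, (0, 0))[0]
        if count > max_instances and growth > max_growth:
            flagged[name] = {"count": count, "growth": growth,
                             "total_mb": round(mem_kb / 1024, 1)}
    return flagged


if __name__ == "__main__":
    # On a real machine: save `tasklist /FO CSV > before.csv`, start the
    # browser, wait a minute, save `tasklist /FO CSV > after.csv`, and pass
    # the two file contents here instead of the constructed snapshots.
    print(json.dumps(flag_runaway(SNAPSHOT_BEFORE, SNAPSHOT_AFTER), indent=2))
```

A single conhost.exe per open console window is normal, which is why the check keys on growth between snapshots rather than on a bare count; a name that is flagged here is a lead for inspecting the image path and signature, not proof of infection by itself.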
So my suspicion that my machine was infected was correct. I downloaded a lot of free spyware/malware removal tools like SpyHunter and SUPERAntiSpyware. SpyHunter was not free, and SUPERAntiSpyware was good, but I don't know whether it was really effective against what I had on my machine. It used to show all the tracking cookies and other simple malware. Then suddenly one day on my machine I saw this popup:
After the Attack
After that I was not able to use my mouse or keyboard; my machine froze and even the Task Manager was not responding. Basically it was showing that all my files had been encrypted and that I needed to pay some money to get the key for decrypting them. That's why it's called ransomware. The files were encrypted using RSA-4096. In the screenshot above I've hidden my personal ID. The way they want the money to be transferred is very interesting. There is a browser called the Tor browser which allows people to be anonymous; it works by relaying traffic through other active Tor nodes, so the source and destination are difficult to link. In the Tor browser we have to use sites called onion sites. In this case they wanted me to run the Tor browser and transfer the money there, so that nobody could catch them.