CryptoHasYou Ransomware

When CryptoHasYou Ransomware attacks your operating system, you might think that your Desktop was locked. In reality, this malicious infection uses a two-fold method to trick you into thinking that you cannot operate your Windows system in a regular manner. First, this ransomware kills the explorer.exe process which makes all your Desktop icons, as well as the taskbar at the bottom, disappear. Simultaneously, this threat changes your Desktop wallpaper to introduce you to the demands of its creators. These demands include contacting cyber criminals and paying a ransom, but more on that later in this report. As you might have realized, it is too later to stop this malicious infection once it is successfully executed; however, it is still important to remove CryptoHasYou Ransomware from your PC, and we can help you with that.

Although the malicious CryptoHasYou Ransomware is similar to Salam Ransomware, Petya Ransomware, and other well-known infections within this family, it has several distinctive features. First of all, not all threats are capable of terminating the explorer.exe process. Second, it was found that this ransomware uses the AES-256 bit encryption system. Third, it demands a ransom in dollars, which is unusual, considering that the latest threats analyzed in our internal lab requested ransoms to be paid in Bitcoins, which is a virtual currency. Although this type of method is more complicated for users, cyber criminals are capable of collecting money in a more inconspicuous manner. CryptoHasYou Ransomware demands a ransom of 300 USD, but it is likely that the sum will rise by 150 USD every three days, as suggested via the Desktop notification. Because a payment method is not provided, users are expected to contact locked@visitomail.com for further instructions.

It is possible to restore explorer.exe because you can launch Task Manager, and we show you how to do that in the removal instructions below. Once you restore this feature, you will be able to navigate your operating system and see which files were encrypted by CryptoHasYou Ransomware. This infection uses the “.enc” extension, which is the same extension that is employed by PadCrypt Ransomware, another malicious threat. This extension is merely a sign that your file is encrypted, and it has nothing to do with the encryption itself. You can even delete this extension, as nothing would change, unless you decide to pay the ransom, in which case, the decryption might not work if the extension is erased. Of course, this infection targets personal files, such as photos and text documents because they are the most valuable, and unless you have them backed up, you are more likely to pay a ransom for their “release.” Should you pay the ransom? Well, that is up to you, but we want to warn you that cyber criminals might take your money and disappear.

Unfortunately, your operating system might be infected with other threats. In most cases, CryptoHasYou Ransomware slithers into computers via spam emails that include fictitious invoices or other types of documents that you might open without thinking twice. All in all, whether this ransomware uses this or some other method to attack, it is possible that other infections have used the same security backdoor to slither into your computer. Therefore, right after you delete CryptoHasYou Ransomware from your operating system, you need to run a full scan to check if other threats are active. Needless to say, if you find malware, you need to do whatever it takes to eliminate it from your computer. If you decide to implement automated malware detection and removal software, you will not need to tackle all threats separately.

If CryptoHasYou Ransomware has attacked your operating system, your personal files are encrypted. In order to decrypt them, you need a decryption key that cyber criminals should provide you with if you pay the ransom requested. Unfortunately, there are no guarantees that your files would be decrypted, which is the main reason we recommend thinking carefully before jumping into anything. In any case, you must remove this ransomware from your operating system, and this task is not extremely complicated. The difficult part is identifying malicious files because they can have random names. Look for files that you might have downloaded from the spam emails yourself. Of course, first, you need to restore explorer.exe. If you have any issues with the removal process, please post your concerns in the comments box below.

CryptoHasYou Ransomware Removal

1. Launch Task Manager (simultaneously tap Ctrl+Shift+Esc or launch via Ctrl+Alt+Delete menu).
2. Click File (in the menu at the top) and select New Task/Run new task.
3. Enter explorer.exe into the dialog box and click OK. Exit the utility.
4. Launch Explorer by simultaneously tapping Win+E keys on the keyboard.
5. Enter %USERPROFILE%\downloads into the address bar.
6. Right-click and delete the malicious file (check for a random name/the file you have downloaded).
7. Now enter %TEMP% into the address bar and repeat step 6.
8. Run a full system scan to check for remaining infections.