{
	"id": "fa870750-f4fc-4c9c-a128-57e354391674",
	"created_at": "2026-04-06T00:18:51.829945Z",
	"updated_at": "2026-04-10T03:21:31.451952Z",
	"deleted_at": null,
	"sha1_hash": "76bc02ea2415e0e97e889db1ff15060e334f0f51",
	"title": "Manamecrypt – a ransomware that takes a different route",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 349471,
	"plain_text": "Manamecrypt – a ransomware that takes a different route\r\nBy Sabrina Berkenkopf\r\nPublished: 2016-08-12 · Archived: 2026-04-05 23:05:46 UTC\r\n04/11/2016\r\nReading time: 6 min (1640 words)\r\nHardly a week passes these days without a new family of ransomware making the headlines. This week our\r\nanalysts are taking apart Manamecrypt, also referred to as CryptoHost. Basically, Manamecrypt is a ransomware\r\nTrojan horse, but it differs from other ransomware families in a number of aspects. For instance, it not only\r\nencrypts files, but also prevents certain applications from running which have a specific pattern in their process\r\nname. Also, it uses an unconventional way of spreading which so far was not considered typical of ransomware.\r\nThe good news for victims is: the encryption of its current iteration can be cracked!\r\nInfection vector: the classic Trojan horse\r\nThe main aspect in which Manamecrypt is fundamentally different from other file-encrypting types of malware\r\nwe heard of in the past weeks is: the analyzed sample does not spread vial email attachment or via an exploit kit.\r\nInstead, it bundles with legitimate software and can therefore be classified as a classic Trojan horse. The bundle\r\nconsists of the genuine, working and properly signed µTorrent client with the malware component bundled “on\r\ntop”. 
\r\nBundle: c71c26bf894feb5dbedb2cf2477258f3edf3133a3c22c68ab378ba65ecf251d3\r\nG DATA detection: Gen:Variant.MSIL.Lynx.13\r\nDropped µTorrent Client: b7579ad8dfa57512a56e6ff62ae001560c00a4ebb9faa55086a67d30fbb1eea6\r\nG DATA detection: Win32.Application.OpenCandy.G\r\nhttps://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route\r\nPage 1 of 7\n\nDropped Ransomware: 4486a1aaa49d8671826ff4d0d5c543892e1a3f0019e7f041032531ff69839bc9\r\nG DATA detection: Trojan.GenericKD.3048538 \r\nInteresting fact: due to a coding error the µTorrent Client is saved as uTorrent.exeuTorrent.exe instead of its\r\noriginal name, uTorrent.exe. The client is also detected by G DATA’s solutions as\r\nWin32.Application.OpenCandy.G.\r\nWin32.Application.OpenCandy.G is a Potentially Unwanted Program (PUP). It is installed alongside legitimate\r\nfreeware such as PDF readers, archive programs, media players and other applications which are bundled with the\r\nsoftware. The software which is detected as Win32.Application.OpenCandy.G is developed by SweetLabs, a\r\ncompany based out of San Diego, CA, USA. This PUP changes the browser’s behavior by modifying its home\r\npage as well as search engine settings. Users are then redirected to potentially unwanted websites and it displays\r\npop-up notifications. The reason for those changes is the generation of profit through displaying advertisements.\r\nWhat Manamecrypt does on an infected PC\r\nThe malware has several functions: it encrypts the user’s files and it blocks certain programs on the PC. This type\r\nof behavior has been unheard of so far. \r\nThe encryption is also fundamentally different from the likes of Locky, Petya or Teslacrypt which made the rounds\r\nfor the past few weeks. Manamecrypt takes the data it wants to encrypt and copies it to a .RAR file (a type of\r\narchive file, similar to .ZIP), and encrypts this archive with a password. The original files are then deleted. 
The\r\nfollowing file types are encrypted:\r\n*.3g2 *.3gp *.7z *.asf *.avi *.doc *.docx *.flv *.gif *.jpeg *.jpg *.m4v *.mov *.mp4 *.mpeg *.mpg *.pdf\r\n*.png *.ppd *.pps *.ppt *.pptx *.psd *.qt *.rm *.tiff *.txt *.wmv *.wpd *.wps *.xlr *.xls *.xlsl *.zip\r\nManamecrypt shows its demands\r\nBesides encrypting the files, Manamecrypt prevents certain applications from running if they have certain strings\r\nin their process name. For instance, a frequently used analysis tool was shut down very quickly by the malware:\r\nThe word \"monitor\" in the process name triggers the malware's action\r\nIf the ransomware comes across a window which contains one of the following strings, it terminates the corresponding\r\nprocess immediately: \r\nad-aware, amazon, anti virus, anti-virus, antivirus, avg, avira, bitdefender, bullguard, comodo, debugger, dr.web, ebay, eset, f-secure, facebook, game, instagram, internet security, kaspersky, lol, mcafee, meetme, monitor, netflix, norton, obfuscator, origin, pinterest, registry, registry editor, rune, shop, sophos, steam, system configuration, system restore, task manager, trend micro, tumblr, twitter, vimeo, vipre, youtube\r\nTechnical details\r\nWhen executed, a new entry called “software” is added to the registry at\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. This enables the malware to run at boot-up. 
\r\nFurthermore, the following files are created:\r\n%APPDATA%\\cryptohost.exe (the actual ransomware binary, a copy of the sample)\r\n%APPDATA%\\processor.exe (WinRAR command line tool)\r\n%APPDATA%\\files (a list of the names of the encrypted files)\r\n%APPDATA%\\[Encrypted_RAR_with_generic_name]\r\nIn addition, the following key is written to the registry: “HKCU\\Software\\VB and VBA Program\r\nSettings\\software\\setting\\” - The amount of Bitcoin to be paid as well as the remaining time are stored in here. \r\nTo decrypt, processor.exe is called as follows: “processor X -o+ -pEncryptedRarArchiveNameUserName\r\nEncryptedRarArchiveName.rar C:\\Users\\UserName\\Desktop”.\r\nIt is possible to get your data back!\r\nIn its current implementation, the ransomware is actually susceptible to attacks. Victims can restore their data. The\r\npassword for the RAR file consists of the following components:\r\nSHA1Hash(Win32_processor.processorID + VolumeSerialNumber_Volume_C +\r\nWin32_BaseBoard.SerialNumber) + username\r\nResearchers at PCRisk.com reported that the password for RAR files created by their sample of Manamecrypt\r\nconsists of “the name of the .RAR file + computer name.” According to our results, it is a combination of the\r\n.RAR file’s name and the user name instead of the computer name. \r\nThe SHA1 hash is the name of the .RAR file. The user name can be determined as follows: press the Windows key + R;\r\nthen enter cmd and press Enter. In the newly opened command line window, enter echo %username% and press\r\nEnter again. The displayed string is the user name.\r\nExample: The .RAR file is called 123456789ABCDE and the Username is JDoe. 
The password therefore is\r\n123456789ABCDEJDoe\r\nIf the password is entered correctly, Manamecrypt releases the data.\r\nSummary\r\nRansomware remains one of the most visible threats of the past weeks. Manamecrypt/CryptoHost differs in\r\nsome aspects from malware which was observed before. The mode of propagation, encryption method and\r\nblocking of programs are the most prominent differences. Also, experts were able to provide a way of decrypting\r\nfiles in a very short time. Still, prevention is the method of choice in the battle against file-encrypting malware.\r\nThe following tips are a good foundation for an effective defense.\r\nHow to protect yourself – prevention is the key\r\nInfection with such an encryption Trojan is fatal for the afflicted users and companies and, in many cases,\r\ndecrypting the data without the appropriate key is extremely resource-intensive, even impossible. Looking at\r\nManamecrypt/CryptoHost, it is possible to decrypt the files of the current attacks.\r\nPaying the ransom is no guarantee that the data will be decrypted again by the attackers. An extortioner can\r\nsuddenly demand more money to release the data, or encrypt the data once again at a later date via a backdoor in\r\nthe system and demand money again – even when it at first appears that he has kept his promise and released the\r\ndata.\r\nIn the investigations to date, Manamecrypt is not conspicuously using such a backdoor, as other malware families\r\ndo.\r\nThe payment demanded is generally made via e-Payment systems that provide anonymised accounts and payment\r\nmethods - in the current case: Bitcoin. Hence, if the extortioner fails to do anything about the decryption despite\r\nthe payment being made, the money cannot be reclaimed or tracked. 
So making a payment implies risk in all sorts\r\nof ways.\r\nConsequently, it is particularly important that preventive steps are taken against this type of malware, and that a\r\ncomprehensive security concept is in place.\r\nUse a comprehensive security solution\r\nGet a comprehensive solution that includes not just a virus scanner but also proactive technologies for fending off\r\npreviously unknown threats. Obviously the protective software should also monitor the email inbox. Always keep\r\nthe security solution installed on the computer fully up-to-date. \r\nDownload software from the producer's website\r\nIn this current case, the ransomware component was bundled with a legitimate program - a classic Trojan horse.\r\nOur advice: download needed/wanted software from the producer's website only or from trusted download portals.\r\nWhere possible, do not download it from third-party sites.\r\nCreate backups\r\nRegular backups ensure that you are less dependent on the data on the computer. This is not only advantageous in\r\nthe event of a malware infection, but also if the system suffers a technical failure. Store the backups offline, i.e.\r\nseparate from the computer being used. Some ransomware tracks down and encrypts data stored on network\r\ndrives, attached USB sticks, connected external hard drives and in the Cloud.\r\nCarry out updates\r\nSoftware programs contain both small and major bugs that are found and removed over time. Once the developers\r\nhave improved (\"patched\") the program, they expect end users to update the product. 
Malware – including\r\nransomware – can be smuggled onto computers via unclosed vulnerabilities.\r\nEnd users should regularly look out for updates or patches and, where available, install them immediately.\r\nSoftware and operating systems frequently offer automated availability checks for updates, making it easier for the\r\nuser to stay up to date. In the business world, this is referred to as patch management. The list of software to be updated\r\nincludes both installed programs and the operating system and, above all, the browser and all available plug-ins\r\nused in conjunction with the browser. \r\nCheck email attachments before opening them\r\nAs is seen with e.g. Locky or Teslacrypt, emails act as a gateway for this type of malware. Therefore attachments\r\nfrom unknown sources should never be opened without thinking – especially not if they are executable files.\r\nThese days, many email services will block the sending and receipt of executable files; therefore the attackers use\r\nindirect means, by making the addressees click on a link or by packing the files into archives, as in this case.\r\nBy all means, resist the urge to satisfy your curiosity, even if you appear to have received an overdue notice or\r\nindeed a copy of the salary scale. Regard attachments from internal staff with a critical eye as well. Senders'\r\nnames can be faked.\r\nIf you know the sender or at least have contact details for him/her, use a second channel (e.g. telephone) to ask if\r\nthe email has actually come from that person before opening the attachment.\r\nDisable the automatic execution of macros\r\nThe execution of macros is disabled by default in modern Microsoft Office products, for security reasons. Check\r\nthe current settings for the product you are using and adjust them if necessary. 
Microsoft also advises to\r\ndisable macros.\r\nSource: https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route"
	],
	"report_names": [
		"28234-manamecrypt-a-ransomware-that-takes-a-different-route"
	],
	"threat_actors": [],
	"ts_created_at": 1775434731,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/76bc02ea2415e0e97e889db1ff15060e334f0f51.pdf",
		"text": "https://archive.orkl.eu/76bc02ea2415e0e97e889db1ff15060e334f0f51.txt",
		"img": "https://archive.orkl.eu/76bc02ea2415e0e97e889db1ff15060e334f0f51.jpg"
	}
}