Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


KeyBTC, a simple yet effective encrypting ransomware

  • Please log in to reply
2 replies to this topic

#1 Grinler


    Lawrence Abrams

  • Admin
  • 43,714 posts
  • Gender:Male
  • Location:USA
  • Local time:09:48 PM

Posted 20 November 2014 - 09:42 AM

KeyBTC, a simple yet effective encrypting ransomware

Where current ransomware typically acts like a business with their own dedicated customer support web site, KeyBTC instead uses a collection of free or open source software to encrypt the infected computer's data and e-mail to communicate with the victim. Previous variants of this infection were targeting Russian speaking countries, but over the last week it has started to target other regions and has changed its ransom note from Russian to English. Once a computer has been infected and its data is encrypted, the only way to recover the files is to pay a ransom to the malware developer who will then send the computer's decryption key.

Read.txt Ransomware Instructions

This ransomware is distributed via SPAM emails that pretend to be shipment or postal notifications. Attached to the emails are ZIP files containing what appear to be Word documents, but are rather Javascript files. When you double-click on the file it will download a variety of files, create a unique encryption key that is stored on the computer, and then use that key to encrypt the computer's data with PGP/RSA encryption. Any data that is encrypted will have its extension changed to .keybtc@inbox_com. The ransomware will then encrypt the computer's encryption keys with a master key only known to the developer, so that the user is unable to decrypt their files.

How files will appear after being encrypted

The encrypted file containing the computer's decryption keys and other assorted information are then stored in the files called File1.bin and File2.bin on the Windows desktop. The ransomware will now display the Read.txt screen shown above, which contains instructions on sending an email to keybtc@inbox_com to find out the ransom amount. These same instructions also tell you to send them File1.bin, File2.bin, and an encrypted file attached to this email. The malware developer can then use their master decryption key to recover the computer's encryption keys from File1.bin and then send back the decrypted copy of the file you sent to prove they can do so.

What makes this ransomware so brilliant is that the malware developer never needs to store the decryptions keys generated on each infected computer. Instead these decryption keys are stored in an encrypted file that stays on the computer. Now the developer only needs to save one master decryption key that only they possess. This master decryption key can then be used to decrypt the computer's encrypted key file once the ransom is paid, which can then be used to decrypt the computer's files.

What makes this ransomware so dangerous is that it is extremely portable and does not have a Command & Control server for the authorities to seize. The developer only has to know one key that can be stored on a USB key and carried around with them. They also can decrypt an infected computer's encryption key file from any computer and send it via email. That means it’s very hard for the authorities to track them and seizing a server used by the developer won't provide any decryption keys for the infected users.

Unfortunately there is currently no way to restore the encrypted files unless they have a backup. This is because the ransomware securely deletes the original files and clears all of the computer's shadow volume copies. Therefore, if you plan on paying the ransom or hope that one day the authorities will retrieve the master decryption key, it is important for you to save the File1.bin and File2.bin files found on the Windows desktop. The File1.bin file contains the computer's encrypted key file and the File2.bin contains other assorted information that may be useful later.

Finally, to prevent installation you can use Symantec's NoScript tool. NoScript.exe will disable the Windows scripting host on the computer so that you are unable to launch JS files like the ones this ransomware uses. This could cause interference with normal programs, so you can always revert the changes with the same tool if necessary.

Symantec's NoScript Tool

As always, since this program operates out of the %Temp% folder, using a tool like CryptoPrevent will also make it so the ransomware cannot be run. We have a special deal on CryptoPrevent here for BC users: 30% off CryptoPrevent and dMaintenance Home Edition from Foolish IT

Advanced Technical Information

This infection is spread through emails that pretend to be shipment or postal notifications that contain zip file attachments. These zip files contain what appear to be a Word document, but are actually JavaScript (.JS) files that are named similarly to Postal_Notification__0000863254.doc.js. When a user double-clicks on the JS file, it will start to download the files required to encrypt the infected computer's data. Instead of the malware developer creating their own program to encrypt the user's data, KeyBTC instead relies on a collection of programs and scripts bundled together into a ransomware kit. The programs that are downloaded as part of this kit are:
  • The open source GnuPG program, which is used to encrypt the user's files with PGP/RSA encryption.
  • SDelete from Microsoft to delete the user's original files in a way that makes them unrecoverable.
  • A Windows command script that executes the commands that encrypt the user's data and leave the ransom note.
  • A Ad Clicker Trojan that constantly clicks on ads in the background.
Once all of the files are downloaded, KeyBTC will execute GnuPG and create a unique encryption and decryption key for the infected computer. These keys are saved in a file called %Temp%\secring.gpg on the user's computer and are not uploaded to the malware developer. The infection will then start encrypting any data files that have a *.mdb , *.pdf , *.rtf , *.accdb , *.slddrw , *.zip , *.rar , *.max , *.jpg , *.xls , *.xlsx , *.doc , *.docx , *.cdr , *.dwg , *.1cd , or *.cd extensions using the encryption key it previously made. When encrypting the files an encrypted copy will be made and then SDelete is used to securely delete the originals. Any files that are encrypted will have their extension changed to .keybtc@inbox_com. It will also clear the Shadow Volume Copies so you are unable to restore the computer's files via Shadow Explorer.

When it has finished encrypting any data files, the script will then encrypt the secring.gpg file that contains the computer's unique encryption and decryption key. These files will be encrypted with a developer’s master public key that is the same for every infected computer and known only by the developer. This makes it so the user cannot decrypt their files using the decryption key stored in the b]secring.gpg[/b] file. It will then create the File1.bin and File2.bin files that contain a list of the encrypted files, the computer's encrypted decryption key, the date they were encrypted, the computer name, and other information and then encrypt these two files with the same master public key.

Master Public Encryption key only known by malware developer

Finally, the ransomware will display the READ.TXT file from the Windows desktop, which contains instructions on sending an email to keybtc@inbox.com to find out the ransom payment amount and how to make the payment. A screenshot of the READ.TXT file can be seen above. The instructions also state that you need to send the File1.bin (computer's encrypted key file), File2.bin (contains assorted information), and an encrypted file as attachments in the email. The developer will then use their master decryption key to decrypt the computer's secure.gpg file in order to send you back a decrypted copy of the file you sent. This is to prove that they are able to do so.

Once you pay the ransom, the developer will send back the decrypted secure.gpg file and instructions on how to use it to decrypt the computer's files.

Files associated with CoinVault:


Registry entries associated with CoinVault:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinHelp	%Temp%\READ.TXT

BC AdBot (Login to Remove)


#2 SuperLDClark


  • Members
  • 3 posts
  • Local time:09:48 PM

Posted 20 November 2014 - 09:27 PM

These ransomware viruses have really gotten out of control.  I am assisting a client that was hit with Cryptowall 2.0 almost a month ago to recover their data.  This is ridiculous.

#3 rarson


  • Members
  • 45 posts
  • Gender:Male
  • Local time:10:48 PM

Posted 21 November 2014 - 10:20 AM

While I'm constantly baffled by people who open random email attachments or click on links in emails that are obviously written in broken English, I will say that Microsoft deciding to hide file extensions within the operating system by default is one of the dumbest things they've ever decided to do. I'm not sure why Microsoft thinks that hiding information from the user is a good idea, but many of default settings on most of their operating systems do exactly this, which only fosters a culture of technologically illiterate computer users.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users