
KeyHolder Ransomware, is this new?


42 replies to this topic

#1 TheBladeRoden

  • Members
  • 30 posts

Posted 09 December 2014 - 01:23 PM

[attached image: YVLabD0.gif]

 

It went through My Documents and partially or completely encrypted half the files but left the file name. In each folder it affected it left a how_decrypt.gif and howdecrypt.html. I tried cleaning it with Anti-Malware and then attempted a System restore. But upon rebooting Windows said system restore failed because one file could not be restored, but then all System Restore Points and Previous Versions for files were gone :( .

 

It seems similar to Cryptowall, but searching for anything called KeyHolder gets no results.





#2 marinmarais

  • Members
  • 2 posts

Posted 09 December 2014 - 01:47 PM

Me too! Keyholder. It gives me an error when trying to access explorer.exe, I'm desperate.

#3 Grinler

    Lawrence Abrams

  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 09 December 2014 - 01:58 PM

Do you know how you were infected? Did you open any files or open attachments from an email? Can you submit copies of the how_decrypt.gif, howdecrypt.html, and any other samples to http://www.bleepingcomputer.com/submit-malware.php?channel=3

Thanks

#4 julza

  • Members
  • 3 posts

Posted 09 December 2014 - 06:01 PM

Hi guys,

 

I also experienced this with a user at our company. I have submitted a copy of both attachments to the link provided. Let me know if you need more info before I blow this PC away and reimage it.

 

Cheers

 

Julian



#5 TheBladeRoden

  • Topic Starter
  • Members
  • 30 posts

Posted 09 December 2014 - 06:42 PM

I sent in the how_decrypt gif and html and a sampling of encrypted files. Interestingly (maybe), for some reason the .txt files are totally Chinese in regular Notepad but mostly readable in Notepad++.



#6 Grinler

    Lawrence Abrams

  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 09 December 2014 - 08:18 PM

Any chance you have the emails that infected you with this? Really need to take a look at the sample.

Thanks

#7 julza

  • Members
  • 3 posts

Posted 09 December 2014 - 08:29 PM

I was unable to locate such an email in the user's corporate email; they probably opened the link from their personal email (Hotmail).

 

Unfortunately the user was having an unrelated issue with Internet Explorer and a helpdesk team member directed them to clear their browser history, so I couldn't even look there!

 

The user did have a very old version of Java installed, which is where I believe the infection has come from (exploit). Java was 6u31.



#8 wizardfromoz

  • Banned
  • 2,799 posts
  • Gender:Male

Posted 10 December 2014 - 03:44 AM

Don't know if this helps or hinders, as I am new to this ransomware (working under an [almost] totally Linux environment), but this article, only five days old, may assist?

 

This, simply, from Googling "keyholder crypto"

 

Interesting was the reference to MYOB if that is any help.

 

Good luck, folks

 

:wizardball: Wizard



#9 Tommasone

  • Members
  • 1 post

Posted 10 December 2014 - 03:46 AM

Yesterday I got the same infection on a PC in my company.

User says he didn't receive strange emails and didn't open strange links or attached files.

I don't know how he got infected, and I would like to know in order to stop similar infections on other PCs.

 

I noticed that the virus first started encrypting a network shared folder in which the user was working.

Major damage was done to this folder, less to the infected PC.

 

I think I can give you a copy of a file before and after the infection, if necessary.

Let me know.



#10 TheBladeRoden

  • Topic Starter
  • Members
  • 30 posts

Posted 10 December 2014 - 03:54 AM

Welp it went through my external HDD too. That's gonna leave a mark.


Edited by TheBladeRoden, 10 December 2014 - 03:55 AM.


#11 Grinler

    Lawrence Abrams

  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 10 December 2014 - 05:48 PM

Still looking for installer. Hang in there!

#12 TheBladeRoden

  • Topic Starter
  • Members
  • 30 posts

Posted 11 December 2014 - 08:21 AM

My latest submission includes some supposed Adobe Flash installers that got flagged. Hope maybe they are the droids we're looking for.



#13 SaiTech

  • Members
  • 5 posts

Posted 11 December 2014 - 02:33 PM

Hi,

 

We got "keyholder" today; we do have an updated SCEP and Checkpoint IPS, but we did not get any alert.


Edited by SaiTech, 11 December 2014 - 02:39 PM.


#14 Grinler

    Lawrence Abrams

  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 11 December 2014 - 02:41 PM

We are pretty sure we know what this infection is and who the developers are. We do, though, need an installer or decrypter if you have one. If you do please submit to http://www.bleepingcomputer.com/submit-malware.php?channel=3

I can tell you that for the previous variant from these developers it was incredibly hard to find an installer.

It is my opinion that this infection is being installed by the attackers hacking remote desktop machines and manually installing the infection. If you were affected, please check your Windows event logs and see if you see any failed logins recently in Terminal Services.

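One way to run the event-log check suggested in the post above, as an added example that is not part of this thread and not code from BleepingComputer: a PowerShell script, run from an elevated prompt on the affected Windows machine, that pulls failed logon events (Security log, event ID 4625) and successful remote-interactive logons (event ID 4624 with logon type 10) from a look-back window, extracts the account, logon type and source address from each event, and summarises them by source address. The 14-day window, the `$since` variable and the `ConvertTo-LogonRecord` helper name are assumptions chosen for this example.

```powershell
# Added example, not from the thread: surface failed logons and successful RDP
# logons from the Windows Security log. Run from an elevated PowerShell prompt.
# Assumptions: a 14-day look-back window; event IDs 4625 (failed logon), 4624
# (successful logon) and 1102 (audit log cleared) are the standard Security-log IDs.
$since = (Get-Date).AddDays(-14)

# Turn one Security event into a flat object with the EventData fields we care about.
function ConvertTo-LogonRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        EventId   = $Event.Id
        User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType = [int]$data['LogonType']   # 10 = RemoteInteractive (RDP), 3 = network, 2 = console
        SourceIP  = $data['IpAddress']
        Status    = $data['Status']           # NTSTATUS code on 4625, e.g. 0xC000006A = bad password
    }
}

# 1. Failed logons (4625). With Network Level Authentication enabled, a failed RDP
#    attempt is usually recorded as LogonType 3 rather than 10, so group every failure
#    by source address instead of filtering on type 10 alone.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-LogonRecord $_ }

"Failed logons since $since, grouped by source address:"
$failed | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'SourceIP'; e = { $_.Name } },
                  @{ n = 'Users';    e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# 2. Successful remote-interactive logons (4624 with LogonType 10): an account that got
#    in over RDP from an address you do not recognise is the finding that matters most.
$rdpSuccess = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-LogonRecord $_ } |
    Where-Object { $_.LogonType -eq 10 }

"Successful RDP logons since ${since}:"
$rdpSuccess | Sort-Object Time | Select-Object Time, User, SourceIP | Format-Table -AutoSize

# 3. If the Security log looks empty for the period, check whether it was cleared (1102).
"Audit-log-cleared events since ${since}:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -AutoSize
```

Logon auditing must have been enabled for these events to exist at all; on a machine where the Security log has wrapped or was cleared, the absence of 4625 events proves nothing, which is why the script also reports event 1102. A long run of failures from one external address followed by a 4624 type-10 success from that same address is the pattern that supports the remote-desktop hypothesis in the post above.
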
#15 Grinler

    Lawrence Abrams

  • Admin
  • 43,593 posts
  • Gender:Male
  • Location:USA

Posted 11 December 2014 - 02:42 PM

Also there are a lot of sites offering scammy Keyholder removal guides. Ignore them. They are just trying to sell you something.



