Once KEYHolder is installed on a computer, it scans all of the drive letters on that computer and encrypts any data files it finds on them. When it has finished encrypting your data files, it clears all Shadow Volume Copies on the affected computer so that you cannot restore your files via System Restore or with a program like Shadow Explorer.
KEYHolder will also create the HOW_DECRYPT.gif and HOW_DECRYPT.html files, shown at the bottom of this post, in each folder where files were encrypted. These files contain information on how to access the ransom payment site.
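To scope an infection from the artefacts described above, here is an added triage script (mine, not from the post or the malware) that walks one or more roots and reports every folder containing a HOW_DECRYPT note together with the other files that sat beside it; the sample folder tree it builds is constructed for the demo, not real infection data.

```python
"""Added triage helper (not from the post): map which folders hold KEYHolder ransom notes."""
import os
import tempfile
from pathlib import Path

# The post says KEYHolder drops these two files in every folder it encrypts.
RANSOM_NOTE_NAMES = {"how_decrypt.gif", "how_decrypt.html"}


def find_affected_folders(*roots):
    """Walk each root and return {folder: [other files]} for folders holding a note.

    The file list excludes the notes themselves, so it approximates which files in
    that folder the ransomware touched. Names are matched case-insensitively, since
    the post spells the image both HOW_DECRYPT.gif and How_Decrypt.gif.
    """
    affected = {}
    for root in roots:
        for dirpath, _dirs, filenames in os.walk(root):
            if {n.lower() for n in filenames} & RANSOM_NOTE_NAMES:
                others = sorted(n for n in filenames if n.lower() not in RANSOM_NOTE_NAMES)
                affected[str(Path(dirpath))] = others
    return affected


def summarize(affected):
    """Return (affected folder count, total non-note file count) for a scan result."""
    return len(affected), sum(len(files) for files in affected.values())


def build_sample_tree():
    """Constructed sample layout (not real infection data) to exercise the scanner."""
    base = Path(tempfile.mkdtemp(prefix="keyholder_demo_"))
    layout = {
        "Documents": ["report.docx", "HOW_DECRYPT.gif", "HOW_DECRYPT.html"],
        "Documents/Photos": ["holiday.jpg", "cat.png", "How_Decrypt.gif", "How_Decrypt.html"],
        "Windows": ["notepad.exe"],  # untouched folder: no note present
    }
    for folder, names in layout.items():
        (base / folder).mkdir(parents=True, exist_ok=True)
        for name in names:
            (base / folder / name).write_bytes(b"placeholder")
    return base


def demo():
    """Scan the constructed tree; keys are reported relative to its root, POSIX style."""
    base = build_sample_tree()
    affected = find_affected_folders(base)
    return {Path(k).relative_to(base).as_posix(): v for k, v in affected.items()}


if __name__ == "__main__":
    result = demo()
    folders, files = summarize(result)
    print(f"{folders} affected folders, {files} candidate encrypted files")
    for folder, names in result.items():
        print(f"  {folder}: {names}")
```

On a live machine, pass each drive letter root (for example `C:\\`) to `find_affected_folders` instead of the sample tree.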
The text of the How_Decrypt.gif image is:
YOUR PERSONAL FILES ARE ENCRYPTED
All files including videos, photos and documents on your computer are encrypted.
File Decryption costs ~$500
In order to decrypt the files, you need to perform the following steps:
1. Your should download and install this browser http://www.torproject.org/torbrowser.html.en
2. After installation, run the browser and enter the address: mwyigd4n52mkbyhe.onion
3. Follow the instructions on the web-site.
We remind that you that the sooner you do, the more chances are left to recover the files.
Guaranteed recovery is provided within 10 days.
When you go to the KEYHolder website, you will be shown the current ransom amount, instructions on how to make a payment, and the bitcoin address to which you should send the payment. This page also contains a field where you can submit the transaction ID for your ransom payment. Once the payment is verified, you will be able to download the decrypter. A screenshot of the KEYHolder website can be seen below.
[Screenshot: KEYHolder User Cabinet Site]
As more information about this infection becomes known, we will update this post. Please feel free to provide any info you may have in this topic. If you have any samples of the actual infection, please submit them to http://www.bleepingcomputer.com/submit-malware.php?channel=3.