
KEYHolder Ransomware Support and Help Topic - HOW_DECRYPT.gif/HOW_DECRYPT.html

511 replies to this topic

#1 Grinler (Lawrence Abrams)

  • Admin
  • 42,868 posts
  • Gender:Male
  • Location:USA

Posted 11 December 2014 - 04:09 PM

There is a new ransomware called KEYHolder that encrypts your data with Cipher FeedBack XOR encryption and then requests a ransom of 1.5 bitcoins to get a decrypter. At this time it is unknown as to how a computer becomes infected with KEYHolder, but it is felt that the malware group may be hacking into remote desktop or terminal services and manually installing the infection.

Once KEYHolder is installed on a computer it will scan all of the drive letters on the computer and encrypt any data files that are found on it. When it has finished encrypting your data files it will clear all Shadow Volume Copies on the affected computer so that you are unable to restore your files via System Restore or using a program like Shadow Explorer.

KEYHolder will also create the HOW_DECRYPT.gif and HOW_DECRYPT.html files, shown at the bottom of this post, in each folder in which files were encrypted. These files contain information on how to access the ransom payment site.

[Screenshot: HOW_DECRYPT.HTML]

The text of the How_Decrypt.gif image is:
 

KEYHolder
YOUR PERSONAL FILES ARE ENCRYPTED


All files including videos, photos and documents on your computer are encrypted.
File Decryption costs ~$500
In order to decrypt the files, you need to perform the following steps:

1. Your should download and install this browser http://www.torproject.org/torbrowser.html.en

2. After installation, run the browser and enter the address: mwyigd4n52mkbyhe.onion

3. Follow the instructions on the web-site.

We remind that you that the sooner you do, the more chances are left to recover the files.

Guaranteed recovery is provided within 10 days.


[Screenshot: HOW_DECRYPT.GIF]


When you go to the KEYHolder website, you will be shown the current ransom amount, instructions on how to make a payment, and the bitcoin address you should send a payment to. This page will also contain a field where you can submit the transaction ID for your ransom payment. When the payment becomes verified you will be able to download the decrypter. A screen shot of the KEYHolder web site can be seen below.

[Screenshot: KEYHolder User Cabinet site]


As more information about this infection becomes known, we will update this post. Please feel free to provide any info you may have in this topic. If you have any samples of the actual infection, please submit them to http://www.bleepingcomputer.com/submit-malware.php?channel=3.
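As an added defender-side triage script (not from this thread or from BleepingComputer), using the ransom-note filenames and the behaviour described in the post above; it assumes an elevated PowerShell prompt on the affected machine, or on a machine with the evidence drive mounted:

```powershell
# Added triage example: locate KEYHolder ransom notes, check for surviving
# shadow copies, and list Startup-folder scripts. Run in an elevated PowerShell
# prompt on the affected machine (or against a mounted evidence drive).
$noteNames = @('HOW_DECRYPT.html', 'HOW_DECRYPT.gif')

# 1. KEYHolder drops a note in every folder it encrypted, so the set of folders
#    holding a note approximates the scope of the damage.
$roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -like '?:\' }
$affected = foreach ($drive in $roots) {
    Get-ChildItem -Path $drive.Root -Recurse -Force -Include $noteNames -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DirectoryName
}
$affected = $affected | Sort-Object -Unique
Write-Host ("Folders containing a ransom note: {0}" -f @($affected).Count)
$affected | Select-Object -First 20

# 2. The malware clears Shadow Volume Copies; if vssadmin still lists any,
#    Previous Versions / Shadow Explorer may recover files without paying.
$shadows = & vssadmin.exe list shadows 2>&1
if (($shadows | Out-String) -match 'No items found') {
    Write-Host 'No shadow copies present (consistent with the wipe described above).'
} else {
    Write-Host 'Shadow copies still exist; image the disk, then try restoring from them:'
    $shadows | Select-String -Pattern 'Original Volume|Shadow Copy Volume'
}

# 3. Persistence check: a later post in this thread found a run.vbs in Startup.
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path (Join-Path $dir '*') -Force -Include '*.vbs','*.lnk','*.com','*.exe' -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime, Length
}
```

Anything the script lists under step 3 should be copied off and submitted with the sample, not deleted, since the topic starter asks for the dropped files to analyse the infection.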


#2 Nathan (DecrypterFixer)

  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 12 December 2014 - 01:16 AM

Keyholder victims,
 
If you are considering paying the ransom to get your files back, please email me at decryptorbit@outlook.com first before paying the ransom to discuss other options and help first.
It sucks that this has happened, and it can always be a difficult time when dealing with these kinds of infections.
 
Thanks.
Have you performed a routine backup today?

#3 CorneliousJD

  • Members
  • 10 posts

Posted 12 December 2014 - 05:21 PM

Has anyone had any luck getting files back by paying the ransom? Unfortunately a client has gotten hit with this and they have a ton of data that is affected. They were in the middle of an initial seed backup to send to a cloud provider with all of their data when this happened, so latest actual local backup is 3 weeks old... 



#4 CorneliousJD

  • Members
  • 10 posts

Posted 12 December 2014 - 08:01 PM

I did purchase the ransom; they provided the decryptor EXE file, but it showed up as a virus according to ESET:

Variant of Win32/TrojanDownloader.Nymaiam.AB trojan

I copied it to a virtual machine, along with a test encrypted file from the infected system.

I ran a full ESET Endpoint Anti-Virus scan with definition/database 10870 (latest at this time). Found no infections on a full system scan after running and removing the decryption tool.

It actually decrypted the file in question too.



#5 slice092

  • Members
  • 3 posts

Posted 13 December 2014 - 12:37 PM

I got infected with this while I was asleep. Should I pay?
But is it not strange that the cryptoware is copying my .dat files to every folder that is encrypted?
They have raised the amount from 1.5 to 2.
Can somebody advise what to do?


Edited by slice092, 13 December 2014 - 01:31 PM.


#6 Geigs

  • Members
  • 3 posts

Posted 13 December 2014 - 03:55 PM

CorneliousJD,

Can you send me the decryptor EXE file you purchased, or post it here so I can try it? I am also infected.



#7 Nathan (DecrypterFixer)

  • Security Colleague
  • 1,617 posts
  • Gender:Male
  • Location:Florida

Posted 13 December 2014 - 04:13 PM

Using another victim's decrypter will NOT help you decrypt your files. It will only bring the possibility of corrupting your files, and if that happens they're gone forever.

I have already looked into the decrypter, and it's simply v3 of CryptorBit, which uses a XOR table and unique key. But it's not the simple XOR you think.


Have you performed a routine backup today?

#8 Geigs

  • Members
  • 3 posts

Posted 13 December 2014 - 04:34 PM

Ok, thanks for that info Nathan.

So is there a solution to decrypt the files yet?

Would file recovery software work in recovering the originals that were deleted?

I have removed my infected hard drive and plugged it into another computer, did a virus scan and found 3 infected files in the User folder, not sure if they are a result of this malware or not:

Detected: UDS:DangerousObject.Multi.Generic
Users\Mobile Editor\AppData\Local\Imsoft\wmdrEventTrust64.dll

Detected: UDS:DangerousObject.Multi.Generic
Users\Mobile Editor\AppData\Local\Ektion\Kctlagen3xx.dll

Detected: HEUR:Trojan.Win32.Generic
Users\Mobile Editor\AppData\Local\ornetdi.dll



#9 CorneliousJD

  • Members
  • 10 posts

Posted 13 December 2014 - 08:57 PM

Geigs, if you have backups, that's your best bet. If not, try shadow copies (I didn't have any available; it seems like the virus portion disabled that), and then try file recovery software. GetDataBack is one I've used in the past. This particular user had TBs of data affected, and we were in the middle of doing an initial seed of data up to a cloud backup provider, so no known good backups were available that were 100% full, so our option was to purchase the ransom unfortunately. I hated giving money to crooks, but we DID get the decryption tools about 6+ hours after the 1.50 BTC payment.



#10 Geigs

  • Members
  • 3 posts

Posted 13 December 2014 - 11:49 PM

Ok, I was able to use Shadow Explorer to recover files on my C drive. I also had another partition that this malware started to encrypt, but system protection was turned off and I was unable to restore any of the infected files. Fortunately the infected files were not that important.

I was fortunate it was not worse. I am wiping my Windows partition and doing a clean install of Windows because my user files and AppData are infected.

Thanks Cornelious JD.

I hope there is a fix to decrypt infected files for other victims unable to restore their originals.



#11 slice092

  • Members
  • 3 posts

Posted 14 December 2014 - 05:11 AM

Found a run.vbs in startup with this code:

    Set WshShell = WScript.CreateObject("WScript.Shell")
    WshShell.Run "WYFNgjk.com hdAPzfjRiwK.YLH"

The process was called start.ink.
I sent a sample of it.

Edited by slice092, 14 December 2014 - 05:54 AM.


#12 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 42,868 posts
  • Gender:Male
  • Location:USA

Posted 14 December 2014 - 10:38 AM

That may be part of it, but without the WYFNgjk.com and probably hdAPzfjRiwK.YLH files, there is not much to do with that.

Thanks

#13 slice092

  • Members
  • 3 posts

Posted 14 December 2014 - 11:01 AM

Got a folder named appcrash_WYFNgjk.com with a file report.wer in it.



#14 Murphy23x

  • Members
  • 1 posts

Posted 15 December 2014 - 04:12 AM

One of my customers was infected 12-12 with this malware.

I managed to extract some files that seem malicious to me; I will submit them asap.

Right now I'm restoring from backup.



#15 TheBladeRoden

  • Members
  • 30 posts

Posted 15 December 2014 - 06:01 AM

I keep getting popups every couple of minutes of "conhost.exe - This application could not be started", though I'm not sure how to tell what exactly is trying to start the process.
