When KEYHolder is installed, it scans the computer's drives for data files and encrypts them. Once it is done, it wipes all the restore points and shadow volume copies on the computer so that the victim is unable to use them to restore the original data. KEYHolder also places HOW_DECRYPT.gif and HOW_DECRYPT.HTML ransom notes in every folder in which it encrypts a file.
The ransom notes contain information on how to access the malware's TOR site, which shows the current ransom amount and the bitcoin address that the ransom should be sent to, and provides the ability to check if the payment has been received.
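As an added example (not part of the original article), the following Python sweep shows how a responder could use the two ransom-note names above to scope which folders were hit. The function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile

# File names taken from the article; compared case-insensitively because
# Windows file systems are case-insensitive.
NOTE_NAMES = {"how_decrypt.gif", "how_decrypt.html"}


def find_affected_folders(root):
    """Walk `root` and return {folder: {"notes": [...], "other_files": n}}
    for every folder holding at least one KEYHolder ransom note."""
    affected = {}

    def on_error(err):
        # Unreadable folders are skipped rather than aborting the sweep.
        print(f"skipped {err.filename}: {err.strerror}")

    for folder, _dirs, files in os.walk(root, onerror=on_error):
        notes = sorted(f for f in files if f.lower() in NOTE_NAMES)
        if notes:
            affected[folder] = {
                "notes": notes,
                # Remaining files are candidates for encrypted data.
                "other_files": len(files) - len(notes),
            }
    return affected


def build_sample_tree(base):
    """Constructed sample data: two 'hit' folders and one clean folder."""
    layout = {
        "docs": ["HOW_DECRYPT.gif", "HOW_DECRYPT.HTML", "report.doc"],
        "docs/old": ["how_decrypt.html", "a.xls", "b.xls"],
        "music": ["song.mp3"],
    }
    for rel, names in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(path, exist_ok=True)
        for name in names:
            with open(os.path.join(path, name), "w") as fh:
                fh.write("sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, info in sorted(find_affected_folders(tmp).items()):
            print(folder, info["notes"], info["other_files"])
```

The per-folder count of remaining files gives a rough measure of how much data in each affected folder needs to be restored from backup.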
KEYHolder User Cabinet Site
Currently KEYHolder uses a set of bitcoin addresses and assigns them randomly to various victims. The list of known bitcoin addresses used by KEYHolder is:
We have a dedicated support topic set up for people to receive help and get more information about KEYHolder. I suggest all affected or interested visitors subscribe to this topic to get notifications as new posts are made. This topic can be found here: