
New KEYHolder ransomware brought to you by the same developers of CryptorBit

23 replies to this topic

#1 Grinler (Lawrence Abrams)

  • Admin
  • 43,271 posts
  • Gender: Male
  • Location: USA

Posted 11 December 2014 - 05:41 PM

A new ransomware has been released called KEYHolder that is from the same developers as CryptorBit. Like CryptorBit, this infection encrypts your data files and then demands a ransom of 1.5 bitcoins to get a decryptor for your files. Unfortunately we have not been able to find an installer for this infection, so it is currently unknown how this ransomware infects a computer. The current theory is that the group behind KEYHolder is manually hacking remote desktop and terminal service computers and installing the infection. As we learn more, we will update this topic.

When KEYHolder is installed it will scan the computer's drives for data files and encrypt them. Once it is done, it will wipe all the restore points and shadow volume copies on the computer so that the victim is unable to use them to restore the original data. KEYHolder will also place HOW_DECRYPT.gif and HOW_DECRYPT.HTML ransom notes in every folder in which it encrypts a file.

[Image: HOW_DECRYPT.GIF ransom note]


The ransom notes contain information on how to access the malware's TOR site, which contains information on the current ransom amount, the bitcoin address that the ransom should be sent to, and the ability to check if the payment has been received.

[Image: KEYHolder User Cabinet Site]


Currently KEYHolder uses a set of bitcoin addresses and assigns them randomly to various victims. The list of known bitcoin addresses used by KEYHolder is:



We have a dedicated support topic setup for people to receive help and get more information about KEYHolder. I suggest all affected or interested visitors subscribe to this topic to get notifications as new posts are made. This topic can be found here:

KEYHolder Support and Discussion Topic




#2 Nathan (DecrypterFixer)

  • Security Colleague
  • 1,617 posts
  • Gender: Male
  • Location: Florida

Posted 12 December 2014 - 01:13 AM

Keyholder victims,

 

If you are considering paying the ransom to get your files back, please email me at decryptorbit@outlook.com first before paying the ransom to discuss other options and help first.

We apologize that this event has happened; it can always be a difficult time when dealing with these kinds of infections.

 

Thanks.


Have you performed a routine backup today?

#3 PerSempre

  • Members
  • 18 posts

Posted 12 December 2014 - 05:21 AM

I'm afraid I'm a victim as well.

One of our workgroup's computers got infected. 

I don't mind the computer as it holds no important information: I can wipe it clean.

Worse is that an important mapped network share on our NAS is affected: all files encrypted and in every folder you can now find the how_to_decrypt html and gif.

 

Every night backups are made (each time overwriting the previous backup). Normally this is OK, as problems are usually detected during the day. But the encryption took place last night just before the backup, so now my only go-to is an offsite backup, but this backup is only scheduled monthly and what do you know: worst possible timing: it has been 29 days since the last backup, so all files added/modified in the last 29 days are currently lost ...

 

Is there no way to restore? Is Shadow Explorer definitely not an option? 

Something else? 

I have not touched the infected computer since we noticed the infection/encryption issues: I only turned it off to prevent further damage.

I'm in no position (nor willing, for that matter) to pay the ransom of $500. But I was wondering: is that all real? Do they send decryption keys/software if you pay, or is it - as I would expect - a matter of 'take the money and run'?


Edited by PerSempre, 12 December 2014 - 05:23 AM.


#4 PerSempre

  • Members
  • 18 posts

Posted 12 December 2014 - 05:25 AM

Keyholder victims,

 

[...]

We apologize that this event has happened. [...]

 

Why do you apologize? Are you the guy behind this ransomware? :P



#5 TheBladeRoden

  • Members
  • 30 posts

Posted 12 December 2014 - 05:49 AM

Is there no way to restore? Is Shadow Explorer definitely not an option? 
Something else?


I was able to "previous version" individual files and folders. Then I thought I'd speed things up by doing a system restore. It seemed like it was working until it restarted, then Windows said the restore failed because one file failed to restore and that nothing was changed. Except now all the restore points and shadow volumes were *poof*.

So yeah I've had a lot of visits from Captain Hindsight the past four days

#6 PerSempre

  • Members
  • 18 posts

Posted 12 December 2014 - 05:56 AM

I was able to "previous version" individual files and folders. Then I thought I'd speed things up by doing a system restore. It seemed like it was working until it restarted, then Windows said the restore failed because one file failed to restore and that nothing was changed. Except now all the restore points and shadow volumes were *poof*.


So yeah I've had a lot of visits from Captain Hindsight the past four days

 

 

Sorry to hear that, bro'. :-/

 

With your valuable hindsight in mind: how would you suggest I go about trying to recover as much as possible, knowing I only shut down the computer (no antimalware/AV tools used, no restore attempts, ...)?

 

(I don't have any previous experience with Shadow Explorer btw)


Edited by PerSempre, 12 December 2014 - 05:56 AM.


#7 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 43,271 posts
  • Gender: Male
  • Location: USA

Posted 12 December 2014 - 11:05 AM

(I don't have any previous experience with Shadow Explorer btw)


See here:

http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#shadow

#8 Kirbyofdeath

  • Members
  • 459 posts
  • Gender: Male
  • Location: Somewhere on Earth

Posted 12 December 2014 - 11:25 AM

I was able to "previous version" individual files and folders. 

This may mean you can use Shadow Explorer to recover your files.



#9 CorneliousJD

  • Members
  • 10 posts

Posted 12 December 2014 - 05:21 PM

Has anyone had any luck getting files back by paying the ransom? Unfortunately a client has gotten hit with this and they have a ton of data that is affected. They were in the middle of an initial seed backup to send to a cloud provider with all of their data when this happened, so the latest actual local backup is 3 weeks old...



#10 TheBladeRoden

  • Members
  • 30 posts

Posted 12 December 2014 - 05:27 PM

I was able to "previous version" individual files and folders.

This may mean you can use Shadow Explorer to recover your files.


Shadow Explorer couldn't find any volumes on my C drive after the fateful reboot :(

#11 JettHudson

  • Members
  • 17 posts

Posted 15 December 2014 - 01:43 PM

Nathan, I was hit with this too. I think we are going to see a lot of people posting here soon. I would rather pay someone helping the good guys like Nathan than pay the ransom.



#12 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 43,271 posts
  • Gender: Male
  • Location: USA

Posted 15 December 2014 - 01:57 PM

Any idea how you got infected? Has anyone checked their Windows event logs for failed terminal services logins?

#13 TheBladeRoden

  • Members
  • 30 posts

Posted 15 December 2014 - 05:22 PM

Would that be under Event Viewer > Applications and Services > Microsoft > Windows > TerminalServices-LocalSessionManager?
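
The check Grinler asks about in #12, as an added PowerShell example that is not from the thread or any of its posters: it lists failed RDP logons from the Security log and successful RDP session logons from the TerminalServices-LocalSessionManager log so the two can be compared. The 14-day look-back window is an assumption.

```powershell
# Added example (not from the thread): pull failed RDP/Terminal Services logons from the
# Security log and successful RDP session logons from the LocalSessionManager log.
# Run from an elevated PowerShell prompt on the suspect machine. Event IDs are Windows'
# standard ones; the 14-day look-back is an assumption, widen it if the intrusion was earlier.
$since = (Get-Date).AddDays(-14)

# Security event 4625 = an account failed to log on. LogonType 10 = RemoteInteractive (RDP).
# Note: with Network Level Authentication enabled, failed RDP attempts are often recorded as
# LogonType 3 instead, so widen the filter to 3,10 if this list comes back empty.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']
            SourceIP  = $d['IpAddress']
        }
    } | Where-Object { $_.LogonType -eq '10' }

# Many failures from one source IP, spread over many usernames, is the brute-force pattern
# that would fit the "manually hacked RDP/terminal server" theory from the first post.
$failed | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'SourceIP'; e = { $_.Name } },
                  @{ n = 'Users'; e = { ($_.Group.User | Select-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# LocalSessionManager/Operational event 21 = session logon succeeded, 25 = reconnection succeeded.
# A success from an IP that also appears in the failure list above is the logon to investigate.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
        Id        = 21, 25
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Id       = $_.Id
            User     = $x.Event.UserData.EventXML.User
            SourceIP = $x.Event.UserData.EventXML.Address
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Both queries also work against exported .evtx files by replacing the LogName entry in the hashtable with Path = 'C:\path\to\file.evtx', which lets the check run on logs copied off a machine before it is wiped.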

#14 PerSempre

  • Members
  • 18 posts

Posted 16 December 2014 - 06:03 AM

Lesson learnt: backup! backup! backup! BACKUP! Don't make assumptions: always consider the worst-worst-worst-case scenario and take it into account as a plausible event when designing your backup organisation. Use different media, use rotation, incorporate off-site backups. The cost of a couple of extra hard drives is nothing compared to the losses (and grief) you might suffer (especially if deep down you know you could have prevented a calamity).

 

But if you're in this thread, you probably are well aware of that by now.

 

To those infected without proper backups: hang in there! I hope you'll be able to recover as much as possible! Don't give up! And try all solutions before even considering paying these @-holes ...

 

2 things:

 

- I have received a lot of excellent help from Nathan. Don't doubt the guy: he knows what he's doing. And when you're in a bad situation like this, you'd better listen to the experts ...

 

- I have isolated the computer that was responsible for infecting our network: the computer was shut down immediately after it encrypted the hard drives and the mapped network shares. Nothing else was done with the computer: no AV scan, no system restore, ... Do any of the specialists here want me to check some specifics on this machine before I wipe it clean?



#15 Grinler (Lawrence Abrams)

  • Topic Starter
  • Admin
  • 43,271 posts
  • Gender: Male
  • Location: USA

Posted 16 December 2014 - 11:05 AM

No, you can go ahead and wipe. Thanks.



