Posted 11 December 2014 - 04:09 PM

There is a new ransomware called KEYHolder that encrypts your data with Cipher FeedBack XOR encryption encryption and then requests a ransom of 1.5 bitcoins to get a decrypter. At this time it is unknown as to how a computer becomes infected with KEYHolder, but it is felt that the malware group may be hacking into remote desktop or terminal services and manually installing the infection.Once KEYHolder is installed on a computer it will scan all of the drive letters on the computer and encrypt any data files that are found on it. When it has finished encrypting your data files it will clear all Shadow Volume Copies on the affected computer so that you are unable to restore your files via System Restore or using a program like Shadow Explorer.KEYHolder will also create the HOW_DECRYPT.gif and HOW_DECRYPT.html files, shown at the bottom of this post, in each folder that files were encrypted. These files contain information on how to access the ransom payment site.



HOW_DECRYPT.HTML

KEYHolder

YOUR PERSONAL FILES ARE ENCRYPTED

All files including videos, photos and documents on your computer are encrypted.

File Decryption costs ~$500

In order to decrypt the files, you need to perform the following steps:



1. Your should download and install this browser http://www.torproject.org/torbrowser.html.en



2. After installation, run the browser and enter the address: mwyigd4n52mkbyhe.onion



3. Follow the instructions on the web-site.



We remind that you that the sooner you do, the more chances are left to recover the files.



Guaranteed recovery is provided within 10 days.

The text of the How_Decrypt.gif image is:



HOW_DECRYPT.GIF

When you go to the KEYHolder website, you will be shown the current ransom amount, instructions on how to make a payment, and the bitcoin address you should send a payment to. This page will also contain a field where you can submit the transaction ID for your ransom payment. When the payment becomes verified you will be able to download the decrypter. A screen shot of the KEYHolder web site can be seen below.



KEYHolder User Cabinet Site

As more information about this infection becomes known, we will update this post. Please feel free to provide any info you may have in this topic. If you have any samples of the actual infection, please submit them to http://www.bleepingcomputer.com/submit-malware.php?channel=3