A new contender in the ransomware space has appeared in the last few days. Known as KEYHolder, it follows in the same vein as CryptoLocker, CryptoWall, CryptoDefense, and similar members of the Locker family of malware. A technician at one of our partners, Todd G. at Compass Network Group, reported the following in his early analysis of this malware:
- It infects random files in folders, not alphabetically as seen in previous iterations of the type.
- It can affect all file types, not just those in the infamous Registry key added by the original CryptoLocker.
- The malware will copy the files, encrypt the copy, and delete the original. This technique would prevent VSS from operating properly on the files as they’re technically “new.”
- Like the others, it goes after both physical and mapped (network) drives.
- Like CryptoDefense and newer variants, it drops a HOW_DECRYPT file in the folders that have encrypted files.
So far, the only way to be sure that your files are safe and completely accessible is a full restore of the system from backup, because of the random infection order listed above. Because the originals are deleted rather than overwritten in place, file-recovery software such as Recuva or GetDataBack may also be able to help, but that method may not be viable for heavily used systems (e.g. file servers), where the freed disk blocks are quickly reused.
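Two of the traits above are easy to hunt for on a file server before a full restore becomes the only option: the HOW_DECRYPT drop note appearing in folders, and document files whose contents suddenly look like ciphertext because the original was replaced by an encrypted copy. The script below is an added example written for this post, not tooling from the original author or from the KEYHolder analysis; it assumes the note name matches by the prefix HOW_DECRYPT, uses an entropy cutoff of 7.5 bits per byte as a tuning value, skips zip- and gzip-based containers that are compressed by design, and builds its own constructed sample directory rather than touching real data.

```python
import math
import os
import tempfile
from collections import Counter

# Drop-note name reported in the post; matching on the prefix is an assumption,
# since a variant may add an extension or suffix (HOW_DECRYPT.txt, HOW_DECRYPT.html, ...).
NOTE_PREFIX = "HOW_DECRYPT"
# Assumed cutoff: encrypted or compressed data scores close to 8.0 bits/byte,
# plain text typically 4-5. This is a tuning knob, not a figure from the post.
ENTROPY_THRESHOLD = 7.5
# Containers that are compressed by design and would otherwise look "encrypted"
# (zip-based Office files, gzip). Skipping them trades coverage for fewer false positives.
KNOWN_COMPRESSED_MAGIC = (b"PK\x03\x04", b"\x1f\x8b")
SAMPLE_BYTES = 65536   # only the first 64 KiB is read per file
MIN_BYTES = 256        # too little data gives a meaningless entropy figure


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for a uniform byte spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, threshold: float = ENTROPY_THRESHOLD):
    """Walk root and return (ransom_note_paths, high_entropy_paths), both sorted."""
    notes, suspects = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper().startswith(NOTE_PREFIX):
                notes.append(path)
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # locked or already deleted: the malware removes originals as it goes
            if len(head) < MIN_BYTES or head.startswith(KNOWN_COMPRESSED_MAGIC):
                continue
            if shannon_entropy(head) >= threshold:
                suspects.append(path)
    return sorted(notes), sorted(suspects)


def build_sample_tree() -> str:
    """Constructed demo data, not a real infection: a plain-text file, a random-byte file
    standing in for an encrypted copy, a zip-like container that must not be flagged,
    and a drop note."""
    root = tempfile.mkdtemp(prefix="keyholder_demo_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    with open(os.path.join(docs, "report.txt"), "w") as fh:
        fh.write("quarterly numbers, nothing unusual\n" * 100)
    with open(os.path.join(docs, "budget.xlsx"), "wb") as fh:
        fh.write(os.urandom(4096))                   # encrypted copy: no magic bytes survive
    with open(os.path.join(docs, "archive.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04" + os.urandom(4096))   # legitimately compressed container
    with open(os.path.join(docs, "HOW_DECRYPT.txt"), "w") as fh:
        fh.write("Your files have been encrypted.\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    found_notes, found_suspects = scan_tree(demo_root)
    for p in found_notes:
        print("ransom note:", p)
    for p in found_suspects:
        print("high-entropy file:", p)
```

Entropy alone is a noisy signal: modern Office documents, PDFs with embedded images, and archives are all compressed and will score high, which is why the scan skips known container magic and why the drop note is the stronger indicator. On a real file server this would run as a scheduled task against the shares, alerting on the first HOW_DECRYPT file rather than on entropy hits; the entropy list is there to scope which folders the malware has already reached.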
Below is a screenshot of KEYHolder at work:
Our contact was not able to verify an infection vector either, so treat this one as capable of arriving as a drive-by download as well as through email.
We’ll keep an eye on things and update this blog as we learn more. The helpful folks at BleepingComputer.com are also looking into it and have a thread tracking the malware, so keep an eye on that thread too for the latest.
Again, we just want to extend our thanks to our Partner, Todd G. for the heads-up!