It seems like it never ends… Malware keeps cropping up faster than the industry can update its virus definitions, and today is no different. A new variety of Ransomware has recently hit the market. It goes by the name KEYHolder, and from what the industry has found so far, KEYHolder appears to come from the same folks that were behind Cryptorbit. Although Ransomware may seem like a relatively new type of attack, it actually goes back to the “AIDS” Trojan (also known as “PC Cyborg”) as far back as 1989. In other words, these people are really good at making, and propagating, this type of attack.
Like other Ransomware, KEYHolder will encrypt files (anything and everything: documents, music, videos, images, etc.) on any attached drives, including network-mapped file shares. Once the encryption is complete, a ransom of $500 is demanded for the unlock key. The user is directed to download a Tor-compliant browser and make the ransom payment through a Tor-masked server.
It is thought, although no one is certain at this point, that the initial infection occurs via email. Because this is still developing and the industry as a whole is working to mitigate the threat, there is still much speculation around KEYHolder. There is some chatter in the security community about infections happening through direct control of systems from the outside, but we have seen no evidence of this. Source files are still being investigated, and Antivirus vendors will update their signatures to mitigate the risk as quickly as possible.
This is a very real potential threat. Until more is known, and the industry has released fully functioning definition files to reduce the related risks, it is strongly recommended that you inform your users of the following:
1. Do NOT open attachments from unknown senders. While we have seen Ransomware attacks sourced from watering-hole attacks or social-harvesting attacks, the vast majority are coming in through email via spear-phishing attacks.
2. Back up often.
3. Do not click on links that seem suspicious.
4. Do not allow any software whose origins you do not know to be installed on your system.
5. Keep endpoint security software versions up to date.
6. Keep endpoint signatures up to date.
7. Contact BizTek support staff if you have any doubt about your current level of protection, or suspect that you are infected in any fashion.
Malware of any variety is a pain, even in its simplest form. But some, such as Ransomware and others, can bring your business to its knees. If you are not confident that you have this base covered, give us a call.