Recovering Files Encrypted by KeyHolder Ransomware

by Jordan Spencer Cunningham on

A merry Christmas, indeed! There’s not much snow here in the northwest, and to top that off, a new ransomware malware variant has surfaced, infecting untold numbers of small business and home computers throughout the country. You’re likely here because you or your client has been attacked by this ruthless plague, and you want nothing for Christmas other than to recover those encrypted files. You have been visited by the Ghosts of Backups Past, Present, and Future, and now you exclaim, like Scrooge of Dickens fame, “I will honour Backups in my heart, and try to keep them all the year. I will make Backups in the Past, the Present, and the Future. The Spirits of all Three shall strive within me. I will not shut out the lessons that they teach!” You have learned your lesson to make backups nightly, if not more often, but this hard-won knowledge cannot bring back your corrupted data. Is there any way to get that data back without paying the scum that took it in the first place?

Well, probably.

UPDATE: Probably not, I’m afraid. I’ve confirmed with people who have analyzed the virus in minute detail down to how each byte is encrypted, and they’re 100% certain that the virus does not copy files, encrypt the copies, and then delete them; they rather just encrypt the original. This renders my theory of recovery moot, though if you’re desperate, please feel free to read on and give it a try. It never hurts to try. I would still recommend initiating the purchase of some Bitcoin as it takes four or more days for Bitcoin to process from your bank account, and it’s less likely that you’ll be able to recover your files if you pay the ransom after ten days. If you are able to recover the files before you pay the ransom, you can always transfer the Bitcoin back into your bank account or use it to buy stuff at Newegg.

[Image: KeyHolder ransom note]

Before going forward, I strongly recommend you verify you have successfully removed KeyHolder by downloading and installing Malwarebytes, and running a custom scan with the “Scan for Rootkits” option enabled. It will be better if you reboot into safe mode to do this: people are reporting that KeyHolder isn’t running in safe mode, so at least Malwarebytes can work to remove the malware without it continuing to encrypt files.

I’d also recommend following this topic over at Bleeping Computer. I’m known as weildish over there.

Now you’ve removed KeyHolder and have decided to reserve a special seat in hell for the person who created it. Let’s try to recover your files without helping to fund more of this criminal activity.

I’ve spent hours trying to find ways to reverse engineer the encryption on files, but thus far we don’t have any way of doing that. I have faith that the guys over at Bleeping Computer, particularly the user DecrypterFixer (AKA Nathan), will find a way to reverse engineer the encryption just like they have for other ransomware. In the meantime, though, we have nothing.

Except for this:

Recovering KeyHolder Encrypted Files Using a Deleted File Recovery Utility

After a lot of research and file analysis, it appears that KeyHolder doesn’t actually encrypt the original file but goes through this process:

  1. Copies the original file
  2. Encrypts the copy
  3. Deletes the original

This means that the original files should still exist on the hard disk as long as you haven’t written gratuitous amounts of data to that disk. Basically, when files are deleted, they’re not immediately removed from the disk but are simply marked by the file system as deleted and are available to be overwritten. This is seen as free space to the end user. As long as that part of the disk has not been overwritten by other data, you can recover the files located there by using any one of a number of file recovery tools.

The tool I’ve been using for this is Piriform’s Recuva, a free file recovery utility. In the testing I’ve been doing on a client’s machine, the quick scan in this application doesn’t find any deleted files. However, using the deep scan option, I’ve been able to thus far find ~20,000 deleted files, most of which I am fairly certain are original files that were deleted by KeyHolder.

I recommend having Recuva scan your entire drive for deleted files and not just one folder location. I haven’t had luck finding recovered files in just one folder, but I have had luck finding them by searching from the drive root.

Also, it doesn’t look like Recuva has any way of recovering the metadata concerning the file: no created or modified dates, no information on the file path it was stored, and not even the file name. So if you have files whose identification relies wholly on those bits of information, such as thousands of x-rays, then this probably won’t help much even though you will still likely be able to get the files recovered. However, if you have files whose contents will adequately identify them, then all you’ll need to do is open up each file and rename it accordingly and move it to the proper location.
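Because the recovered files come back without names, paths or dates, the first pass of "open each file and see what it is" can be automated from the header bytes. The script below is an added example written for this post, not code from the post or from Piriform; the signature table, folder layout and naming scheme are my own choices, and it copies rather than moves so the Recuva output stays untouched.

```python
import os
import shutil

# (header bytes, offset in file, extension to assign): well-known file signatures
SIGNATURES = [
    (b"\xff\xd8\xff", 0, "jpg"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"%PDF-", 0, "pdf"),
    (b"PK\x03\x04", 0, "zip"),  # also docx/xlsx/pptx, which are zip containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, "doc"),  # legacy Office (OLE2)
    (b"DICM", 128, "dcm"),  # DICOM medical images, e.g. x-rays, carry a 128-byte preamble
]

def guess_extension(data):
    """Return the extension for the first matching signature, else 'unknown'."""
    for sig, off, ext in SIGNATURES:
        if data[off:off + len(sig)] == sig:
            return ext
    return "unknown"

def guess_file(path):
    """Read only the first 512 bytes; enough to cover every offset in SIGNATURES."""
    with open(path, "rb") as f:
        head = f.read(512)
    return guess_extension(head)

def sort_recovered(src_dir, dest_dir):
    """Copy each recovered file into dest_dir/<ext>/<ext>_NNNNN.<ext>.
    Returns a count per detected type so you can see what came back."""
    counts = {}
    for name in sorted(os.listdir(src_dir)):
        path = os.path.join(src_dir, name)
        if not os.path.isfile(path):
            continue
        ext = guess_file(path)
        folder = os.path.join(dest_dir, ext)
        os.makedirs(folder, exist_ok=True)
        n = counts.get(ext, 0) + 1
        counts[ext] = n
        shutil.copy2(path, os.path.join(folder, f"{ext}_{n:05d}.{ext}"))
    return counts
```

Files that land in the `unknown` folder still need a manual look; everything else at least has a type and an extension an application can open.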

Finally, if you have a large drive with a large amount of files, it could take a long time to run this deep scan. I mean, a really long time: mine right now is 1% complete after running for maybe an hour or two and has an estimated time left of four days. The way I’ve verified that it’s actually finding things is by cancelling the scan after half an hour or so. I’ve had to start over, but at least I’ve verified that it’s working and have recovered some sample files with which to work.

If you have luck with this method, please let us know by commenting below or sharing your success at the Bleeping Computer topic. I am still experimenting with this, so I’d be interested to know more certain results.

Final note: I’ve had an idea that may be able to help discover the location of these files after they’re recovered and restore them to their original locations, overwriting the encrypted copy. It’s just a theory, and I currently don’t have a way of testing the theory because I don’t have the software to do it, but I’m researching. If we could compare certain chunks of every encrypted file with the corresponding chunks of all of the recovered original files, it should be possible to identify which encrypted file corresponds to which original file and then replace the encrypted file with the original file in the proper file location. My programming skills are more web-centric and automation-centric, and even then I’m still gathering knowledge. If anyone else has developed skills more than I have and may be able to help me design this tool, I would be interested in collaborating with you.
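The chunk-comparison idea above, as an added example that is not the post's own tool: each file is hashed in fixed 4 KiB pieces, and an encrypted file is paired with whichever recovered file shares the most pieces at the same offsets. The post itself says nothing about any part of an encrypted file staying intact, and its update says the originals are encrypted in place, so the demo's sample files, where only the first 16 KiB of a copy are overwritten, are a constructed assumption, not observed KeyHolder behaviour; the 0.5 threshold is also my choice.

```python
import hashlib
import os
import tempfile

CHUNK = 4096  # compare files in fixed 4 KiB pieces

def chunk_hashes(path):
    """Return {offset: sha256} for every CHUNK-sized piece of a file."""
    hashes, off = {}, 0
    with open(path, "rb") as f:
        while data := f.read(CHUNK):
            hashes[off] = hashlib.sha256(data).hexdigest()
            off += len(data)
    return hashes

def match_score(encrypted, recovered):
    """Fraction of the encrypted file's chunks identical to the same-offset chunk of the candidate."""
    enc, rec = chunk_hashes(encrypted), chunk_hashes(recovered)
    if not enc:
        return 0.0
    hits = sum(1 for off, h in enc.items() if rec.get(off) == h)
    return hits / len(enc)

def pair_files(encrypted_paths, recovered_paths, threshold=0.5):
    """Map each encrypted file to its best-scoring recovered original; skip files with no candidate at or above threshold."""
    pairs = {}
    for enc in encrypted_paths:
        score, best = max(((match_score(enc, r), r) for r in recovered_paths), default=(0.0, None))
        if score >= threshold:
            pairs[enc] = (best, score)
    return pairs

def demo():
    """Constructed sample: an original, a copy with its first 16 KiB overwritten (ASSUMED partial encryption), and an unrelated file."""
    d = tempfile.mkdtemp()
    orig = os.path.join(d, "recovered_0001")
    enc = os.path.join(d, "invoice.pdf.encrypted")
    other = os.path.join(d, "recovered_0002")
    body = bytes(range(256)) * 160  # 40960 bytes = 10 chunks
    with open(orig, "wb") as f:
        f.write(body)
    with open(enc, "wb") as f:
        f.write(os.urandom(16384) + body[16384:])  # 4 of 10 chunks scrambled, 6 intact
    with open(other, "wb") as f:
        f.write(os.urandom(len(body)))
    return pair_files([enc], [orig, other]), enc, orig

if __name__ == "__main__":
    print(demo()[0])
```

If the encryptor really rewrites every byte, every score comes back 0.0 and nothing is paired, which is itself a useful answer before anyone starts overwriting encrypted files with guesses.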