Archive for December, 2014

Recovering Files Encrypted by KeyHolder Ransomware

by Jordan Spencer Cunningham on

A merry Christmas, indeed! There’s not much snow here in the northwest, and to top that off, a new ransomware malware variant has surfaced, infecting untold numbers of small-business and home computers throughout the country. You’re likely here because you or your client has been attacked by this ruthless plague, and you want nothing for Christmas other than to recover those encrypted files. You have been visited by the Ghosts of Backups Past, Present, and Future, and now you exclaim, like Scrooge of Dickens fame, “I will honour Backups in my heart, and try to keep them all the year. I will make Backups in the Past, the Present, and the Future. The Spirits of all Three shall strive within me. I will not shut out the lessons that they teach!” You have learned your lesson to make backups nightly, if not more often, but this hard-won knowledge cannot bring back your corrupted data. Is there any way to get that data back without paying the scum that took it in the first place?

Well, probably.

UPDATE: Probably not, I’m afraid. I’ve confirmed with people who have analyzed the virus in minute detail, down to how each byte is encrypted, and they’re 100% certain that the virus does not copy files, encrypt the copies, and then delete the originals; it simply encrypts the original in place. This renders my theory of recovery moot, though if you’re desperate, please feel free to read on and give it a try. It never hurts to try. I would still recommend initiating the purchase of some Bitcoin, as it takes four or more days for Bitcoin to process from your bank account, and it’s less likely that you’ll be able to recover your files if you pay the ransom after ten days. If you are able to recover the files before you pay the ransom, you can always transfer the Bitcoin back into your bank account or use it to buy stuff at Newegg.
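To make the update's point concrete, here is an added toy simulation. It is not code from this post and models nothing of KeyHolder's actual cipher or file handling; the in-memory block device, the XOR "scramble", the key and the PDF-looking sample bytes are all constructed for illustration. It contrasts the two behaviours the update describes: writing an encrypted copy and then unlinking the original (which leaves the original's blocks unallocated but intact, so an undelete or file-carving tool can find them) versus overwriting the original in place (which leaves nothing to carve).

```python
import math

BLOCK_SIZE = 16          # constructed: tiny blocks so the layout is easy to follow
KEY = b"toy-key"         # constructed: stands in for the malware's real key
# constructed sample: bytes that look like a PDF header so a carver can spot them
SAMPLE = b"%PDF-1.4 constructed sample invoice text, not a real document"


class ToyDisk:
    """A block device with an allocation bitmap and a flat directory."""

    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK_SIZE)] * nblocks
        self.allocated = [False] * nblocks
        self.files = {}  # name -> (block indexes, byte length)

    def _chunks(self, data):
        return [data[i:i + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
                for i in range(0, len(data), BLOCK_SIZE)]

    def write_file(self, name, data):
        """Allocate fresh blocks (lowest free first) and store data there."""
        chunks = self._chunks(data)
        free = [i for i, used in enumerate(self.allocated) if not used][:len(chunks)]
        if len(free) < len(chunks):
            raise RuntimeError("toy disk full")
        for i, chunk in zip(free, chunks):
            self.blocks[i] = chunk
            self.allocated[i] = True
        self.files[name] = (free, len(data))

    def overwrite_file(self, name, data):
        """Rewrite the file's existing blocks: the old contents are gone."""
        idx, length = self.files[name]
        if len(data) != length:
            raise ValueError("toy overwrite keeps the file length unchanged")
        for i, chunk in zip(idx, self._chunks(data)):
            self.blocks[i] = chunk

    def read_file(self, name):
        idx, length = self.files[name]
        return b"".join(self.blocks[i] for i in idx)[:length]

    def delete_file(self, name):
        """Unlink only: the blocks are marked free, their bytes are untouched."""
        idx, _ = self.files.pop(name)
        for i in idx:
            self.allocated[i] = False


def toy_scramble(data, key):
    """Length-preserving XOR, a stand-in for a real cipher (NOT encryption)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def copy_encrypt_delete(disk, name, key):
    """Strategy A: write an encrypted copy, then unlink the original."""
    disk.write_file(name + ".enc", toy_scramble(disk.read_file(name), key))
    disk.delete_file(name)


def encrypt_in_place(disk, name, key):
    """Strategy B (what the update says KeyHolder does): overwrite the original."""
    disk.overwrite_file(name, toy_scramble(disk.read_file(name), key))


def carve_unallocated(disk, signature, length):
    """What an undelete/carving tool does: scan free blocks for a known header
    and read the following blocks back. Returns the bytes or None."""
    nblocks = math.ceil(length / BLOCK_SIZE)
    for start, (blk, used) in enumerate(zip(disk.blocks, disk.allocated)):
        if not used and blk.startswith(signature):
            span = disk.blocks[start:start + nblocks]
            return b"".join(span)[:length]
    return None


def recoverable_after(strategy):
    """Run one strategy on a fresh toy disk and report whether carving works."""
    disk = ToyDisk(16)
    disk.write_file("invoice.pdf", SAMPLE)
    strategy(disk, "invoice.pdf", KEY)
    return carve_unallocated(disk, b"%PDF", len(SAMPLE)) == SAMPLE


if __name__ == "__main__":
    print("copy+encrypt+delete, original carvable:", recoverable_after(copy_encrypt_delete))
    print("encrypt in place,    original carvable:", recoverable_after(encrypt_in_place))
```

Running it prints `True` for the copy-and-delete strategy and `False` for in-place overwriting, which is exactly why the undelete approach the post hoped for cannot work against a family that overwrites originals. Even in the copy-and-delete case the toy is optimistic: on a real filesystem the freed blocks can be reused by later writes, and on SSDs TRIM may discard them, so carving is a best-effort forensic step, never a substitute for the offline backups the post is urging.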
