Keylock Ransomware

Keylock has been identified as a ransomware threat. Ransomware is a type of threatening software that encrypts a victim's files, rendering them inaccessible, and then demands a ransom payment in exchange for the decryption key. Keylock encrypts the files located on compromised devices and appends a distinct '.keylock' extension to their filenames. For instance, a file originally named '1.jpg' will be renamed to '1.jpg.keylock' after encryption, and the same naming convention applies to every affected file.

Furthermore, once the encryption process is finalized, Keylock generates a ransom note on the compromised device, which is typically titled 'README-id-[username].txt.' This ransom note serves as a communication channel between the attackers and the victim, providing instructions on how to make the ransom payment and potentially receive the decryption key.

Additionally, it's worth noting that Keylock not only encrypts files and creates a ransom note but also alters the victim's desktop wallpaper. This change is often made to reinforce the presence of the ransomware and the urgency of the situation, further pressuring the victim into complying with the attackers' demands.
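The file-system indicators described above (the '.keylock' extension and the 'README-id-[username].txt' note) can be swept for during triage. The following is an added example, not part of the original write-up or of any vendor tool; the function names, the sample tree and the use of file modification time as a rough marker for when encryption started are assumptions made for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

ENCRYPTED_SUFFIX = ".keylock"  # extension named on this page
# The page gives 'README-id-[username].txt'; the note text itself says 'README-id.txt'.
NOTE_RE = re.compile(r"^README-id(-.+)?\.txt$", re.IGNORECASE)


def triage(root):
    """Walk root and summarise Keylock file-system indicators per directory."""
    per_dir = defaultdict(lambda: {"encrypted": 0, "notes": []})
    earliest = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                per_dir[dirpath]["encrypted"] += 1
                try:
                    mtime = os.stat(full).st_mtime
                except OSError:
                    continue  # file vanished or unreadable; keep scanning
                # Assumption: mtime of a renamed file approximates encryption time.
                if earliest is None or mtime < earliest:
                    earliest = mtime
            elif NOTE_RE.match(name):
                per_dir[dirpath]["notes"].append(name)
    return {
        "directories": dict(per_dir),
        "encrypted_total": sum(d["encrypted"] for d in per_dir.values()),
        "note_total": sum(len(d["notes"]) for d in per_dir.values()),
        "earliest_encrypted_utc": (
            datetime.fromtimestamp(earliest, tz=timezone.utc).isoformat()
            if earliest is not None else None),
    }


def build_sample_tree(base):
    """Constructed sample data: empty placeholder files, not real malware output."""
    layout = {"docs": ["1.jpg.keylock", "report.docx.keylock", "README-id-alice.txt"],
              "clean": ["notes.txt", "keylock-article.pdf"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(base, sub), exist_ok=True)
        for n in names:
            open(os.path.join(base, sub, n), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(triage(tmp))
```

Directories that hold a note but no encrypted files, or the reverse, are worth a closer look, since they can show where encryption was interrupted.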

The Keylock Ransomware Seeks to Extort Money from Its Victims

The desktop wallpaper set by the Keylock Ransomware directs victims toward the text file containing the primary ransom note. The ransom note within this file explicitly states that the victim's files have been rendered inaccessible through encryption. More disconcerting is the implication that the attackers have exfiltrated the victim's data, raising concerns about potential data exposure or misuse.

To regain access to their encrypted data, the victim is informed that they must obtain the unique decryption key, which is exclusively held by the attackers. The method for acquiring this crucial decryption tool involves paying a ransom, although the specific amount is not disclosed. The attackers state that they will accept only payments made using the Bitcoin cryptocurrency.

Victims are granted a limited 72-hour window to establish contact with the cybercriminals. If this deadline is not met, the perpetrators threaten to take more drastic actions, which may include leaking or selling the data collected from the victim. The cybercriminals offer to decrypt up to three locked files for free, provided that they do not exceed 2MB in size and do not contain highly valuable information.

Additionally, the ransom note issues stern warnings against renaming, modifying, or deleting the encrypted files, attempting manual decryption, or using third-party recovery software or antivirus tools. The note discourages these actions on the grounds that they may result in irreversible data loss, compounding the already dire consequences of the ransomware attack.

Essential Security Measures to Implement on Your Devices

Implementing strong security measures on your devices is crucial to protect them against malware threats. Here are five essential security measures to consider:

  • Use Anti-malware Software: Install reputable anti-malware software on your devices. These programs can detect and remove various types of malware, including viruses, spyware and ransomware. Keep the anti-malware software updated to ensure it can identify the latest threats.
  • Regular Software Updates: Keep your operating system and all installed software up to date. Malware often exploits vulnerabilities in outdated software. Manufacturers release security patches and updates to fix these vulnerabilities, so regularly applying these updates is essential.
  • Firewall Protection: Enable a firewall on your device. Firewalls act as a barrier between your device and potential threats from the internet. They can block unauthorized access and incoming malicious traffic. Many operating systems come with built-in firewalls that can be enabled.
  • User Awareness and Safe Browsing Practices: Educate yourself and your users (if applicable) about safe online practices. Avoid accessing files or clicking on links from untrusted sources. Be cautious with email attachments and links, and never share personal information with unknown or suspicious websites.
  • Backup and Data Recovery: Regularly back up your data to external or cloud storage. In the event of a malware attack, you can restore your files without paying a ransom or losing critical information. Ensure that backups are performed automatically and are stored securely.

In addition to these five essential security measures, it's crucial to exercise caution when downloading and installing software, especially from unverified sources. Be mindful of phishing attempts and unsolicited emails, and do not open attachments or click on links if you're unsure of their legitimacy. Also, consider utilizing a virtual private network (VPN) when accessing public Wi-Fi networks to protect your data from potential eavesdropping.

The full text of the ransom note created by Keylock Ransomware is:


'Your files have been encrypted with strong encryption algorithms and modified and now have the '.keylock' extension!
The file structure was not damaged. Don't worry your unique encryption key is stored securely on our server and your data can be decrypted quickly and securely.
We guarantee that you can recover all of your data easily.

We are give you full instruction. And help you untill decryption process is fully finished.

We can prove that we can decrypt all of your data. Please just send us 3 not important, small(~2mb) encrypted files, which are randomly stored on your server. Also attach your README-id.txt left by us in every folder.

We will decrypt these files and send them to you as a proof. Please note that files for free test decryption should not contain valuable information.

If you will not start a dialogue with us in 72 hours we will be forced to publish your files in the public domain. Your customers and partners will be informed about the data leak.
This way, your reputation will be ruined. If you will not react, we will be forced to sell the most important information such as databases and personal data to interested parties to generate some profit.
Its just a business.
We absolutely do not care about you and your deals, except getting benefits.

If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.

If you wish to decrypt your files you will need to pay in Bitcoins.
If you want to resolve this situation, attach in letter this file README-id.txt and write to ALL of these 2 email addresses:

You can also message us on Telegram: hxxps://


We recommend you contact us directly to avoid overpaying agents. You data encrypted and only WE ARE have decryption key. To decrypt your data you need just 1 hour, after payment, no more than.

We asking to send your message to ALL of our 2 email adresses and Telegram, because for various reasons, your email may not be delivered.

Our message may be recognized as spam, so be sure to check the spam folder.

If we do not respond to you within 24 hours, write to us from another email address.

Please don't waste the time, it will result only additinal damage to your company.

Please do not rename and try to decrypt the files yourself. We will not be able to help you if files will be modified.

If you will try to use any third party software for restoring your data or antivirus solutions, please make a backup for all encrypted files.

If you delete any encrypted files from the current computer, you may not be able to decrypt them.'

The message shown as a desktop background image is:

'Find README-id.txt and follow the instruction.'

