
KeyMaker Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 19
First Seen: August 31, 2017
Last Seen: October 5, 2022
OS(es) Affected: Windows

The KeyMaker Ransomware is an encryption ransomware Trojan. Like the many other encryption ransomware Trojans currently active, the KeyMaker Ransomware is designed to take victims' data hostage by using a strong encryption algorithm to make the victim's files inaccessible. The KeyMaker Ransomware holds the decryption key necessary to recover the affected files until the victim agrees to pay a large ransom. Security providers strongly advise computer users to avoid paying the KeyMaker Ransomware ransom. Computer users should take precautions against the KeyMaker Ransomware and other ransomware Trojan attacks, which have increased substantially in frequency in 2017.

The Trouble Maker KeyMaker Ransomware

The KeyMaker Ransomware, like many other encryption ransomware Trojans, is based on HiddenTear. HiddenTear is an open source ransomware platform that was first published on GitHub in August of 2015. Since its release, originally for proof-of-concept purposes, HiddenTear has been adapted to create countless ransomware variants, the KeyMaker Ransomware being one of the latest in a long line of nearly identical encryption ransomware Trojans. The KeyMaker Ransomware is delivered to victims mainly through spam email attachments. The victims receive spam email messages with attached Microsoft Word files that include malicious embedded scripts; these scripts download and install the KeyMaker Ransomware onto the victim's computer. The KeyMaker Ransomware receives its name because it uses the executable file KeyMaker.exe to run on the victim's computer and encrypt the victim's files.

How the KeyMaker Ransomware Attack Works

Once installed on the victim's computer, the KeyMaker Ransomware behaves in the same way as most other encryption ransomware Trojans. It uses a strong encryption algorithm to encrypt the victim's files, targeting photos, texts, music, videos, databases, spreadsheets, configuration files, and numerous file types associated with software such as Microsoft Office, LibreOffice, Adobe Photoshop and WinRAR. The files encrypted by the KeyMaker Ransomware attack are marked with the file extension '.CryptedOpps,' which is appended to the end of each affected file's name. Once the KeyMaker Ransomware encrypts a file, it can no longer be recovered without a decryption program and the private decryption key, which the con artists withhold from the victim.

The Ransom Demanded by the KeyMaker Ransomware

The con artists responsible for the KeyMaker Ransomware demand payment for their 'help' in recovering the affected files after taking the victim's data hostage. Typically, they demand a payment of USD 200 in Bitcoin. The KeyMaker Ransomware delivers its ransom note in a text file named 'READ_IT.txt' that is dropped on the victim's desktop after the KeyMaker Ransomware has finished carrying out its attack. The full text of the KeyMaker Ransomware ransom note reads:

'Opps all your files have been encrypted with crytp0lock
You can unlock your files by paying 200 dollars in bitcoin
Send payment too bitcoin address [RANDOM CHARACTERS] you also can contact us at for other payments or questions.
You have 2 days to PAY before timer starts deletion of files.'

PC security researchers strongly advise computer users to avoid paying the KeyMaker Ransomware ransom. The con artists responsible for the KeyMaker Ransomware will rarely deliver a working decryptor and may, in fact, ask for more money or ignore the victim altogether. Even if the con artists do restore the victim's files, paying the KeyMaker Ransomware ransom allows them to continue financing these attacks, and victims who show a willingness to pay once are very likely to be targeted again in the future by similar threats. Do not forget that new HiddenTear variants are released constantly. Instead of paying the KeyMaker Ransomware ransom, take preventive measures, such as keeping a reliable file backup in the cloud or on an external drive.
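As an added defender-side example (not part of the original write-up), the following Python triage script turns the indicators described in the attack and ransom-note sections above, the '.CryptedOpps' extension and the 'READ_IT.txt' note with its quoted wording, into a scan of a directory tree that inventories affected files and maps them back to their original names for comparison against a backup. The sample directory it builds is constructed for illustration only.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".CryptedOpps"  # extension the KeyMaker Ransomware appends to each file
NOTE_NAME = "READ_IT.txt"       # ransom note dropped on the desktop
NOTE_MARKERS = ("crytp0lock", "have been encrypted")  # wording from the quoted note


def original_name(path) -> str:
    """Strip the appended extension: 'budget.xlsx.CryptedOpps' -> 'budget.xlsx'."""
    name = Path(path).name
    return name[: -len(ENCRYPTED_EXT)] if name.endswith(ENCRYPTED_EXT) else name


def is_ransom_note(path: Path) -> bool:
    """A READ_IT.txt counts only if its text matches the known note wording."""
    if path.name.lower() != NOTE_NAME.lower():
        return False
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return any(marker in text for marker in NOTE_MARKERS)


def scan_tree(root) -> dict:
    """Inventory encrypted files (with their original names) and ransom notes under root."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath, fname)
            if fname.endswith(ENCRYPTED_EXT):
                encrypted.append((str(p), original_name(p)))
            elif is_ransom_note(p):
                notes.append(str(p))
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "infected": bool(encrypted or notes)}


def build_sample_tree() -> str:
    """Constructed sample: two encrypted files, one ransom note, one untouched file."""
    root = tempfile.mkdtemp(prefix="keymaker_sample_")
    docs = Path(root, "Documents"); docs.mkdir()
    (docs / "budget.xlsx.CryptedOpps").write_bytes(b"\x00" * 16)
    (docs / "photo.jpg.CryptedOpps").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_text("untouched file")
    desk = Path(root, "Desktop"); desk.mkdir()
    (desk / NOTE_NAME).write_text("Opps all your files have been encrypted with crytp0lock\n")
    return root
```

Run `scan_tree` against a user profile or file share to get the list of original filenames to restore from backup; a tree with no matches returns `"infected": False`.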
