iSheriff is investigating a new form of ransomware that goes by the name KEYHolder. KEYHolder appears to come from the same group that was behind Cryptorbit. Like other ransomware, KEYHolder encrypts files (documents, music, videos, images, etc.) on attached drives, including mapped network file shares. Once the encryption is complete, a ransom of $500 is demanded for the decryption key. The user is directed to download a Tor-capable browser and make the ransom payment through a server reachable only over Tor.
The statements in this paragraph come from an investigation that is still in progress and may turn out to be incomplete or inaccurate. iSheriff is working on this diligently, and at present it is believed that the initial infections occurred via email. There is some chatter in the security community about infections happening through direct remote control of systems from the outside, but we have seen no evidence of this. Samples are still being analyzed, and signatures will be updated as quickly as possible.
The security team at iSheriff wanted to make sure that you were aware of this potential threat, especially at a time of year when staff may be diminished by holiday travel. In the meantime it is strongly recommended that you inform your users of the following:
- Do NOT open attachments from unknown senders. While we have seen ransomware attacks sourced from watering-hole attacks and social harvesting attacks, the vast majority arrive through email via spear-phishing.
- Back up often, and keep at least one copy of the backups offline or otherwise disconnected from the network: KEYHolder encrypts mapped network shares, so a backup that is reachable as a mapped drive can be encrypted along with the originals.
- Do not click on links that seem suspicious.
- Do not allow software of unknown origin to be installed on your system.
- Keep endpoint security software up to date.
- Keep endpoint signatures up to date.
- Use iSheriff Web, endpoint and email security to protect possible infection vectors.