Keylock Ransomware Uses Lengthy Ransom Note
Our researchers identified Keylock as a ransomware program during a routine examination of new file submissions. Ransomware encrypts files and then demands payment for their decryption.
On our test system, Keylock encrypted files and added a ".keylock" extension to their filenames. For instance, a file originally named "1.jpg" became "1.jpg.keylock," "2.png" turned into "2.png.keylock," and so on for all affected files.
Once the encryption process was finished, a ransom note with the title "README-id-[username].txt" was generated. Keylock also altered the desktop wallpaper.
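The two on-disk indicators described above (the appended ".keylock" extension and the "README-id-[username].txt" note dropped in each folder) are enough to build a quick triage inventory of an affected host. The following Python script is an added example, not code from the original report: it walks a directory tree, lists the encrypted files together with their recovered pre-encryption names, counts which original extensions were hit, and locates the ransom notes. The sample tree it scans is constructed inline.

```python
import os
import re
import tempfile
from pathlib import Path

# Keylock indicators taken from the report: appended extension and note name pattern.
ENCRYPTED_SUFFIX = ".keylock"
NOTE_PATTERN = re.compile(r"^README-id-.+\.txt$", re.IGNORECASE)


def triage_keylock(root):
    """Walk a directory tree and inventory Keylock artifacts.

    Returns the encrypted files (mapped to their pre-encryption names), the
    ransom notes found, and a count of original extensions affected."""
    root = Path(root)
    encrypted = {}
    notes = []
    ext_counts = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_SUFFIX):
                # Keylock only appends its extension, so stripping it yields the original name.
                original = name[: -len(ENCRYPTED_SUFFIX)]
                encrypted[str(path.relative_to(root))] = original
                ext = Path(original).suffix.lower() or "(none)"
                ext_counts[ext] = ext_counts.get(ext, 0) + 1
            elif NOTE_PATTERN.match(name):
                notes.append(str(path.relative_to(root)))
    return {"encrypted": encrypted, "notes": sorted(notes), "extensions": ext_counts}


def build_sample_tree():
    """Constructed sample tree mimicking the post-infection layout the report describes."""
    base = Path(tempfile.mkdtemp(prefix="keylock_triage_"))
    (base / "docs").mkdir()
    for rel in ["1.jpg.keylock", "2.png.keylock", "docs/report.docx.keylock"]:
        (base / rel).write_bytes(b"\x00constructed ciphertext\x00")
    (base / "notes.txt").write_text("untouched file")  # not encrypted, must be ignored
    for rel in ["README-id-alice.txt", "docs/README-id-alice.txt"]:
        (base / rel).write_text("YOUR FILES ARE ENCRYPTED ...")
    return base


if __name__ == "__main__":
    result = triage_keylock(build_sample_tree())
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes")
    for enc, orig in sorted(result["encrypted"].items()):
        print(f"  {enc} -> originally {orig}")
```

Run it against the root of a mounted, read-only copy of the affected volume rather than the live system; the inventory is input for scoping and restoration from backups, not a decryptor.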
The wallpaper provided by Keylock guides the victim to the text file. The ransom note in this file explains that the inaccessible files have been encrypted and suggests that the victim's data has been taken.
To recover the data, the victim must obtain the unique decryption key held by the attackers. Obtaining the decryption tools requires paying an unspecified ransom in Bitcoin. The victim is given 72 hours to contact the cybercriminals; failing to do so will result in the stolen company data being published or sold.
Before making any payments, the victim has the option to test the decryption process by sending up to three encrypted files to the attackers. These files should not exceed 2MB in size and should not contain valuable information.
The message also cautions against renaming, modifying, or deleting the encrypted files, attempting manual decryption, or using third-party recovery software or antivirus tools, as these actions could result in permanent data loss.
Keylock Ransom Note Threatens Leak 72 Hours After Attack
The full text of the Keylock ransom note reads as follows:
YOUR FILES ARE ENCRYPTED
Your files have been encrypted with strong encryption algorithms and modified and now have the '.keylock' extension!
The file structure was not damaged. Don't worry your unique encryption key is stored securely on our server and your data can be decrypted quickly and securely.
We guarantee that you can recover all of your data easily.
We are give you full instruction. And help you untill decryption process is fully finished. We can prove that we can decrypt all of your data. Please just send us 3 not important, small(~2mb) encrypted files, which are randomly stored on your server. Also attach your README-id.txt left by us in every folder.
We will decrypt these files and send them to you as a proof. Please note that files for free test decryption should not contain valuable information.
If you will not start a dialogue with us in 72 hours we will be forced to publish your files in the public domain. Your customers and partners will be informed about the data leak.
This way, your reputation will be ruined. If you will not react, we will be forced to sell the most important information such as databases and personal data to interested parties to generate some profit.
Its just a business.
We absolutely do not care about you and your deals, except getting benefits.
If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
If you wish to decrypt your files you will need to pay in Bitcoins.
If you want to resolve this situation, attach in letter this file README-id.txt and write to ALL of these 2 email addresses:
keychain@onionmail.org
keybranch@mailfence.com
You can also message us on Telegram: hxxps://t.me/key_chain
IMPORTANT!
We recommend you contact us directly to avoid overpaying agents. You data encrypted and only WE ARE have decryption key. To decrypt your data you need just 1 hour, after payment, no more than.
We asking to send your message to ALL of our 2 email adresses and Telegram, because for various reasons, your email may not be delivered.
Our message may be recognized as spam, so be sure to check the spam folder.
If we do not respond to you within 24 hours, write to us from another email address.
Please don't waste the time, it will result only additinal damage to your company.
Please do not rename and try to decrypt the files yourself. We will not be able to help you if files will be modified.
If you will try to use any third party software for restoring your data or antivirus solutions, please make a backup for all encrypted files.
If you delete any encrypted files from the current computer, you may not be able to decrypt them.
Why Do Ransomware Actors Use Data Leak Threats?
Ransomware actors use data leak threats for several reasons:
- Increased Leverage: Threatening to leak sensitive data gives ransomware operators increased leverage over their victims. It adds an extra layer of pressure by making the victim feel that not only are their files encrypted and inaccessible, but their private and potentially damaging information could also be exposed to the public.
- Higher Ransom Payments: Victims are more likely to pay a higher ransom amount when they believe that the stolen data is sensitive, confidential, or valuable. The fear of reputational damage, legal consequences, or financial loss can drive victims to meet the ransom demands.
- Reputation Damage: Data leaks can severely harm an organization's reputation. If sensitive or private information is exposed, it can erode trust among customers, partners, and stakeholders. Businesses often want to prevent data leaks at all costs to protect their image.
- Legal and Compliance Concerns: Data leak threats can create significant legal and compliance issues for organizations. Depending on the nature of the stolen data, organizations may be subject to regulatory fines and legal actions. Paying the ransom may seem like a way to avoid these potential consequences.
- Public Shaming: Some ransomware groups use data leak threats as a tactic to publicly shame their victims. They may leak a portion of the stolen data or provide proof of the breach, which can lead to negative media attention and public embarrassment for the victim organization.
- Pressure to Pay Quickly: The threat of data leaks often comes with a tight deadline, forcing victims to make quick decisions. This urgency can lead to hasty ransom payments to prevent data exposure.