Remove KeyBTC Ransomware and Restore .keybtc@inbox_com Encrypted Files - How to, Technology and PC Security Forum |

Remove KeyBTC Ransomware and Restore .keybtc@inbox_com Encrypted Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)


An old ransomware seems to have emerged once again. KeyBTC is the name of this ransomware as it appends the extension .keybtc@inbox_com to encrypted files. To remove the ransomware and see if you can restore your files, you should carefully read this article throughout.

Threat Summary

Short DescriptionThe ransomware encrypts files with RSA/PGP algorithms and asks for payment via email.
SymptomsSpecific file types are encrypted. Two files are created on the user’s desktop – File1.bin and File2.bin along with a .txt file with instructions for paying the ransom.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by KeyBTC


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss KeyBTC.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

KeyBTC Ransomware – Distribution Ways

KeyBTC ransomware is distributed with the help of spam emails that look as legitimate postal or shipment notifications. The emails themselves cannot infect your PC alone, but have file attachments with the ransomware inside. The attachments are .Zip file type archives. The contents of those archives are JavaScript files disguised as normal Word documents.

It is unknown if exploit kits or social media are used to further help in the distribution of this ransomware, but it is a possibility. File sharing services might contain such files as well. If something looks suspicious and you are not one hundred percent sure of its origin, do not open it. At least that is the general rule of thumb.

KeyBTC Ransomware – Description

The KeyBTC malware is a known ransomware. The legend goes that it used to target only Russian speaking countries. Alas, in late 2014 it began infecting users worldwide. Still spiraling to this day, it is not one of the most dangerous ransomware types, but it is quite effective. KeyBTC nowadays might have evolved and try making entries in the Windows Registry as other ransomware. This maneuver is done to keep malware’s persistence while loading with each boot of the Windows OS.

What makes this ransomware effective and still viable to this day is that it encrypts important files, which are still the most popular types of files used to store personal information. Another thing is that everything but the public encryption key is not sent anywhere and only known by the malware maker.

KeyBTC will put all encrypted files inside two other files which are stored in the user’s computer. They are given these simple names:

  • File1.bin
  • File2.bin

A third file is created, containing the ransomware instructions. The file is named READ with capital letters. You can see its contents here:


The instructions state:


All your documents, photos, databases and other important personal files were encrypted using strong RSA-1024 algorithm with a unique key. If you want to restore your files please follow the instructions:
1. Send email to, with the following files in attachment:
– FILE1.BIN and FILE2.BIN files (check your desktop and local disks to find these files or just use Windows Search.
– One of your encrypted personal file for test decryption. Supported types: DOC/DOCX, JPG/JPEG, PDF. Maximum file size: 3 Mb.
2. Wait for email from us containing:
– Your decrypted file, proving that we can really help you.
– Decryption price and payment details.
3. Make payment.
4. Receive decryption key and detailed instructions how to decrypt your files.
– You must contact us in 24 hours, unless the price will rise.
– Nobody can help you except us. It is useless to reinstall Windows, rename files, etc.
– Your files will be decrypted as quick as you contact us and make payment.

If you have any question, please feel free to ask.

Contact email:

Paying up is strongly unadvised. You might be unable to unlock your files in the end, but also, might not be contacted back by the cyber crooks at all. That could serve as an inspiration to them to make the ransomware tougher.

The KeyBTC ransomware is really specific as it scans infected computers for only 17 file types. Nonetheless, they are still the most widely used file types used by Windows users on a global scale. The encryption is a combination of PGP and RSA using open source and free software to achieve it. For the time being, this is the known list of extensions which are encrypted:

→.pdf, .rtf, .accdb, .slddrw, .zip, .rar, .max, .jpg, .mdb, .xls, .xlsx, .doc, .docx, .cdr, .dwg, .1cd, .cd

After the encryption, all files have the extension .keybtc@inbox_com, which is also the email you are instructed to contact the ransomware creators. Shadow Volume Copies might not be of much use here, as files are not only encrypted but put into the .bin files mentioned earlier and not deleted as other ransomware types tend to do.

Remove KeyBTC Ransomware and Restore .keybtc@inbox_com Encrypted Files

If your PC is infected by the KeyBTC ransomware, you should have a bit experience with removing malware. You should consider removing the malware as it might reach other files if you connect to a network or an external storage device. The recommended course of action is for you to remove the ransomware by following the step-by-step instructions provided down here.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share