The curious case of the Domino Ransomware, a Windows Crack, and a Cow

Share this…

The Domino Ransomware is a new infection discovered by Daniel Gallagher and Michael Gillespie that is based off of the Hidden Tear open-source ransomware project.  What makes this variant interesting is that it pretends to be the KMSPico Windows activation crack that will actually install KMSpico, but also encrypt a victim’s files as an added bonus. It should be noted that this does not appear to be the official KMSpico program, but rather a modified installer.

KMSpico Installer
KMSpico Installer

When the KMSpico installer is executed, it will extract a random named file into the %Temp% folder. This file is then executed and will extract a password-protected zip file called The password to this file is abc123456 and contains two files; a help.exe and a HelloWorld.exe file.  The help.exe is the encryptor, which will encrypted files and add the .domino extension to them, while the HelloWorld will display a ransom note.

This ransom note is titled HelloWorld! and contains instructions on how to pay the ransom and contact the developer at Included in the ransom note is a Game of Throne’s reference of  “Winter Is Coming!”, but even better there is an ascii cow!

Ransom Note

Overall, there is nothing of particular interest about this ransomware other then that its distributed as KMSpico, and even better, contains a ascii cow! I mean who doesn’t like cows?

It’s Hidden Tear, so Michael’s Hidden Tear Brute Forcer will be able to brute force the decryption key so a victim can get their files back.