Keygen: Real-life threat protection for merchants


Keygens or key generator files can be used to produce keys or serial numbers to authenticate an application. These types of files are usually infected with some sort of virus as they come from questionable sources. This month our SOC (Service Operations Centre) team dealt with 6,843 automatic security actions and 187 SOC team interventions. This specific keygen file we’ll look at was one of the top 5 infections we dealt with this month.

Note: An automatic security action is when our security tools directly deal with the malicious file by detecting, blocking or quarantining the file. SOC team interventions are when our SOC team reviews the quarantined files and works with the merchant to deal with suspect files.

On this call, our agent speaks to a merchant who has downloaded an application that contains a keygen, unknowingly putting their computer at risk from a ransomware attack. The merchant is subscribed to our Proactive Data Security (PDS) service; this means they will receive real-time threat protection from the security tools deployed and when a threat is detected, the SOC team reach to the merchant and advise on the situation.

What is a keygen?

When anyone downloads a piece of software (a programme, application, or game) onto a device, they are often asked to activate or register the software. Normally a product activation key can be found physically on the software box or sent by email. Sometimes activation of a programme can be done without the user activating with a key; this can be done through specific coding of the programme.

What happens if the programme is from an unlicensed or pirated source? This is where keygens are used. It essentially allows the user to use a programme without paying. It does this by trying a few hacks:

  • They can use different password hacks to generate a key that will work for the specific programme.

  • Some Keygens hack the programme itself to find the database of correct keys, providing you with one of many to activate the software.

  • Keygen programmes can even go as far as hacking the software itself to input its own new key that will be accepted.

By using one of these hacks, a keygen will give you full access to an unlicensed product. In our merchant’s case, the infected file was 2017 Release 1.exe. Our premium antivirus and containment software quarantined this file.

Note: To quarantine a file is to place it into a secure location on the device where it has no interaction with any other file or location on the host device. Our software provides its own quarantine location.

2017 Release 1.exe

This specific Keygen would be used on Windows devices to licence Microsoft applications. These applications could be the Microsoft Office Suite or even a version of Windows. Small businesses will often use unlicensed software to cost cut without knowing the dangers of using pirated software. In our merchant’s case, 2017 Release 1.exe was infected with a trojan called Trojan.Bulz.

Example of a product activation screen that a keygen can be used on.
A Keygen can be used to bypass a product activation screen like this one. Source.


Trojan’s will disguise themselves as legitimate software or attach themselves to a seemingly legitimate piece of software. In this case, Trojan.Bulz was attached to a file that promised to install an unpaid version of a Microsoft product.

Trojan.Bulz, upon investigation from the SOC team, contained a piece of ransomware. This variety of malware can have serious ramifications on businesses of any size. The impact it can have on small to medium-sized businesses can be crippling.

Note: Ransomware will encrypt your data and ask for a ransom (monetary or informational) to be paid for the return of data.

What’s the cost?

Having unlicensed, illegitimate copies of software can be very harmful. It can lead to several different issues for the user:

  • As they often come from questionable sources, they will often be targeted by cyber-criminals for infection. Leading to further attacks. In this case, if our antivirus protection had not quarantined the file, the merchant would have been subject to a ransomware attack.

  • A potential loss in business functionality would be possible. As this software did not come from the correct vendor, like Microsoft, the merchant would not have received the support that is available when you are using a properly licensed product. If the software stopped working, the merchant might have lost access to essential business documents.

  • Software will not receive important patching from the vendor. Having unpatched or out of date software will leave the entire device and business at risk. Unpatched software will create vulnerabilities that cybercriminals can use to gain access to your device. From here, they can perform any number of attacks they desire on a device.

As was stated before, this file was infected with a piece of Ransomware. Ransomware attacks can have monetary and reputational effects on a business. It can do this by holding certain files ransom in exchange for money or information. A large monetary ransom can seriously damage a small business and go as far as putting the company out of business. If the cyber criminal is demanding information this could damage the businesses reputation. A common ransom is to obtain databases containing customer phone numbers and email addresses. The hackers would then use this information to perform large scale phishing or vishing attacks. As a business, it would be the owner’s duty to inform customers of this unfortunate data theft, negatively impacting reputation.

Note: Phishing, a social engineering attack that uses texts or emails to trick a person into believing they are providing information to a reputable business. Vishing or voice phishing is similar but uses phone calls and voice mails to obtain this information.

Going forward

A key aspect of our calls with merchants is to ‘future proof’ them, educating business owners on the dangers of having these types of files and malware present on a computer.

  • Here our agent explains that from now on, any potentially harmful files will be quarantined and explains the process. However, to completely steer clear of these files, we take steps to inform the merchant how to avoid these types of files in the future.

  • Our agent informed the merchant that they should only obtain legitimate software from legitimate vendors. The cost of the software far outweighs the potential cost a breach or attack could have on a business

  • Our agent explained that legitimate software comes with many benefits that can help a business and make them more secure. Patching and technical support are usually available for software purchased from a vendor like Microsoft.

Issue Encountered

Action Taken by SOC


This merchant had attempted to download and install an illegitimate copy of a Microsoft product.

Unfortunately, this software and the keygen it came packaged with was infected with a piece of malware call Trojan.Bulz, a trojan.

If gone unnoticed, this could have led to a ransomware attack on this small business.

The keygen was picked up by our antivirus and quarantined immediately.

Once our SOC team received this notification, a call was made to inform the merchant of this action. On the call, our agent explained what this file was, why it was a risk, and finished up by future-proofing the merchant.

With the SOC teams’ intervention, this merchant no longer has an infected file on their device.

Going forward, the merchant will know the dangers of having illegitimate software on their device. They also learned the benefits of having legitimate, licensed software installed.

These pieces of malware are just a small percentage of the 2,550 unique pieces of malware our security tools and SOC team have successfully identified this month. On top of this, another 332 merchants have decided to opt into the excellent real-time virus protection service we offer.

If you missed our last piece on the SOC team, we discussed how we helped a merchant remove adware from their device. You can read this here.

Like this Article?

Subscribe to receive more tips & news about Cyber Security, Compliance and a lot more!

  • Sysnet Global Solutions will use the information you provide on this form to be in touch with you regarding non-promotional as well as promotional material by email and phone. If you agree to same, then please select the ‘I consent’ box after reading the terms and conditions listed below in relation to consent. You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, update your preferences for communications, content etc. by clicking on the update my preferences button in any email we send you or by contacting us at We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms. We use Pardot as our marketing automation platform. By clicking below to submit this form, you acknowledge or agree that the information you provide will be transferred to Pardot for processing in accordance with their Privacy Policy and Terms