New Variant of KeyPass Ransomware Discovered
If the infected machine is not connected to the internet or the server is down – the trojan can use a hardcoded key and ID. That means that in the case of offline encryption it won’t be difficult to decrypt the victim’s files.
The trojan contains a form that is hidden by default – but also contains manual control, meaning its form can be shown after pressing a special button on the keyboard. This capability might be an indication that the criminals behind the trojan intend to use it in manual attacks.
This feature means little for the victim; researchers noted it only because built-in manual control is uncommon among ransomware families.
This form allows the attacker to customise the encryption process by changing parameters such as the encryption key, the name and text of the ransom note, the victim ID, the extension appended to encrypted files, and the list of paths excluded from encryption. Because the encryption can be controlled manually, the criminal can also easily change the price of decryption. The malware operates automatically by default; however, if the criminal manages to gain remote control of the infected system, the trojan lets them modify the default encryption parameters.
Users can protect themselves from the KeyPass ransomware by always keeping backups, installing software only from trusted sources, using strong passwords for RDP access and using a reliable security solution. You should also not expose any remote desktop service directly to the internet; using a VPN for remote access is recommended to avoid ransomware attacks like KeyPass. If you do not have a good anti-malware program, it is recommended to invest in professional software to keep yourself safe. Do not download pirated software or open attachments without scanning them, as added measures of protection. It is also recommended to update your OS and software regularly so that vulnerability patches are applied on time.
For more information, kindly contact the VpsCity team as per our Contact Us page (https://vpscity.co.nz/contact-us).
A new variant of the KeyPass ransomware has been gaining traction in August and is using new techniques, such as manual control, to customise its encryption process. It is being propagated by means of fake installers that download the ransomware module. The trojan sample discovered was written in C++ and compiled in MS Visual Studio.
Once on the victim’s computer after being distributed via fake installers, the trojan copies its executable to the local app data folder (%LocalAppData%) and launches it, then deletes itself from the original location. Following that, the trojan generates several copies of its own process, passing the encryption key and victim ID along as command line arguments. KeyPass enumerates local drives and network shares accessible from the infected machine and searches for all files, regardless of their extension. It skips files located in a number of directories, the paths to which are hardcoded into the sample. Each encrypted file gets an additional extension, “.KEYPASS”, and a ransom note named “!!!KEYPASS_DECRYPTION_INFO!!!.txt” is saved in each processed directory.
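The two file-system artefacts described above (the “.KEYPASS” extension and the ransom note dropped in every processed directory) are what an incident responder would sweep for to measure how far an encryption run got. The script below is an added example written for this page, not code from the original article or from any vendor tool; it walks a directory tree, collects both indicators, and reports the affected directories. The sample tree it builds is constructed for the demonstration and does not come from a real infection.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: the extension appended to encrypted
# files and the name of the ransom note saved in each processed directory.
KEYPASS_EXTENSION = ".KEYPASS"
RANSOM_NOTE_NAME = "!!!KEYPASS_DECRYPTION_INFO!!!.txt"


def sweep_for_keypass(root):
    """Walk `root` and collect KeyPass file-system indicators.

    Returns a dict with the encrypted files (matched by extension), the
    directories holding a ransom note, and the union of affected directories,
    so a responder can see which parts of the tree the run reached.
    """
    root = Path(root)
    encrypted = []
    note_dirs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        for name in filenames:
            if name == RANSOM_NOTE_NAME:
                note_dirs.append(d)
            elif name.upper().endswith(KEYPASS_EXTENSION):
                encrypted.append(d / name)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_note_dirs": sorted(note_dirs),
        "affected_dirs": sorted({p.parent for p in encrypted} | set(note_dirs)),
    }


def build_sample_tree():
    """Create a constructed directory tree mimicking a partial KeyPass run.

    Two directories carry encrypted files plus a ransom note; a third is
    untouched. This is constructed sample data, not a real infection.
    """
    base = Path(tempfile.mkdtemp(prefix="keypass_demo_"))
    docs = base / "Documents"
    photos = base / "Pictures"
    clean = base / "Untouched"
    for d in (docs, photos, clean):
        d.mkdir()
    (docs / "report.docx.KEYPASS").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE_NAME).write_text("constructed note text")
    (photos / "holiday.jpg.KEYPASS").write_bytes(b"\x00" * 16)
    (photos / RANSOM_NOTE_NAME).write_text("constructed note text")
    (clean / "notes.txt").write_text("not encrypted")
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    result = sweep_for_keypass(base)
    for p in result["encrypted_files"]:
        print("encrypted file:", p.relative_to(base))
    for d in result["ransom_note_dirs"]:
        print("ransom note in:", d.relative_to(base))
    print("affected directories:", len(result["affected_dirs"]))
```

Run it against a mounted image or a restored share rather than a live infected host, and treat the list of affected directories as the scope for restoring from backup; the sweep matches on names only and does not attempt to decrypt anything.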
Many ransomware families write the ransom amount directly in the note left on the infected machine, and the KeyPass trojan is no exception. The text of the note is stored inside the malware, and the amount is specified there.