New Variant of KeyPass Ransomware Discovered

A new variant of the KeyPass ransomware has been gaining traction in August and is using new techniques like manual control to customize its encryption process, researchers said Monday.

Researchers at Kaspersky Lab who posted about the trojan said that it is being propagated by means of fake installers that download the ransomware module.

“According to our statistics, the criminals have begun spreading the ransomware only a few days ago,” Orkhan Mamedov, malware analyst at Kaspersky Lab, told Threatpost today. “The information contained in the executable PE header confirms the assumption that the trojan was created recently.”

The trojan sample discovered was written in C++ and compiled in MS Visual studio, researchers said. While they wouldn’t go into any further details about possible targets, research shows that samples of the malware have been mainly found in Brazil and Vietnam.

Once on the victim’s computer after being distributed via fake installers, the trojan copies its executable to the local app data folder (%LocalAppData%) and launches it. It then deletes itself from the original location.

Following that, the trojan generates several copies of its own process to pass along the encryption key and victim ID as command line arguments.

“KeyPass enumerates local drives and network shares accessible from the infected machine and searches for all files, regardless of their extension,” researchers said. “It skips files located in a number of directories, the paths to which are hardcoded into the sample.”

Each of these encrypted files gets an additional extension: “.KEYPASS,” as well as ransom notes named “”!!!KEYPASS_DECRYPTION_INFO!!!.txt”” that are saved in each processed directory.

“A lot of ransomware write the amount of ransom right in the ransom note left on the infected machine,” said Mamedov. “The KeyPass Trojan is not an exception. The text of the note is stored inside the malware and the amount of $300 is specified there.”

If the C&C is inaccessible – or if the infected machine is not connected to the internet or the server is down – the trojan can use a hardcoded key and ID. That means that in the case of offline encryption it won’t be difficult to decrypt the victim’s files, researchers said.

Manual Control

The trojan contains a form that is hidden by default – but also contains manual control, meaning its form  can be shown after pressing a special button on the keyboard. This capability might be an indication that the criminals behind the trojan intend to use it in manual attacks.

While this feature does not mean much for the victim, it is just a characteristic that researchers found notable to describe as it is uncommon among other ransomware families, Mamedov told Threatpost.

This form allows the attacker to customize the encryption process by changing such parameters as, encryption key, name of ransom note, text of ransom note, victim ID, extension of the encrypted files, and list of paths to be excluded from the encryption. Due to the ability of manual encryption, the criminal can easily change the price of the decryption, Mamedov said.

“The malware operates automatically by default,” he said. “However, if the criminal was somehow able to gain the remote control to the infected system, the Trojan allows the criminal to modify the default encryption parameters.”

Users can protect themselves from the KeyPass ransomware by always having backups, installing software only from the trusted sources, using only strong passwords for RDP access and using a reliable security solution.