August 17, 2018
A new ransomware variation – known as KeyPass ransomware – is being used in a latest campaign that has seen a lot of sufferers created throughout the world. Although Vietnam and Brazil have taken the impact of the attacks, there have been sufferers in over 20 countries with the list increasing by the day. KeyPass ransomware is written in C++ and is a variation of STOP ransomware.
Presently it’s not known how the KeyPass ransomware attacks are happening. Some safety scientists propose the ransomware is being bundled with bogus software installers and bogus varieties of the KMSpico cracking tool, even though that doesn’t seem to be the case with all infections. Other ways of dispersal are therefore doubted including RDP attacks, drive-by-downloads, and spam electronic mail.
As soon as downloaded, the payload is copied to the %LocalAppData% folder and the original file is erased. Contrary to several ransomware variations, KeyPass ransomware counts all local drives and network shares and hunts for all files on the infected appliance, only avoiding specific file directories which are hardcoded in the ransomware. As soon as encrypted, the files are provided the KEYPASS file extension.
Scientists at Kaspersky Lab have examined the ransomware and inform that it uses “AES-256 in CFB mode with zero IV and the same 32-byte key for all files,” with a maximum of 0x500000 bytes of data encrypted from the start of each file. Interaction between KeyPass ransomware and its C2 server is in JSON through simple HTTP. Encryption is still possible even though the C2 server can’t be contacted. In such situations, a hardcoded key and ID is used.
The authors require a ransom of $300 to supply the key to unlock the encrypted files. Contact should be made within 72 hours of infection to pledge that price. The attackers offer to decrypt 1-3 small files without charge as a proof that they have the ability to unlock the encryption.
Kaspersky Lab scientists note that the creators of KeyPass ransomware have incorporated the functionality to take manual control and tailor the encryption procedure. This indicates the ransomware might be used in attacks after access to a computer has been gained. This would let the attackers, among other things, to modify the ransom amount.
There is no free decryptor. Retrieval without paying the ransom is only possible by restoring encrypted files from standbys.
Safeguarding against attacks needs standard best practices to be adopted including setting strong, exclusive passwords for RDP, making certain RDP can’t be retrieved through the internet, and using rate limiting to avoid brute force attacks. Caution must be exercised when opening electronic mails, an effective spam and web filtering solution must be installed, and a powerful antivirus solution must be in place. Obviously, regular backups must be performed with at least one copy stored on an air-gapped appliance.