New KeyPass Ransomware Campaign Infects Users in Over 20 Countries

August 17, 2018


A new ransomware variation – known as KeyPass ransomware – is being utilized in a fresh campaign that has seen several sufferers created throughout the world. Although Vietnam and Brazil have taken the burden of the attacks, there have been sufferers in over 20 countries with the list rising daily. KeyPass ransomware is written in C++ and is a variation of STOP ransomware.

Presently it is not identified how the KeyPass ransomware attacks are happening. Some safety scientists indicate the ransomware is being bundled with bogus software installers and bogus varieties of the KMSpico cracking tool, even though that doesn’t seem to be the situation with all infections. Other methods of dispersal are therefore doubted including RDP attacks, drive-by-downloads, and spam electronic mail.

When downloaded, the payload is copied to the %LocalAppData% file and the original file is erased. Contrary to several ransomware variations, KeyPass ransomware counts all local drives and network shares and examines for all files on the infected appliance, only omitting specific file directories which are hardcoded in the ransomware. When encoded, the files are provided the KEYPASS file extension.

Scientists at Kaspersky Lab have examined the ransomware and inform that it uses “AES-256 in CFB mode with zero IV and the same 32-byte key for all records,” with a maximum of 0x500000 bytes of data encoded from the start of each file. Communication between KeyPass ransomware and its C2 server is in JSON through simple HTTP. Encryption is still possible even though the C2 server can’t be communicated. In such instances, a hardcoded key and ID is used.

The authors ask a ransom of $300 to provide the key to open the encoded records. Contact should be made within 72 hours of infection to ensure that price. The attackers offer to decrypt 1-3 small records free of cost as a demo that they have the capability to open the encryption.

Kaspersky Lab scientists notice that the creators of KeyPass ransomware have incorporated the functionality to take manual control and tailor the encryption procedure. This indicates the ransomware might be used in attacks after access to a computer has been gained. This would let the attackers, among other things, to modify the ransom amount.

There is no free decryptor. Retrieval without paying the ransom is only probable by reestablishing encrypted files from standbys.

Defending against attacks needs standard best practices to be accepted including setting robust, exclusive passwords for RDP, making certain RDP can’t be retrieved through the internet, and using rate restricting to avoid brute force attacks. Caution must be exercised when opening electronic mails, an effective spam and web sieving solution must be installed, and a strong antivirus solution must be in place. Obviously, regular backups must be carried out with at least one copy stowed on an air-gapped appliance.