In the last few days, some of the anti-ransomware systems have detected a new variant of malware – KeyPass ransomware and others have also noticed that this ransomware began to actively spread in August.
According to reports, the malware is propagated by means of fake installers or fake software activation tools, fake software update tools, spam emails with infectious/malicious attachments, unofficial software download sources (free tools download sites, P2P networks) and Trojans. Once these are open/run, it download & installs the ransomware module and provide backdoor to infiltrate the network.
KEYPASS is a high-risk ransomware-type virus that stealthily infiltrates the system and encrypts most of stored data. It is suspected that this malware to be an updated variant of another ransomware called STOP. While encrypting, KEYPASS appends filenames with “.KEYPASS” extension (e.g., “sample.jpg” is renamed to “sample.jpg.KEYPASS”). Once encrypted, data instantly becomes unusable. Following successful encryption, KEYPASS generates a text file (“!!!KEYPASS_DECRYPTION_INFO!!!.txt”) and drops its copy in every existing folder.
The Trojan sample is written in C++ and compiled in MS Visual Studio. It was developed using the libraries MFC, Boost and Crypto++. The PE header contains a recent compilation date.
When started on the victim’s computer, the Trojan copies its executable to %LocalAppData% and launches it. It then deletes itself from the original location.
Following that, it spawns several copies of its own process, passing the encryption key and victim ID as command line arguments.
KeyPass enumerates local drives and network shares accessible from the infected machine and searches for all files, regardless of their extension. It skips files located in a number of directories, the paths to which are hardcoded into the sample.
Every encrypted file gets an additional extension: “.KEYPASS” and ransom notes named “”!!!KEYPASS_DECRYPTION_INFO!!!.txt”” are saved in each processed directory.
The developers of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm AES-256 in CFB mode with zero IV and the same 32-byte key for all files. The Trojan encrypts a maximum of 0x500000 bytes (~5 MB) of data at the beginning of each file.
Soon after launch, KeyPass connects to its command and control (C&C) server and receives the encryption key and the infection ID for the current victim. The data is transferred over plain HTTP in the form of JSON.
If the C&C is inaccessible (e.g. if the infected machine is not connected to the internet or the server is down), the Trojan uses a hardcoded key and ID, which means that in the case of offline encryption the decryption of the victim’s files will be trivial.
The most interesting feature of the KeyPass Trojan is the ability to take ‘manual control’. The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This capability might be an indication that the criminals behind the Trojan intend to use it in manual attacks.
This form allows the attacker to customize the encryption process by changing such parameters as:
- Encryption key
- Name of ransom note
- Text of ransom note
- Victim ID
- Extension of the encrypted files
- List of paths to be excluded from the encryption
Screenshot of files encrypted by KEYPASS (“.KEYPASS” extension):
How to protect yourself from ransomware infections:
Everyone should know that lack of knowledge and reckless behavior are the main reasons for system infections – caution is the key to its safety. Therefore, paying close attention when browsing the Internet and downloading/installing software is a must. It is highly recommend to think twice before opening email attachments. Irrelevant files and those received from suspicious email addresses should never be opened. Aside from that, users should download software only from official sources, using direct download links. Third party downloaders/installers often include rogue apps, which is why such tools shouldn’t be used. It is also important to keep installed software up-to-date. However, this should be achieved through implemented functions or tools provided by the official developers only. On top of all that, having a reputable anti-virus/anti-spyware/anti-malware suite installed and running is paramount. If your computer is already infected with KEYPASS, it is recommended you run a scan.
Following is the key to survive and recover from any ransomware attack
- Always backup your system and critical data.
- Keep your system patched/updated regularly for known vulnerabilities.
- Keep all application software patched/updated regularly.
- Install/Setup Anti-virus/Anti-Spyware/Anti-Malware/IDS-IPS on the system and enable full protection at all times.
- Do not install freeware/spyware/cracked software/keygens etc. at any cost.
- Ensure your system is protected fully before you connect to any server remotely as this will spread to all connected systems.
- It is always recommended to create multiple system restore points on desktop and create snapshots or checkpoints on servers as this will help in recovering from such attacks.
- Any suspicious activity seen on the system should be reported to the IT / Security team within the organization.
- All internet access from within the office premises should go through a perimeter security device that scans and protects for inbound and outbound access.
- Never disable the Anti-virus/Anti-spyware/Anti-malware/Intrusion detection-prevention, system protection on user desktops, servers and perimeter devices.