KeyPass: Ravenous ransomware

KeyPass ransomware is infecting computers worldwide, encrypting almost everything in its path. And it all starts with downloading a seemingly innocuous installer.

We recently wrote a post about how a downloaded book or mod for a game can be accompanied by something nasty. Over the past few days, we’ve been observing a fresh case study in the shape of KeyPass ransomware, which is distributed in exactly that manner. You download a seemingly harmless installer, which then installs the malware on your computer.

KeyPass is a very indiscriminate piece of ransomware. It infects computers around the world, with no political or racial preferences. In just 36 hours — from the evening of August 8 till August 10 — the ransomware cropped up in more than 20 countries. At the time of this writing, Brazil and Vietnam were the hardest hit, but it claimed victims in Europe and Africa, too, and the malware continues to conquer the globe.

Take no prisoners, leave no files unencrypted

KeyPass is also undiscerning in its choice of hostage files. Many ransomware species hunt documents with specific extensions, but this one bypasses only a few folders. All other content on the computer is transformed into mumbo jumbo with the extension .keypass. It doesn’t actually encrypt files in their entirety, just the first 5MB of each, but that’s little consolation.

In “processed” directories, the malware leaves a note in TXT format in which its creators demand (in rather bad English) that victims purchase a program and an individual key for file recovery. To convince victims that they won’t just be wasting their money, they are invited to send 1–3 files for the cybercriminals to decrypt free of charge.

The attackers demand $300 to return the files, with the caveat that this price is valid only for the first 72 hours after infection. For detailed instructions on how to recover your documents, you are supposed to contact the scammers at one of two e-mail addresses and send them your ID as specified in the note. However, we recommend not paying the ransom.

A peculiar feature of KeyPass is that if for some reason the computer is not connected to the Internet when the malware starts working, the malware cannot retrieve the personal encryption key from the C&C server. In that case, it uses a hard-coded key, meaning that the files can be decrypted without any trouble; the key is already at hand. Unfortunately, in other cases, you won’t get off so lightly: Despite the fairly simple implementation, the cybercriminals made no errors with the encryption.

In the cases we know about, the malware acted automatically, but its creators provided a manual control option as well. They are clearly reckoning KeyPass will be distributed manually — that is, they plan to use it for targeted attacks. If the cybercriminals succeed in connecting to the victim’s computer remotely and uploading the ransomware to it, pressing a specific key will bring up a form in which they can change the encryption settings, including the list of folders that KeyPass ignores, plus the text of the ransom note and the private key.

How to protect your computer from KeyPass ransomware

A tool for decrypting files hit by KeyPass has yet to be developed, so the only way to keep your data safe is to proactively prevent infection. Well, it’s always better to be safe than sorry; dealing with the consequences of carelessness takes far more time and effort than avoiding them to begin with. Therefore, we recommend a few simple measures, which are just as effective for KeyPass, to protect against all ransomware:

  • Never download unknown programs from dubious sites or click on links if you have the slightest suspicion. This will help you steer clear of most malware stalking the Web.
  • Back up all important files. Check out this post for everything you need to know about backing up.
  • Use a reliable security solution that identifies and blocks suspicious programs before they can harm your computer. Kaspersky Lab’s security solutions, for example, feature an antiransomware module.