Test subject – KeyPass ransomware
Emerged last month, KeyPass is one of the first ransomware who managed to get noticed not just because of a significant distribution campaign, but also because of its new features. It was spotted in more than 20 countries around the world and has attacked a few hundred so far. However, its peculiarities are more interesting, as Keypass can be manually controlled, its encryption process can be customized by opening its UI and modifying its parameters, such as encryption key, ransom note, victim ID, extensions used and list of excluded paths. This is an indication that the criminals intend to use this malware in targeted, manually executed attacks. Most probably, businesses will be the targets of choice for these criminals, hacking into their infrastructure and manually launching customized attacks.
KeyPass ransomware test facts
When executed, KeyPass will first copy itself to %LocalAppData%, spawn its process several times, passing the encryption key and victim ID as parameters. Then, it will drop a text file in all attacked folders, containing the ransom note, including network drives and shares. Then, it will encrypt the first 5MB of data in each file, speeding up the process. It’s not picky about file extensions either, as it will completely disregard them, encrypting everything and appending the “.keypass” extension. The encryption key is received from the command and control server if this is accessible. It can be intercepted and used later to decrypt if traffic is captured during the initial phase of the attack. If the C&C server is inaccessible, KeyPass will use hardcoded keys and IDs to continue the encryption process. However, free decrypting tools could be developed and used in this case to recover the files.
The cybercriminals demand $300 for the recovery of files, without specifying any cryptocurrency. These low sums we see lately are likely to be paid by desperate victims; however, we will never recommend paying. We also discourage any attempt to contact the attackers, as passed information can be used against the victims.
These features are new even for recently released ransomware and points to a future where businesses are in great danger unless dedicated solutions are implemented.
KeyPass ransomware test results
TEMASOFT Ranstop detects KeyPass ransomware easily once it starts encrypting files. Upon detection, the user is alerted, and the ransomware process is killed and quarantined. The affected documents are automatically recovered so that the user doesn’t lose her important documents.
About TEMASOFT Ranstop
TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.
For more information, follow us on social media and subscribe to our newsletter.