KeyPass Ransomware Help & Support Topic (.KEYPASS)


26 replies to this topic

#1 ganesya

ganesya

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 09 August 2018 - 05:38 AM

Hi, this morning my laptop showed so many ransom files & messages in .txt files. I tried some antivirus to delete those files but it is not working, and I tried to find it in ID Ransomware but it cannot find .KEYPASS.

Please advise what I should do.

Many thanks

 

Attention! 
 
All your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS
 
The only method of recovering files is to purchase an decrypt software and unique private key.
 
After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.
 
Only we can give you this key and only we can recover your files.
 
You need to contact us by e-mail keypass@bitmessage.ch send us your personal ID and wait for further instructions.
 
For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.
 
Price for decryption $300. 
 
This price avaliable if you contact us first 72 hours.
 
 
 
 
 
 
 
E-mail address to contact us:
 
keypass@bitmessage.ch
 
 
 
Reserve e-mail address to contact us:
 
keypass@india.com
 
 
 
Your personal id:
3oea4X887i6AfaMLvQKS3QBoQIhKTsxmMaigPGfr
 




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,751 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:12 PM

Posted 09 August 2018 - 07:28 AM

If ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you in your next reply for Demonslay335 to manually inspect the files.


Samples of encrypted files, ransom notes, any related files or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button... it's best to zip (compress) all files before sharing. Doing that will be helpful with analyzing and investigating by our crypto malware experts.

#3 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,561 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:12 PM

Posted 09 August 2018 - 08:28 AM

My alerts got flooded this morning with submissions from around the world on this one. I've set out a hunt to identify it or find a malware sample.

 

https://twitter.com/demonslay335/status/1027546863883505664

 

It would be most helpful if you can find the malware executable and provide that. Also information on how you got infected may help (downloaded something, opened an attachment, RDP hacked, etc.).


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 ganesya

ganesya
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 10 August 2018 - 12:00 AM

Hi @Demonslay335, sorry, I can't provide the malware file, because I used safe mode to delete the file that I suspected was dangerous.

I think the problem first started when I downloaded KMS Pico; after that so many applications auto-installed on my laptop, but I already uninstalled all of them.

857074c01c3c4ba0075fed2acbc571227e8d0027 maybe this ID can help



#5 die11350

die11350

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:12 AM

Posted 10 August 2018 - 01:55 AM

I have the same problem. I downloaded files from that website and got infected.

httpx://cracksfiles.com/2018/06/nch-videopad-video-editor-professional-crack-full-version-free/

#6 Amigo-A

Amigo-A

  • Members
  • 583 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:02:12 AM

Posted 10 August 2018 - 05:41 AM

Probably, this is a new variant of STOP Ransomware

 

It does self-cleaning after encryption. Since December 2017, we have not been able to find its exe file.
Yes, it is known that it spreads through sites with hacked, patched, repackaged software.
 
It's sad that search engines contribute to this spread and do not block such malicious sites.
 
 
ganesya
die11350
From the site you indicated, several malicious programs that could encrypt files in parallel or independently of each other could have been downloaded.
It would be very helpful if you told us which files were downloaded and from which links.
I can single out a machine for direct or virtual tests.

Edited by Amigo-A, 10 August 2018 - 06:08 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#7 kacipo

kacipo

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:12 AM

Posted 10 August 2018 - 05:49 AM

Hi, I've been dealing with this problem since yesterday, and there's no information whatsoever about keypass on the website.
So, in my case, we have several computers connected via a network. We don't use a server.

 

The infection spread suddenly yesterday. We've determined the source of the infection to be one of the computers in the network.

When the infection started, he didn't install anything or browse any malicious website (although I cannot be 100% sure of this).

 

Anyway, on his computer, all the files turned into *.CRAB; in Explorer, it stated KEYPASS File.

His computer is screwed, all of his files turned into .CRAB.

Then it also infected several other computers, but on the other computers, the files turned into *.KEYPASS, not *.CRAB.

So, CMIIW, probably this is another variant of .CRAB?

(Unfortunately, I cannot send you the original file, since we don't know what caused it.)

 

So, back to the story. After he realized that there was an infection on his computer, he unplugged his network cable.

Since that moment, it looks like the infection has stopped spreading.

How do I know?

Like, there's a folder containing 10 files; only 3 were encrypted, and 7 are still in their original state.

 

My question is:

It's been 2 days, and that folder is still in that state, with 3 encrypted and 7 still normal.

Has the infection really stopped, or is it still lurking somewhere in the PC/network?

Since not all the files are encrypted, how do I safeguard them? Will backing them up to an external hard disk be enough?

Please advise.

Thanks



#8 Amigo-A

Amigo-A

  • Members
  • 583 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:02:12 AM

Posted 10 August 2018 - 05:56 AM

kacipo
 
From any malware site, several malicious programs that could encrypt files in parallel or independently of each other could be downloaded.

It would be very helpful if you told us which files were downloaded and from which links.
I can single out a machine for direct or virtual tests.

Edited by Amigo-A, 10 August 2018 - 06:04 AM.



#9 kacipo

kacipo

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:12 AM

Posted 10 August 2018 - 06:07 AM

 

kacipo
 
From any malware site, several malicious programs that could encrypt files in parallel or independently of each other could be downloaded.

It would be very helpful if you told us which files were downloaded and from which links.
I can single out a machine for direct or virtual tests.

 

That's the problem. I asked the guy, and he told me that he wasn't browsing anything/installing anything. I'll try to ask him again, although there's no telling whether he's telling the truth or hiding something.



#10 Amigo-A

Amigo-A

  • Members
  • 583 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:02:12 AM

Posted 10 August 2018 - 06:13 AM

kacipo

I must say that malicious programs can use the browser for secret installation. You can get the malware even in standby mode (while the timer is spinning). You need to establish the exact location of the downloaded files and their position in the download list (there I see four links).
You can tell him to reproduce his actions sitting at the computer; I will repeat them and perhaps we will catch the harmful file in the same way.

Edited by Amigo-A, 10 August 2018 - 06:14 AM.



#11 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,561 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:04:12 PM

Posted 10 August 2018 - 08:23 AM

I've seen many submissions of GandCrab and this variant of KEYPASS together, so seems these victims are hit by two ransomwares at once. No way to decrypt, you'll have to restore from backups.




#12 kacipo

kacipo

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:12 AM

Posted 10 August 2018 - 08:55 AM

I've seen many submissions of GandCrab and this variant of KEYPASS together, so seems these victims are hit by two ransomwares at once. No way to decrypt, you'll have to restore from backups.

Thanks for the response. So I have 1 computer, which is the source.

What do you recommend we do with this computer? Is there a way to wipe the hard drive clean, or is it a lost cause?

And I have 2 other computers, on which only several folders were affected.

Are those computers compromised also, or is it safe to use them?

Only several folders were affected, and it seems like the infection has stopped.

 

Thanks



#13 zedude

zedude

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 13 August 2018 - 08:54 AM

Hello,

 

Could anyone provide the full malicious link so I can try to get the malware file and do an analysis?

Thanks

Regards



#14 Amigo-A

Amigo-A

  • Members
  • 583 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:3st station from Sun
  • Local time:02:12 AM

Posted 13 August 2018 - 09:35 AM

zedude

 

The virus is located at the link in post #5 of this topic and on other pages of this site.
For me, this does not work; it needs another country for the virus to launch an attack.



#15 zedude

zedude

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:11:12 PM

Posted 13 August 2018 - 09:44 AM

Hello

 

Thanks for the update.

Don't bother, I got the file: analysing it...





