A new distribution campaign is underway for a STOP Ransomware variant called KeyPass, judging by the number of victims that have been seen. Unfortunately, how the ransomware is being distributed is unknown at this time.

The only information about how this ransomware is being distributed comes from what people have posted in the BleepingComputer forums. According to some of the posts, the ransomware appeared after the user downloaded and installed cracks such as KMSpico. Other reports state that it appeared on its own and that the victim did not install anything.

Based on submissions to ID Ransomware, there has been increased activity for this variant since August 8th, with submissions from over 20 countries.

You can see this uptick in submissions on ID Ransomware in the graph below.

ID Ransomware submissions

It should be noted that this ransomware, even though the names sound similar, has no relation to the popular KeePass password management utility.

What happens when KeyPass encrypts a computer

When a user becomes infected with the KeyPass ransomware, their files will be encrypted and then have the .KEYPASS extension appended to them. For example, a file called test.jpg would be encrypted and renamed to test.jpg.KEYPASS.

The ransomware will also create ransom notes named !!!KEYPASS_DECRYPTION_INFO!!!.txt that contain instructions to email either keypass@bitmessage.ch or keypass@india.com for payment instructions.

KeyPass Ransom Note

Unfortunately, not much more is known about this ransomware. If you are infected and want to discuss the ransomware or need help, you can use the dedicated KeyPass Ransomware Help & Support Topic.
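The two indicators the article gives, the appended .KEYPASS extension and the !!!KEYPASS_DECRYPTION_INFO!!!.txt note, are enough to triage a machine or a backup share. The following script is an added example and is not from the original article or from the ransomware's authors. It walks a directory tree, lists encrypted files and ransom notes, pulls the contact addresses and the per-victim ID out of each note, and recovers the original file name by stripping the appended extension. The sample folder it builds under a temporary directory is constructed here for the demonstration; the e-mail addresses are the ones from the ransom note above, while the ID value and file names are made up.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the article: appended extension and ransom-note file name.
ENCRYPTED_EXT = ".KEYPASS"
NOTE_NAME = "!!!KEYPASS_DECRYPTION_INFO!!!.txt"

# Contact addresses named in the note (keypass@bitmessage.ch, keypass@india.com).
CONTACT_RE = re.compile(r"[\w.+-]+@(?:bitmessage\.ch|india\.com)", re.IGNORECASE)
# The note ends with "Your personal id:" followed by the victim ID on the next line.
ID_RE = re.compile(r"Your personal id:\s*(\S+)", re.IGNORECASE)


def scan_for_keypass(root):
    """Walk `root` and collect KeyPass IOCs: encrypted files, ransom notes,
    contact addresses and the per-victim ID printed in each note."""
    result = {"encrypted": [], "notes": [], "emails": set(), "ids": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == NOTE_NAME:
                result["notes"].append(str(path))
                text = path.read_text(errors="replace")
                result["emails"].update(e.lower() for e in CONTACT_RE.findall(text))
                match = ID_RE.search(text)
                if match:
                    result["ids"].add(match.group(1))
            elif name.upper().endswith(ENCRYPTED_EXT):
                # The extension is appended, so the original name is still visible.
                result["encrypted"].append(str(path))
    result["encrypted"].sort()
    result["notes"].sort()
    return result


def original_name(encrypted_path):
    """test.jpg.KEYPASS -> test.jpg (KeyPass appends the extension, it does not replace it)."""
    p = str(encrypted_path)
    return p[: -len(ENCRYPTED_EXT)] if p.upper().endswith(ENCRYPTED_EXT) else p


def build_sample_tree():
    """Constructed sample tree (not real victim data) that mimics an infected folder.
    The ID value and file names are made up for this example."""
    root = tempfile.mkdtemp(prefix="keypass_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "test.jpg.KEYPASS").write_bytes(b"\x00" * 64)
    (docs / "report.docx.KEYPASS").write_bytes(b"\x00" * 64)
    (docs / "untouched.txt").write_text("still readable")
    (docs / NOTE_NAME).write_text(
        "Attention!\n"
        "All your files ... are encrypted and have the extension: .KEYPASS\n"
        "You need to contact us by e-mail keypass@bitmessage.ch\n"
        "Reserve e-mail address to contact us:\n"
        "keypass@india.com\n"
        "Your personal id:\n"
        "EXAMPLE-ID-0000\n"
    )
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        report = scan_for_keypass(sample_root)
        print(f"encrypted files: {len(report['encrypted'])}")
        for enc in report["encrypted"]:
            print(f"  {enc}  (was {original_name(Path(enc).name)})")
        print(f"ransom notes:    {len(report['notes'])}")
        print(f"contact e-mails: {sorted(report['emails'])}")
        print(f"victim IDs:      {sorted(report['ids'])}")
    finally:
        shutil.rmtree(sample_root, ignore_errors=True)
```

Run it against a mounted backup or a forensic image rather than the live infected host, and treat the extension match as a hint only: a file name ending in .KEYPASS is not proof of encryption by itself, but the combination of renamed files, the note, and the addresses in it is the pattern described in this article.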

How to protect yourself from the KeyPass Ransomware

As it is not known how the KeyPass Ransomware is distributed, you should follow these general guidelines to protect yourself. The most important step is to always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

You should also make sure that you do not have any computers running remote desktop services connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.

A good security software solution that incorporates behavioral detections to combat ransomware, rather than relying on signature detections or heuristics alone, is important as well. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not download cracks, as they are a major source of infections.
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent them to you.
  • Scan attachments with tools like VirusTotal.
  • Do not connect Remote Desktop Services directly to the Internet. Instead, make sure they can only be accessed by logging into a VPN first.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors, so it is important to keep them updated.
  • Make sure you have some sort of security software installed that uses behavioral detections or whitelisting technology. Whitelisting can be a pain to train, but if you're willing to stick with it, it could have the biggest payoff.
  • Use strong passwords and never reuse the same password at multiple sites.
  • BACKUP!

For a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.

Related Articles:

The Week in Ransomware - August 10th 2018 - BitPaymer & KeyPass

AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys

The Week in Ransomware - August 17th 2018 - Princess Evolution & Dharma

Princess Evolution Ransomware is a RaaS With a Slick Payment Site

Former Microsoft Engineer Gets 18 Months in Prison for Role in Ransomware Scheme

IOCs

Files:

!!!KEYPASS_DECRYPTION_INFO!!!.txt

Ransom Note text:

Attention! 

All your files, documents, photos, databases and other important files are encrypted and have the extension: .KEYPASS

The only method of recovering files is to purchase an decrypt software and unique private key.

After purchase you will start decrypt software, enter your unique private key and it will decrypt all your data.

Only we can give you this key and only we can recover your files.

You need to contact us by e-mail keypass@bitmessage.ch send us your personal ID and wait for further instructions.

For you to be sure, that we can decrypt your files - you can send us a 1-3 any not very big encrypted files and we will send you back it in a original form FREE.

Price for decryption $300. 

This price avaliable if you contact us first 72 hours.

E-mail address to contact us:

keypass@bitmessage.ch

Reserve e-mail address to contact us:

keypass@india.com

Your personal id:
[id]