Kaspersky Lab detects new variant of ransomware called KeyPass that uses fake installers

Just when people thought ransomware was losing its appeal among cybercriminals, SecureList, Kaspersky Lab’s cyber threat research and reporting site, along with other researchers in the security community, has been monitoring a new variant called KeyPass.

According to SecureList’s blog post, KeyPass ransomware started spreading this month and has been lingering and evolving in cyberspace while people are focused on the emerging cryptocurrency mining malware. It has been wreaking havoc globally, with Brazil and Vietnam the hardest hit.

Kaspersky describes KeyPass as an “indiscriminate piece of ransomware” that infected computers from Aug. 8 to Aug. 10 with no particular preference.

The security researchers explain that the ransomware uses “fake installers that download the ransomware module.” Once it has infected the victim’s computer, it copies “its executable to %LocalAppData% and launches it.”

Ransom note

Upon self-replication, the malware will pass the encryption key and victim ID.

KeyPass is also indiscriminate about what it encrypts: it scans all files regardless of file extension. “It skips files located in a number of directories, the paths to which are hardcoded into the sample,” the researchers write.

“Every encrypted file gets an additional extension: ‘.KEYPASS’ and ransom notes named ‘!!!KEYPASS_DECRYPTION_INFO!!!.txt’ are saved in each processed directory,” Kaspersky Lab explains.

The ransom note the malware leaves is a TXT file that instructs victims to “purchase a program and an individual key for file recovery.”
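The two artifacts quoted above give responders something concrete to search for when scoping an infection. The Python sketch below is an added example, not code from Kaspersky Lab or the original article: it walks a directory tree and reports every directory that holds the ransom note or files with the .KEYPASS extension, together with the original file names to check against backups. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Artifact names as quoted from Kaspersky Lab in the article above.
NOTE_NAME = "!!!KEYPASS_DECRYPTION_INFO!!!.txt"
ENC_EXT = ".KEYPASS"


def scope_keypass(root):
    """Return {dir: {"note": bool, "encrypted": [original file names]}} for each
    directory under root that holds a ransom note or a .KEYPASS file."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):  # unreadable dirs are skipped
        # Windows file names are case-insensitive, so compare lowercased.
        note = any(f.lower() == NOTE_NAME.lower() for f in files)
        encrypted = sorted(
            f[: -len(ENC_EXT)] for f in files
            if f.lower().endswith(ENC_EXT.lower()) and len(f) > len(ENC_EXT)
        )
        if note or encrypted:
            rel = os.path.relpath(dirpath, root)
            report[rel] = {"note": note, "encrypted": encrypted}
    return report


def build_constructed_tree(root):
    """Constructed sample layout (not real victim data): two processed
    directories and one untouched directory."""
    layout = {
        "Documents": ["budget.xlsx.KEYPASS", "notes.txt.keypass", NOTE_NAME],
        "Untouched": ["readme.txt"],
        "Pictures/2018": ["cat.jpg.KEYPASS", NOTE_NAME],
    }
    for rel, names in layout.items():
        directory = os.path.join(root, *rel.split("/"))
        os.makedirs(directory)
        for name in names:
            with open(os.path.join(directory, name), "w") as fh:
                fh.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        for directory, info in sorted(scope_keypass(tmp).items()):
            flag = "note" if info["note"] else "no note"
            print(f"{directory}: {flag}, {len(info['encrypted'])} encrypted")
```

A directory that contains the note but no encrypted files is still reported, since the note marks it as processed.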

“Free of charge”

The criminals lure the victims further by inviting them to send a couple of files to be decrypted “free of charge.”

It will cost the victims $300 to get back their files. The criminals, who provide email addresses, up the urgency by stating that the “price is valid only for the first 72 hours after infection.”

“However, we recommend not paying the ransom,” advise the researchers at Kaspersky Lab.

They explained: “If for some reason the computer is not connected to the Internet when the malware starts working, the malware cannot retrieve the personal encryption key from the C&C server. In that case, it uses a hard-coded key, meaning that the files can be decrypted without any trouble; the key is already at hand. Unfortunately, in other cases, you won’t get off so lightly: Despite the fairly simple implementation, the cybercriminals made no errors with the encryption.”

The researchers admit that “the tool for decrypting files hit by KeyPass has yet to be developed.” They offered simple, almost self-explanatory precautions to protect users from ransomware. These include being wary of what users click on the internet: if something looks suspicious, and users should always be suspicious, refrain from clicking it. Users should also back up all important files; with duplicates of the files the criminals encrypted, they have no reason to pay the criminals a penny.
